Ignore Microsoft Azure AD Domain for home realm discovery

I’ve reviewed @konrad.sopala's post about being redirected to Azure under the following conditions:

  • Enable username and password login via Auth0 DB
  • Enable SSO enterprise connection Azure AD
  • Enable both connections for an application
  • Enable identifier first

I do understand that, by definition, the domains specified in the Home Realm Discovery list for the connection would always trigger an Azure login; this is very clear from the doc.

However, I don’t really understand the current behaviour where users with email from the same domain as your Azure Tenant, specified in Microsoft Azure AD Domain, get redirected to Azure. From the doc, I understand that Microsoft Azure AD Domain designates the domain from my own Azure instance.

In a B2B scenario, if I’m the company Travel0 on domain travel0.com, and I want to offer my business customers a way to log in via Azure, I will configure the Azure connection, register an app in my travel0.com Azure tenant, which means that my Microsoft Azure AD Domain is travel0.com. This means that not just my customers, but also my own employees with @travel0.com email would be forced to log in with Azure, which is not a scenario I want.

Is there no solution to only redirect users whose domain belongs to the Home Realm Discovery list?
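As an added illustration (not code from the original post or from Auth0), here is a small model of the identifier-first routing the post describes: the connection fields, the customer domain names and the `include_tenant_domain` switch are assumptions used to contrast the observed behaviour (tenant domain also redirects) with the requested one (only Home Realm Discovery domains redirect).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AzureConnection:
    # "Microsoft Azure AD Domain": domain of the tenant the app is registered in
    tenant_domain: str
    # "Home Realm Discovery" identity-provider domains (the B2B customers)
    hrd_domains: List[str] = field(default_factory=list)


def email_domain(email: str) -> str:
    """Lower-cased domain part of an email address, or '' if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def route_identifier(email: str, conn: AzureConnection, include_tenant_domain: bool) -> str:
    """Decide where identifier-first sends a user: 'azure' for the enterprise
    connection, 'database' for username/password.  include_tenant_domain=True
    models the behaviour reported in the post; False models the requested one.
    This is an assumed model of the routing, not Auth0's implementation."""
    domain = email_domain(email)
    if not domain:
        # malformed identifier: fall through to the DB connection, which rejects it
        return "database"
    azure_domains = {d.lower() for d in conn.hrd_domains}
    if include_tenant_domain:
        azure_domains.add(conn.tenant_domain.lower())
    return "azure" if domain in azure_domains else "database"


# Constructed scenario from the post: Travel0 owns the tenant, two customers use HRD.
CONN = AzureConnection(tenant_domain="travel0.com",
                       hrd_domains=["customer-a.example", "customer-b.example"])


def compare_routing(users: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each user to (observed route, requested route) for side-by-side review."""
    return {u: (route_identifier(u, CONN, True), route_identifier(u, CONN, False))
            for u in users}


if __name__ == "__main__":
    for user, (observed, requested) in compare_routing(
            ["alice@travel0.com", "Bob@Customer-A.example", "carol@mail.example"]).items():
        print(f"{user:28} observed={observed:8} requested={requested}")
```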