Hi, everyone. My team needs to move entirely away from using authentication via AzureAd. What’s the strategy for user migration there?
I found out that “Microsoft Azure AD” allows us to sign in AzureAd users via the Auth0 form, so we are using it as a temporary solution. But how do we move users completely off AzureAd?
After Azure AD users sign in, can we force users to sign up for Auth0? Or would passwordless login be a better/more feasible approach for users?
I don’t think that Azure AD provides any mechanism for you to export the password hashes of the users. You may be able to export other user information and bulk import it into a database connection in your Auth0 tenant. However, this would imply that all your users would have to perform a password reset operation in order to log in through the new approach.
If the user credentials (the passwords themselves) need to be migrated so that users don’t have to reset passwords, it may be possible for you to set up a custom database connection with import mode enabled and use the custom scripts to validate the password against Azure AD (likely through a resource owner password credentials grant). This way, whenever a user completes a login with success, that password would be validated in Azure AD and then migrated to the Auth0 tenant (Import and Export Users).
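The import-mode approach described in the answer above, as an added example that is not code from the original thread, from Auth0 or from Microsoft: a custom database `login` script that validates the submitted password against Azure AD with the OAuth 2.0 resource owner password credentials (ROPC) grant and, on success, returns the profile so Auth0 creates the user (and hashes that password) in its own database. The tenant id, client id and client secret are placeholders for an app registration that permits ROPC, the `post` transport is injectable so the module runs offline, and the handling of the MFA-required case (the `error_codes` values Azure AD documents for MFA enforcement and enrollment) fails closed rather than treating the password as verified, since ROPC has no interactive step to satisfy it.

```javascript
// Added example (not Auth0's or Microsoft's code): an Auth0 custom database
// "login" script for a connection with import mode enabled. It validates the
// password the user just typed against Azure AD with the ROPC grant and, on
// success, returns a profile so Auth0 stores the user in its own database.
// ASSUMPTIONS: tenantId/clientId/clientSecret are placeholders for an app
// registration that allows ROPC; `post` is an injectable transport.

// Provided as a global inside the Auth0 script sandbox; defined here only so
// the module runs standalone.
class WrongUsernameOrPasswordError extends Error {
  constructor(email, message) {
    super(message);
    this.name = 'WrongUsernameOrPasswordError';
    this.email = email;
  }
}

// Values Azure AD puts in `error_codes` when the user must complete MFA
// (50076) or enrol in MFA (50079). ROPC cannot satisfy either.
const AAD_MFA_REQUIRED = 50076;
const AAD_MFA_ENROLLMENT_REQUIRED = 50079;

// Decode a JWT payload without verifying the signature. Acceptable here only
// because the token arrives in the token endpoint's own TLS-protected response
// (OpenID Connect Core 3.1.3.7); never do this for a token a client presents.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Pure decision logic, kept apart from I/O so it can be tested offline.
// Returns { profile } on success, otherwise { error, mfaRequired? }.
function interpretTokenResponse(status, json, email) {
  if (status === 200 && typeof json.id_token === 'string') {
    const claims = decodeJwtPayload(json.id_token);
    if (!claims.oid) {
      return { error: new Error('id_token has no oid claim; refusing to migrate') };
    }
    return {
      profile: {
        // oid is the directory object's immutable id; using it as user_id keeps
        // the migrated Auth0 user linkable back to the Azure AD object.
        user_id: claims.oid,
        // preferred_username is usually the UPN; fall back to the email claim.
        email: claims.preferred_username || claims.email || email,
        // Assumption: directory addresses are verified. Use false if your
        // tenant holds unverified addresses (Auth0 then sends a verification).
        email_verified: true,
        name: claims.name,
      },
    };
  }
  const codes = Array.isArray(json.error_codes) ? json.error_codes : [];
  if (codes.includes(AAD_MFA_REQUIRED) || codes.includes(AAD_MFA_ENROLLMENT_REQUIRED)) {
    // Fail closed: nothing is migrated and the user gets a generic failure
    // instead of a silent downgrade from an MFA-protected account.
    return {
      mfaRequired: true,
      error: new Error('Azure AD requires MFA for this user; ROPC cannot complete'),
    };
  }
  if (json.error === 'invalid_grant') {
    // Wrong password or unknown user: Auth0 reports a login failure, no record.
    return { error: new WrongUsernameOrPasswordError(email, 'invalid username or password') };
  }
  return { error: new Error(`token endpoint returned ${status}: ${json.error || 'unknown error'}`) };
}

// Default transport using Node's global fetch (Node 18+).
function fetchPost(url, body) {
  return fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  }).then(async (res) => ({ status: res.status, json: await res.json() }));
}

// Builds the login(email, password, callback) function Auth0 expects.
function buildLogin({ tenantId, clientId, clientSecret, post = fetchPost }) {
  const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
  return function login(email, password, callback) {
    const params = {
      grant_type: 'password',
      client_id: clientId,
      scope: 'openid profile email',
      username: email,
      password,
    };
    if (clientSecret) params.client_secret = clientSecret; // confidential client only
    const body = new URLSearchParams(params).toString();
    return post(tokenUrl, body)
      .then(({ status, json }) => {
        const result = interpretTokenResponse(status, json, email);
        callback(result.error || null, result.profile);
        return result;
      })
      .catch((err) => { callback(err); return { error: err }; });
  };
}
```

In the Auth0 connection you would paste the body of `buildLogin(...)` as the `login` script with the real tenant and client values; the split between `interpretTokenResponse` and the transport is there so the success, wrong-password and MFA-required branches can be exercised with canned token-endpoint responses before any real user is migrated.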
whenever a user completes a login with success that password would be validated in Azure AD
How does your 2nd solution (no password reset) work if the user has MFA?
I confess I’m not sure, but if MFA is in the mix the approach around import mode could possibly not work at all. As in, if Azure AD allows for you to still validate the password even if MFA is configured you could in theory still migrate the user password to Auth0 through that approach, but then you would have to make a decision about what to do next… with regards to MFA so this could get complex easily.
If you don’t mind losing the existing user passwords and MFA secrets, and an email address is something that uniquely identifies each user, you could indeed consider a sort of migration using passwordless, but that would most likely not be a seamless migration.