Linking AD from one tenant to another

I have to move users that are linked to an Azure AD connection in one tenant and move them into another tenant. For our application to stay synchronized, we have to preserve all of the IDs that the users were given in Auth0 when we migrate them to this new tenant. Here is what I have done thus far:

  1. Export users from the Azure AD connection in old tenant.
  2. Import those users into the new tenant as a Username/Database connection.

I need help with step 3. I have seen documents online but they all point to having a user “link” accounts. Is it possible to just load the same raw JSON from the old tenant into the new one? I was thinking of doing this with the SDK and trying it out. This way all the users could just be linked to the AD connection in the new tenant and keep their IDs. Appreciate any assistance that could be given here. Thank you!

EDIT: I tried the following using the API:

  1. Creating a user on the connection directly and got a “400: The connection does not support user creation through the API. It must either be a database or sms connection.”
  2. Import users to this tenant from the old one, and I was able to do that successfully. However, these users can only be imported as database username/password users and not directly onto the AD connection. I attempted to update the user onto the connection and I get a “connection does not exist” error, even though I can clearly see it when I list the connections through the API on that same tenant.

Hello @lawrencerogo,

Thank you for reaching out to us!

The user_id is a unique identifier within Auth0, which is not editable - there can exist multiple users with the same email address in a tenant, but there can only ever be one user with a specific user_id.
The logic Auth0 uses for creating a user_id - let’s consider a user from an Enterprise Azure AD Connection - would be to take the existing user_id of the user from the AD (if it has one) and add to it a prefix of the Connection within Auth0. As an example, an AD-sourced user could have its user_id (in the AD) set to 123abc, but upon importing to Auth0, it could get converted to ad|Test|123abc, where "Test" would be the name of the Connection.

With this out of the way, I believe the only way you can preserve the same user_ids from one tenant to another would be to create a new Azure AD integration in your second tenant with the same local AD (the same users), name it the same way as the connection from the first tenant, and have the users log in naturally this way.

The following doc could prove useful to see how Auth0 interacts with User Profile Attributes.

Thank you!
Gerald
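To make the user_id rule in Gerald's reply concrete, here is an added Python example (not Auth0's code and not part of the original thread) that walks an exported user list and predicts whether each user_id would survive a move to a new tenant, given the name of the enterprise connection in that tenant. It assumes the ID format described above (strategy|connection name|external id for enterprise users, strategy|id for database users) and uses a constructed sample export with made-up identifiers; it does not call the Management API.

```python
import json

# Constructed sample of an Auth0 user export (not a real tenant's data): only the
# fields this check needs, with made-up identifiers in the format Gerald describes.
SAMPLE_EXPORT = json.dumps([
    {"user_id": "ad|Test|123abc", "email": "alice@example.com"},
    {"user_id": "ad|Test|456def", "email": "bob@example.com"},
    {"user_id": "auth0|5f0c1a2b3c4d5e6f70819203", "email": "carol@example.com"},
])


def parse_user_id(user_id):
    """Split an Auth0 user_id into (strategy, connection, external_id).

    Enterprise connection IDs carry the connection name in the middle
    ("ad|Test|123abc"); database IDs have no connection segment ("auth0|...").
    """
    parts = user_id.split("|")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], None, parts[1]
    raise ValueError(f"unrecognised user_id format: {user_id!r}")


def expected_user_id(user_id, new_connection_name):
    """Predict the user_id an enterprise user would receive in the new tenant on
    first login through a connection called new_connection_name (an assumption
    following the rule in the reply above). Returns None for database users,
    whose IDs are not derived from an external directory and so cannot be
    predicted from the export.
    """
    strategy, connection, external_id = parse_user_id(user_id)
    if connection is None:
        return None
    return f"{strategy}|{new_connection_name}|{external_id}"


def check_migration(export_json, new_connection_name):
    """Report, per exported user, whether the old user_id would be preserved."""
    report = []
    for user in json.loads(export_json):
        old_id = user["user_id"]
        new_id = expected_user_id(old_id, new_connection_name)
        report.append({
            "email": user["email"],
            "old_user_id": old_id,
            "expected_user_id": new_id,
            "preserved": new_id == old_id,
        })
    return report


if __name__ == "__main__":
    # Compare a matching connection name against a renamed one.
    for name in ("Test", "Test-New"):
        print(f"--- new tenant connection named {name!r} ---")
        for row in check_migration(SAMPLE_EXPORT, name):
            print(row)
```

Running it shows the point of the advice: with the new connection also named `Test`, every AD-sourced user keeps its ID, while naming it `Test-New` changes every one of them (`ad|Test-New|123abc`), and the `auth0|...` database user is never predictable from the enterprise side. Running such a check against the real export before cutting over is a cheap way to catch a connection-name mismatch before it breaks the application's user mapping.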

So just to confirm, that would mean that I would have to use the same AD connection by re-using the client ID and secret that I used for my old tenant, right?
