Map Incoming Azure Groups to Auth0 ID Token

Problem statement

When a user logs in against the Azure Active Directory (AAD) Connection, the user profile in Auth0 appears to have attributes such as groups that are not passed back to the application.

How can AAD attributes such as ‘groups’ be sent to the application when a user logs in?

Solution

By default, Auth0 sends an ID Token containing only the standard OIDC claims, assuming no other configuration has been applied to the login transaction. Mapping an attribute like ‘groups’ requires a Post-Login Action in which the incoming groups are added to the ID Token as a namespaced custom claim. For example, the following code achieves this:

exports.onExecutePostLogin = async (event, api) => {
  // Custom claims must be namespaced (a URL) so they cannot collide with standard OIDC claims.
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    // Copy the groups delivered by the AAD connection onto the ID Token.
    api.idToken.setCustomClaim(`${namespace}/groups`, event.user.groups);
  }
};
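As an added example that is not part of the original article, the same Action hardened against the edge cases a practitioner hits in production: groups missing from the profile, delivered as a single string rather than an array, or far more numerous than the application needs. The ALLOWED_GROUPS names and the assumption that the connection stores groups on event.user.groups are mine, not Auth0's.

```javascript
// Added example: hardened variant of the group-mapping Action above.
// Assumptions: the AAD connection places groups on event.user.groups (possibly absent or a
// single string), and ALLOWED_GROUPS is a hypothetical allowlist of the groups the app uses.
const NAMESPACE = 'https://my-app.example.com';
const ALLOWED_GROUPS = new Set(['app-admins', 'app-readers']);

// Normalise whatever the connection delivered into a sorted, de-duplicated array of strings.
function normaliseGroups(raw) {
  if (raw === undefined || raw === null) return [];
  const list = Array.isArray(raw) ? raw : [raw];
  const clean = list.filter((g) => typeof g === 'string' && g.length > 0);
  return [...new Set(clean)].sort();
}

// Keep only groups the application knows about: the token stays small and the user's
// full directory membership is not disclosed to an app that has no need for it.
function selectClaimGroups(raw, allowed = ALLOWED_GROUPS) {
  return normaliseGroups(raw).filter((g) => allowed.has(g));
}

const onExecutePostLogin = async (event, api) => {
  if (!event.authorization) return;
  const groups = selectClaimGroups(event.user && event.user.groups);
  // Always set the claim so the application can rely on an array being present.
  api.idToken.setCustomClaim(`${NAMESPACE}/groups`, groups);
};

// Auth0 loads the Action through exports.onExecutePostLogin; guard so the file also
// runs stand-alone outside a CommonJS module.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Because the Action has no await inside, the custom claim is set synchronously during the call, which is what the test below relies on.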