Overview
This article provides methods to block all logins for accounts in an Auth0 tenant.
Applies To
- Connections
Solution
A single setting to disable all logins at the tenant level does not exist. The following methods can be used to block logins based on specific requirements.
1. Use a Post-Login Action
This method provides a flexible way to prevent users from logging in while keeping their accounts and data intact. A Post-Login Action runs after a user attempts to log in and can deny access if defined conditions are met.
Example Action code to block all logins:
exports.onExecutePostLogin = async (event, api) => {
  // This will deny access for ALL users attempting to log in.
  // More specific logic can be added here to block only certain users or under certain conditions.
  api.access.deny('Login is currently disabled for all accounts.');
};
To implement this solution:
- Navigate to the Auth0 Dashboard and select Actions > Triggers > post-login.
- Select the + sign.
- Select Build from scratch.
- Enter a name for the Action (e.g., Block All Logins).
- Select Create.
- Paste the code above into the editor.
- Deploy the Action.
- Move the new Action into the Login Flow and select Apply.
This approach has the following characteristics:
- Granular Control: Logic can be added to block specific users, groups, or based on other criteria.
- Informative Error: A custom error message can be provided to the user.
- Reversible: The Action can be easily enabled, disabled, or modified.
- Preserves User Data: User accounts and their data remain in the tenant.
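The granular control listed above can look like the following. This is an added example, not Auth0's own code: it keeps logins blocked for everyone except a short list of break-glass accounts, and the secret names LOGIN_BLOCK_ENABLED and ALLOWED_USER_IDS are assumptions that would be defined under the Action's Secrets.

```javascript
// Added example. LOGIN_BLOCK_ENABLED and ALLOWED_USER_IDS are assumed secret
// names configured on the Action; they are not Auth0 built-ins.

// Parse a comma-separated secret into a set of exact user_id values.
function parseAllowList(raw) {
  return new Set(
    String(raw || "")
      .split(",")
      .map((id) => id.trim())
      .filter((id) => id.length > 0)
  );
}

// Pure decision function so the logic can be tested outside Auth0.
function loginDecision(event) {
  const secrets = event.secrets || {};
  // Fail closed: the block is lifted only by an explicit "false".
  // A missing or mistyped secret keeps logins denied.
  if (String(secrets.LOGIN_BLOCK_ENABLED).trim().toLowerCase() === "false") {
    return { allow: true, reason: "block disabled" };
  }
  // Match on user_id rather than email: an email address may be unverified
  // or appear on more than one connection.
  const userId = event.user && event.user.user_id;
  if (userId && parseAllowList(secrets.ALLOWED_USER_IDS).has(userId)) {
    return { allow: true, reason: "break-glass account" };
  }
  return { allow: false, reason: "Login is currently disabled for all accounts." };
}

const onExecutePostLogin = async (event, api) => {
  const decision = loginDecision(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
};

// Auth0 loads the handler from `exports`; the guard lets the file also run
// in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```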
2. Disable Connections for all Applications
Auth0 uses Connections to authenticate users (e.g., Username-Password-Authentication, social logins, Enterprise connections). If all connections for all applications within a tenant are disabled, users will not be able to log in. This is accomplished by disabling all configured connections for each application in the Auth0 tenant.
- Navigate to the Auth0 Dashboard and select Applications > Applications.
- For each application listed:
  - Select the application name.
  - Go to the Connections tab.
  - Toggle off all enabled connections.
To prevent new applications from automatically having all connections enabled, navigate to Dashboard > Settings > Advanced and toggle off Enable Application Connections. This setting does not affect existing applications.
This method provides direct control over login mechanisms but can be tedious if there are many applications.
3. Block Users Individually
Individual users can be blocked manually in the Auth0 Dashboard or via the Management API. This action marks a user account as “blocked,” preventing them from logging in.
- Navigate to the Auth0 Dashboard and select User Management > Users.
- Select the … next to a user’s name and choose Block.
This method is not practical for blocking all accounts in a tenant with many users.
4. Delete the Tenant
This is the most drastic and irreversible option. Deleting an Auth0 tenant permanently removes all data, including user accounts, applications, and configurations.
- Navigate to the Auth0 Dashboard and select Settings > Advanced.
- Locate the Danger Zone at the bottom of the page and select Delete.
- Follow the prompts to confirm the deletion.
This action results in permanent data loss, is irreversible, and constitutes a complete removal, not a block.
The appropriate method depends on the goal. For a temporary or conditional block that preserves user data, a Post-Login Action is the most flexible approach. To permanently shut down the identity management service and remove all data, deleting the tenant is the only option, but this action has severe and irreversible consequences.