Migrating ADFS to Azure AD when using Active Authentication

Problem statement

We need guidance on migrating a user base from the ADFS enterprise connector to the Azure AD enterprise connector on the back end without changing their underlying ID and going forward to use the new connector. Additionally, we would like to use active authentication (passing credentials directly to AD and not via the universal login page).

Solution

ADFS connections can be pointed at an Azure AD tenant by changing the metadata set on the ADFS connection. Azure AD publishes its federation metadata at a URL like this:

For a smooth transition, make sure the NameID (name identifier) that Azure AD returns for a user is identical to the one ADFS returns for that same user.
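A pre-migration check for the NameID requirement above, added here as an example and not part of the original article: it pulls the Subject/NameID value and Format out of a SAML assertion from each side and reports whether they agree. The three assertions are constructed samples; the Azure AD user, identifier format and tenant details are assumptions.

```python
# Added example (not from the original article). Compares the SAML NameID
# that ADFS and Azure AD return for the same user before the ADFS
# connection's metadata is switched to Azure AD.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def _assertion(name_id: str, fmt: str) -> str:
    """Build a minimal constructed SAML 2.0 assertion (sample data only)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject>"
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )

# Constructed samples: what ADFS returns today, what Azure AD returns before
# its NameID claim is configured, and what it returns after it is aligned.
ADFS_ASSERTION = _assertion("jane.doe@example.com", EMAIL_FMT)
AZURE_DEFAULT_ASSERTION = _assertion("example-opaque-pairwise-id", PERSISTENT_FMT)
AZURE_ALIGNED_ASSERTION = _assertion("jane.doe@example.com", EMAIL_FMT)

def extract_name_id(assertion_xml: str) -> dict:
    """Return the Subject/NameID value and Format from a SAML 2.0 assertion
    (works whether the root is the Assertion or an enclosing Response)."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    fmt = node.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return {"value": node.text.strip(), "format": fmt}

def name_ids_match(adfs_xml: str, azure_xml: str) -> bool:
    """True only if value and Format both agree; comparison is exact, since a
    case or format difference is still a different identifier."""
    a, b = extract_name_id(adfs_xml), extract_name_id(azure_xml)
    return a["value"] == b["value"] and a["format"] == b["format"]

if __name__ == "__main__":
    print("default Azure AD NameID matches ADFS:",
          name_ids_match(ADFS_ASSERTION, AZURE_DEFAULT_ASSERTION))
    print("aligned Azure AD NameID matches ADFS:",
          name_ids_match(ADFS_ASSERTION, AZURE_ALIGNED_ASSERTION))
```

Run it against real assertions captured from a test user on each identity provider (for example, with a SAML tracer browser extension) before repointing the connection.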

However, this does not work if active authentication is required, that is, if a username and password are to be passed directly to Auth0 via /oauth/token to log the user into Azure AD. ADFS connections rely on the endpoint https://${adfs_server_url.host}/adfs/services/trust/13/usernamemixed for this functionality, which Azure AD does not appear to support.

The workaround is to use an Azure AD connection instead, with the configuration described here to enable active authentication:

If the ADFS connection users' profiles need to be retained, each can be linked to the corresponding Azure AD connection user after that user has logged in at least once to create their Azure AD-based account. If the ADFS identity is set as the primary identity, the user can log in through the Azure AD connection, but the profile Auth0 returns will be that of the ADFS connection user.