Only Allow Access for Certain Active Directory User Groups

Last Modified: Oct 28th, 2024

Overview

This article explains how to manage who is allowed to access an application on an Enterprise Azure AD connection.

For example, if a customer has 1000 users in their Microsoft AD but cannot invite them all, is it possible to manage who from the AD will have permission to access the app and who does not?

Applies To

  • Enterprise Azure AD (EntraID) Connection
  • Application Access

Solution

One way to achieve this is to ask the customer/partner’s AD admins to create a group on their side and assign it to the users who are allowed to access the application.

To retrieve this group information during logins, the Get User groups option in the Azure AD connection’s settings must be checked.

Once enabled, a user’s groups are passed to Auth0 in the response from AD and are accessible within an Action under event.user.groups.
A check like the one below in a post-login Action can then be used to allow or deny access:

exports.onExecutePostLogin = async (event, api) => {

  const allowedGroup = "<Name of authorized Group here>";

  // Only check for the relevant AD connection (this could alternatively use event.connection.id)
  if (event.connection.name === "<Azure AD connection's name here>") {
    // Guard against groups being absent (e.g. Get User groups unchecked or an older Action version)
    const groups = event.user.groups || [];
    if (groups.includes(allowedGroup)) {
      console.log("Group found", groups);
      // Allow access as the target group was found
    } else {
      console.log("Group not found", groups);
      api.access.deny("You are not authorized to access this application");
      // Deny access as the user does not have the required group
    }
  }
};
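As an added example (not code from the original article or from Auth0), the same group check is shown below in a form that a practitioner can exercise offline. It matches the connection by event.connection.id rather than by name, accepts a list of allowed groups instead of one, treats a missing or non-array event.user.groups as "no groups" (which is what a login looks like when Get User groups is unchecked, the Action is below v3, or the Azure AD identity is not the primary account), and keeps the decision logic in a separate function so it can be unit-tested. The connection id, group names and user id are constructed placeholders.

```javascript
// Added example, not Auth0's own code. Connection id, group names and user ids
// below are constructed placeholders; replace them with your tenant's values.
const TARGET_CONNECTION_ID = "con_placeholderAzureAD"; // assumed to match event.connection.id
const ALLOWED_GROUPS = ["App-Users", "App-Admins"];     // constructed AD group names

// Decide what the Action should do for this login.
// Returns "skip" when the login did not come through the Azure AD connection
// (so the group rule does not apply), otherwise "allow" or "deny".
function evaluateGroupAccess(event, connectionId, allowedGroups) {
  if (!event.connection || event.connection.id !== connectionId) {
    return "skip";
  }
  // event.user.groups can be absent entirely; treat anything that is not an
  // array as an empty group list so the user is denied rather than the Action crashing.
  const rawGroups = event.user ? event.user.groups : undefined;
  const groups = Array.isArray(rawGroups) ? rawGroups : [];
  const matched = groups.some((group) => allowedGroups.includes(group));
  return matched ? "allow" : "deny";
}

// The post-login handler in the shape Auth0 Actions expect.
async function onExecutePostLogin(event, api) {
  const decision = evaluateGroupAccess(event, TARGET_CONNECTION_ID, ALLOWED_GROUPS);
  if (decision === "deny") {
    // Log the detail for operators; the user only sees a generic message.
    console.log("Access denied, required AD group not present for", event.user.user_id);
    api.access.deny("You are not authorized to access this application");
  }
}

// Auth0 loads the handler from exports.onExecutePostLogin (guarded so the file
// also runs where `exports` is not defined).
if (typeof exports === "object") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed login event for offline testing; mirrors the fields the Action reads.
function makeEvent(connectionId, groups) {
  return {
    connection: { id: connectionId, name: "azure-ad-example" },
    user: { user_id: "waad|constructed-user", groups },
  };
}

// Runs the handler with a stub api object and returns the deny reason,
// or null if access was allowed (api.access.deny never called).
async function runAction(event) {
  let denied = null;
  const api = { access: { deny: (reason) => { denied = reason; } } };
  await onExecutePostLogin(event, api);
  return denied;
}

// Stand-alone demonstration of the three outcomes.
if (typeof require !== "undefined" && require.main === module) {
  for (const groups of [["App-Users"], ["Guests"], undefined]) {
    runAction(makeEvent(TARGET_CONNECTION_ID, groups)).then((reason) =>
      console.log(JSON.stringify(groups), "->", reason === null ? "allowed" : `denied: ${reason}`));
  }
}
```

The decision function returns "skip" for other connections so that users from, say, a database connection are unaffected, which matches the original snippet's outer if on the connection. Denying on a missing groups array is a deliberate fail-closed choice: if the groups claim silently disappears (for example after an Action version downgrade), users lose access instead of everyone being let in.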

Other requirements for Groups to be populated:

  • The Action version must be 3 or above.

To update the version to v3, call the PATCH /api/v2/actions/actions/{id} endpoint of the Management API, passing the id of the Action, with the payload:

{
    "supported_triggers": [
        {
            "id": "post-login",
            "version": "v3"
        }
    ]
}
  • The Azure AD identity needs to be the primary account if it is linked with other identities.

Here are some relevant documentation links about the Action trigger used in the above example: