Only Allow Access for Certain Active Directory User Groups

Problem statement

This article explains how to manage who on an Enterprise Azure AD connection is allowed to access an application and who is not.

For example, a customer may have 1000 users in their Microsoft Azure AD but cannot invite all of them to the application. Is it possible to control which AD users are permitted to access the app and which are not?

Solution

One way to achieve this is to ask the customer/partner's Azure AD admins to create a group on their side and assign it to the users who are allowed to access the application.

The “Get User groups” option in the Azure AD connection's settings must be enabled so that group membership is retrieved from AD during login.

Once enabled, the user's groups are passed to Auth0 in the response from AD and are accessible within an Action under “event.user.groups”. If the option is not enabled, or the user belongs to no groups, that attribute may be missing from the profile, so the Action should treat a missing array as “not a member” rather than letting the check throw. Confirm the exact values the connection returns for a test user (group name versus group object ID) before hard-coding the group to match.
A check like the one below in a post-login Action can then be used to allow or deny access:

exports.onExecutePostLogin = async (event, api) => {
  const allowedGroup = "<Name of authorized Group here>";

  // Only check logins through the relevant AD connection
  // (this could alternatively compare event.connection.id)
  if (event.connection.name === "<Azure AD connection's name here>") {
    // Fail closed: if the groups attribute is missing (for example, because
    // "Get User groups" is off), treat the user as having no groups
    const groups = Array.isArray(event.user.groups) ? event.user.groups : [];

    if (groups.includes(allowedGroup)) {
      console.log("Group found", groups);
      // Allow access, as the target group was found
    } else {
      console.log("Group not found", groups);
      // Deny access, as the user does not have the required group
      api.access.deny("You are not authorized to access this application");
    }
  }
};
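The following is an added example, not code from the article or from Auth0. It factors the same post-login decision into a pure function so it can be unit-tested offline against constructed events, accepts several authorized groups at once, restricts enforcement to one application via event.client.client_id, and fails closed when the groups attribute is absent. The connection name, client ID, group names and sample events are assumed placeholder values; event.connection.name, event.client.client_id, event.user.groups and api.access.deny are the Auth0 Action fields used by the article's own snippet.

```javascript
// Added example (not the article's or Auth0's code). Group-based access
// control for an Azure AD connection, written so the decision can be tested.

const ACCESS_RULES = {
  // Assumed placeholder values; replace with the real connection name,
  // the client ID of the application to protect (null = every application),
  // and the group values as they appear on a test user's profile.
  connectionName: "azure-ad-contoso",
  clientId: "AbC123ExampleClientId",
  allowedGroups: ["App-Users", "App-Admins"],
};

// Pure decision function: returns { allow, reason } and never throws on
// a malformed or incomplete event.
function decideAccess(event, rules = ACCESS_RULES) {
  // Logins through other connections (e.g. database users) are not affected.
  if ((event.connection && event.connection.name) !== rules.connectionName) {
    return { allow: true, reason: "other connection" };
  }
  // Optionally enforce only for the one application being protected.
  if (rules.clientId && (event.client && event.client.client_id) !== rules.clientId) {
    return { allow: true, reason: "other application" };
  }
  // Fail closed: a missing or non-array groups attribute is treated as
  // "no groups", not as an error that would let the login continue.
  const groups = event.user && Array.isArray(event.user.groups) ? event.user.groups : null;
  if (groups === null) {
    return { allow: false, reason: "groups attribute missing from profile" };
  }
  const allowed = new Set(rules.allowedGroups);
  const matched = groups.filter((g) => allowed.has(g));
  if (matched.length === 0) {
    return { allow: false, reason: "user is in none of the authorized groups" };
  }
  return { allow: true, reason: `member of ${matched.join(", ")}` };
}

// The Action entry point; in a deployed Action this is exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const decision = decideAccess(event);
  console.log("Access decision:", decision.reason, event.user && event.user.groups);
  if (!decision.allow) {
    api.access.deny("You are not authorized to access this application");
  }
};
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events for offline testing (not real Auth0 data).
function makeEvent(connectionName, clientId, groups) {
  const user = { email: "user@example.com" };
  if (groups !== undefined) user.groups = groups;
  return { connection: { name: connectionName }, client: { client_id: clientId }, user };
}
const sampleEvents = {
  member: makeEvent("azure-ad-contoso", "AbC123ExampleClientId", ["Sales", "App-Users"]),
  nonMember: makeEvent("azure-ad-contoso", "AbC123ExampleClientId", ["Sales"]),
  noGroups: makeEvent("azure-ad-contoso", "AbC123ExampleClientId", undefined),
  otherConnection: makeEvent("Username-Password-Authentication", "AbC123ExampleClientId", undefined),
  otherApp: makeEvent("azure-ad-contoso", "OtherClientId", ["Sales"]),
};

// Run the Action against a fake api object that records deny() calls.
async function runWithFakeApi(event) {
  const calls = [];
  const api = { access: { deny: (msg) => calls.push(msg) } };
  await onExecutePostLogin(event, api);
  return { denied: calls.length > 0, message: calls[0] || null };
}

for (const [name, ev] of Object.entries(sampleEvents)) {
  console.log(name, decideAccess(ev));
}
```

Scoping by event.client.client_id is optional; the article's snippet applies the group check to every application that accepts the connection, which is the right default when the whole tenant should be restricted to the group.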

Here are some relevant documentation links about the Action trigger used in the above example: