I’m still not sure if I’ve gotten to the bottom of the problem yet. Here’s the latest:
The gist of the response I got from Auth0:
After discussing this with the rest of the Support Team, the recommendation here would be to create an Enterprise OIDC connection instead. The reason is that this will allow you to configure any domain URL. One of our Staff Support Engineers, Nico, wrote up a rather comprehensive how-to for just this type of situation:
The response I got from Microsoft about this:
On 1 June 2018, the official Azure Active Directory (AAD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government AAD also services. If you own an application within a US Government tenant, you must update your application to sign users in on the .us endpoint. Starting in July 2020, Azure AD will begin enforcing the endpoint change for public cloud users, blocking public cloud users from signing into apps hosted in US Government tenants (microsoftonline.us tenants).
See: Azure Government AAD Authority Endpoint Update | Azure Government (microsoft.com)
See: Azure Government Identity - Azure Government | Microsoft Docs
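To make the endpoint change in the quoted Microsoft response concrete, here is an added example (not code from the original post, from Auth0 or from Microsoft). It builds the authority and OIDC discovery URL for a tenant in either the public cloud or Azure Government, and checks a configured authority URL so a connection still pointing at the retired login-us.microsoftonline.com host is flagged before it is deployed. The v2.0 discovery path (/{tenant}/v2.0/.well-known/openid-configuration) and the tenant identifiers used are assumptions for illustration and do not come from the page.

```python
"""Added example: Azure AD authority URLs per cloud, plus a check for the
retired Azure Government host. Not from the original post.

Assumptions (not stated on the page): the v2.0 discovery path used below and
the tenant identifiers in the demo are illustrative placeholders.
"""
from urllib.parse import urlsplit

# Authority hosts per cloud. The quoted Microsoft response names
# login.microsoftonline.us as the current Azure Government authority and
# login-us.microsoftonline.com as the one retired on 1 June 2018.
AUTHORITY_HOSTS = {
    "public": "login.microsoftonline.com",
    "usgov": "login.microsoftonline.us",
}
DEPRECATED_HOSTS = {"login-us.microsoftonline.com"}


def authority_url(cloud: str, tenant: str) -> str:
    """Return the authority URL for a tenant in the given cloud."""
    try:
        host = AUTHORITY_HOSTS[cloud]
    except KeyError:
        raise ValueError(f"unknown cloud {cloud!r}") from None
    return f"https://{host}/{tenant}"


def discovery_url(cloud: str, tenant: str) -> str:
    """Return the OIDC discovery document URL (assumed v2.0 path)."""
    return f"{authority_url(cloud, tenant)}/v2.0/.well-known/openid-configuration"


def check_authority(url: str) -> list:
    """Return a list of findings for a configured authority URL.

    An empty list means the URL uses https and a recognised, current host.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("authority must use https")
    host = (parts.hostname or "").lower()
    if host in DEPRECATED_HOSTS:
        findings.append(
            f"deprecated host {host}; Azure Government tenants must use "
            f"{AUTHORITY_HOSTS['usgov']}"
        )
    elif host not in AUTHORITY_HOSTS.values():
        findings.append(f"unrecognised authority host {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed demo values; 'contoso' tenants are placeholders.
    print(discovery_url("usgov", "contoso.onmicrosoft.us"))
    for candidate in (
        "https://login.microsoftonline.us/contoso.onmicrosoft.us",
        "https://login-us.microsoftonline.com/contoso.onmicrosoft.us",
        "http://login.microsoftonline.com/contoso.onmicrosoft.com",
    ):
        print(candidate, "->", check_authority(candidate) or "ok")
```

Running the check over the authority URL you enter in the Enterprise OIDC connection (or over the issuer in the discovery document it fetches) catches the retired host early; after July 2020 the quoted response says sign-ins through it are blocked, so the failure would otherwise surface only at login time.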