We have an enterprise connection set up to an Active Directory instance of one of our customers. The connection has been established for about a year now, and we have written a custom Rule allowing us to get the AD group IDs from the token (as per this knowledge-base article) and make them available on the user metadata so we can consume them in a post-login action.
Recently, about a week ago, we started receiving notices from our customer that some of their Active Directory users were having login issues. I checked the user details and noticed that the group IDs were not there. The group names were still there, and there haven't been any changes made to the connection, the rule, or the post-login action. All the users that exhibit this problem have the same tenant ID as the users that are working. I can also confirm, from my own testing, that other connections seem to work fine.
I suspect that this may be an issue with the Active Directory configuration, but without access to it I cannot confirm. So my questions are:
Have there been any other instances of this happening, where some Active Directory users were coming through without group IDs alongside those that have group IDs?
Is there a way to see the exchange of group IDs between Active Directory and Auth0? I'm not sure if group IDs are passed through as part of the exchange, or if they're fetched via the Graph API, but is there a way I can see that call happening (even if I need to change the rule or post-login action)?
Has there been a recent change to how these group IDs are made available to Auth0 that I should be aware of?
I have seen that you have opened an internal ticket regarding the issue; nonetheless I will also answer your questions posted here since it might help others as well.
There were a few instances in which this issue has occurred, specifically more recently due to Microsoft deprecating the Azure AD Graph API and opting for the Microsoft Identity Platform v2 at the connection level in the Azure settings. This situation can be spotted by checking the Auth0 logs. This article on the matter can be checked: Azure AD Enterprise Connection Groups Suddenly Missing
From the Auth0 side you can check the user profile and see if it has the group IDs. If the Identity Provider sends them, then they should be mapped to the user profile. You can check this article here: How to Get Group IDs from Azure
No recent changes were made in Auth0, however there were some on Microsoft’s end.
This is why, if your connection is set up accordingly in Auth0 following the steps from the articles mentioned above, the most likely reason for the group IDs missing would be a configuration issue on the customer's end, so we would advise checking with them to see whether their settings are up to date on the Azure side.
Thank you and if you have further questions please let me know!
Best regards,
Remus
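As an added example (not the original poster's rule and not Auth0's or Microsoft's own code), here is how the group-ID extraction from the question could be written in a Post-Login Action so that the "group names present, group IDs absent" situation is detected explicitly instead of silently producing an empty list. It assumes that the Azure AD connection's identity appears on the Auth0 user with `provider: 'waad'`, that the group object IDs, when the Azure app registration is configured to emit them, arrive as an array of GUIDs under `groups` on the user root or on the identity's `profileData`, and that Azure's group-overage indicator (`_claim_names` / `_claim_sources`, emitted when a user is a member of more groups than a token may carry) is mirrored verbatim. The sample user objects and the `api` stub are constructed for illustration; the custom-claim namespace is a placeholder.

```javascript
// Added example: classify what an Auth0 user object carries about Azure AD
// groups and fail closed when object IDs are not available.
//
// Assumptions (not confirmed by the original thread):
//  - the Azure AD connection's identity has provider === 'waad';
//  - group object IDs, when Azure emits them, are an array of GUIDs under
//    `groups` on the user root or on identity.profileData;
//  - the overage marker (_claim_names / _claim_sources) is mirrored verbatim.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isGuidList(value) {
  return Array.isArray(value) && value.length > 0 &&
    value.every((v) => typeof v === 'string' && GUID_RE.test(v));
}

// Returns { status, groupIds }, where status is one of:
//   'ok'         group object IDs present and well-formed
//   'overage'    Azure omitted the groups and pointed at Graph instead
//   'names-only' a groups list exists but holds display names, not IDs
//   'missing'    no group information at all
function extractGroupIds(user) {
  const identity = (user.identities || []).find((i) => i.provider === 'waad');
  const profile = (identity && identity.profileData) || {};
  const candidates = [user.groups, profile.groups];

  for (const c of candidates) {
    if (isGuidList(c)) return { status: 'ok', groupIds: c };
  }
  const claimNames = user._claim_names || profile._claim_names;
  if (claimNames && claimNames.groups) return { status: 'overage', groupIds: [] };
  for (const c of candidates) {
    if (Array.isArray(c) && c.length > 0) return { status: 'names-only', groupIds: [] };
  }
  return { status: 'missing', groupIds: [] };
}

// Post-Login Action entry point in the shape Auth0 uses (event, api).
// Returns the classification so the decision can be checked in a test.
function onExecutePostLogin(event, api) {
  const result = extractGroupIds(event.user);
  if (result.status !== 'ok') {
    // Fail closed: downstream authorization must not run on an empty group list.
    api.access.deny(`Azure AD group IDs unavailable (${result.status}); ` +
      'check the groups claim configuration on the Azure app registration');
    return result.status;
  }
  api.user.setAppMetadata('ad_group_ids', result.groupIds);
  api.idToken.setCustomClaim('https://example.com/claims/groups', result.groupIds); // placeholder namespace
  return result.status;
}

// Stub of the Actions `api` object, recording what the action decided.
function makeApiStub() {
  const calls = { denied: null, appMetadata: {}, claims: {} };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
    user: { setAppMetadata: (k, v) => { calls.appMetadata[k] = v; } },
    idToken: { setCustomClaim: (k, v) => { calls.claims[k] = v; } },
  };
}

// Constructed sample users (no real tenant or group data).
const SAMPLE_USER_WITH_IDS = {
  user_id: 'waad|user-a',
  groups: ['0b5f5f2e-1b1a-4e0f-9c1c-2d8e6b1f1a11', '6d3c7e33-52bb-4f0c-9d9c-6b0ac1e1f222'],
  identities: [{ provider: 'waad', profileData: {} }],
};
const SAMPLE_USER_NAMES_ONLY = {
  user_id: 'waad|user-b',
  groups: ['Finance', 'Engineering'],
  identities: [{ provider: 'waad', profileData: {} }],
};
const SAMPLE_USER_OVERAGE = {
  user_id: 'waad|user-c',
  identities: [{
    provider: 'waad',
    profileData: {
      _claim_names: { groups: 'src1' },
      _claim_sources: { src1: { endpoint: 'https://graph.microsoft.com/v1.0/users/user-c/getMemberObjects' } },
    },
  }],
};

const demoApi = makeApiStub();
onExecutePostLogin({ user: SAMPLE_USER_NAMES_ONLY }, demoApi);
console.log(demoApi.calls.denied);
```

Whether the non-`ok` branches should deny the login or only tag the user depends on what the post-login logic needs the IDs for; the point is that each branch is logged with a distinct reason, so the Auth0 log entry for a failing user says which of the three cases applies, which is the evidence the customer's AD administrator needs.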