Trying to access user outlook account through SAML connection with Azure AD

Problem statement

We have a SAML connection to Microsoft Azure AD set up and working, but we are not receiving an access token from the Identity Provider in the user’s profile.

We need to establish this:
SAML > Auth0 > Graph API Microsoft

Can you provide an example of how to achieve this? Which API can we use and what config is needed to get an access token?

Some parts might be out of scope but any recommendation and help would be great.

Cause

  • You will not be able to perform requests to the Microsoft Graph API using a SAML connection. Access tokens are a product of the OAuth protocol, not the SAML protocol, so a SAML connection never yields one. Note also that the SAML protocol has no mechanism for authorization (which is what access tokens are used for); it covers only user authentication. In other words, a SAML Response cannot be used to authorize access to an API like the Microsoft Graph API.

Solution

You can either configure a Microsoft Azure AD connection, which returns a Microsoft Graph API access token, or ask your Identity Provider to include the relevant data directly in the SAML Response.

For example, if you normally call the Graph API with an access token to read a specific user property, such as their job_title, then you would instead ask the Identity Provider to include that field as an attribute in its SAML Response (the SAML token). See the Microsoft documentation linked below for details on how to add custom claims to the IdP’s SAML Response.
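The following is an added illustration, not code from the original article or from Auth0: it parses a constructed SAML Response and reads the user attributes an IdP can carry in its AttributeStatement, showing where a field like job_title ends up when the IdP is configured to emit it, and reporting which requested attributes the IdP did not send. The sample Response, the attribute names (job_title, and the displayname claim URI as Azure AD emits it) and the helper names are assumptions for the example. It assumes the assertion’s XML signature has already been verified by the service provider; these values should never be trusted before that check.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response and its Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned SAML Response whose AttributeStatement
# carries the user's display name and the job_title attribute discussed above.
# In a real flow the Assertion is signed and the signature must be verified
# before any attribute below is trusted.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_response" Version="2.0">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="job_title">
        <saml:AttributeValue>Security Engineer</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement.

    A SAML Response carries identity attributes only; there is no element
    for an OAuth access token, which is why one never appears here.
    """
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def subject_name_id(response_xml):
    """Return the authenticated subject's NameID, or None if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None


def missing_attributes(attrs, required):
    """List the attributes the application needs that the IdP did not emit.

    Each name returned is a field that must be added as a custom claim on
    the IdP side rather than fetched from the Graph API with a token.
    """
    return [name for name in required if not attrs.get(name)]


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_RESPONSE)
    print("subject:", subject_name_id(SAMPLE_RESPONSE))
    for name, values in attrs.items():
        print(f"{name}: {values}")
    print("missing:", missing_attributes(attrs, ["job_title", "department"]))
```

Running the block prints the subject, the two attributes the sample IdP emitted, and reports department as missing: that is the list you would take back to the IdP administrator as claims to add, since there is no token here with which to fetch them from the Graph API.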