Connect to Azure AD using an OIDC Enterprise Connection

Overview

This article provides instructions for configuring an OpenID Connect (OIDC) Enterprise connection to Azure Active Directory (AD). While Auth0 offers a dedicated Azure AD connection type, a generic OIDC Enterprise connection can also be used.

Applies To
  • Azure Active Directory (AD)
  • Enterprise Connections
  • OpenID Connect (OIDC)

Solution

Using a generic OIDC Enterprise connection for Azure AD offers several advantages over the dedicated Azure AD connection type:

  • It does not require a client secret, which simplifies configuration.
  • It allows for the use of other Azure AD National Cloud instances. For more information, refer to Microsoft Entra authentication & national clouds.
  • It accepts any custom claim included in the ID Token, allowing for greater flexibility in mapping claims to the Auth0 user profile.

The connection uses the Implicit grant by default, requesting an ID Token with response_mode=form_post. To inspect the token that Azure AD provides, use the browser's developer tools to find the POST to https://<auth0_domain>/login/callback. The token can be decoded using a tool such as jwt.io.

Follow the steps below:

Configure Azure AD

These steps configure an application registration for single-tenant applications, where only users from the same directory can log in.

  1. In Azure AD, create a new application registration.
    (Screenshot: Register an application)
  2. For the Redirect URI, select Web as the type and enter https://<tenant_domain>/login/callback. The tenant's domain can be found by checking any application created in Auth0.
    NOTE: If using a custom domain, add a second Redirect URI later, after creating the app.
  3. Select the Register button.
  4. From the confirmation page, copy the Application (client) ID for later use.
    (Screenshot: Endpoints properties)
  5. Select the Endpoints button and copy the OpenID Connect metadata document URL. The URL format is https://login.microsoftonline.com/<Directory (Tenant) ID>/v2.0/.well-known/openid-configuration.
  6. Navigate to the Authentication section.
  7. Under Implicit grant and hybrid flows, select the ID tokens checkbox.
  8. If using a custom domain with Auth0, add a second Redirect URI in the https://<your_custom_domain>/login/callback format.
    (Screenshot: Implicit grant and hybrid flows)
  9. Click the Save button.
  10. Navigate to the Token configuration section.
  11. Click Add optional claim.
    (Screenshot: Optional claims)
  12. Select ID.
    (Screenshot: Add optional claim)
  13. Select email, family_name, and given_name, along with any other required claims. Select Add.
  14. When prompted, accept the request for Microsoft Graph permissions.
    (Screenshot: Permissions checkbox)
  15. Optionally, click Add groups claim to include group information in the ID Token.
  16. Navigate to the Certificates & Secrets section.
    (Screenshot: Certificates & Secrets section)
  17. Select New Client Secret.
  18. Copy the Client Secret Value, not the Secret ID.

Steps on Auth0

  1. In the Auth0 Dashboard, navigate to Authentication > Enterprise.
  2. Select OpenID Connect and click Create Connection.
  3. Enter a Connection name.
  4. In the Issuer URL field, paste the OpenID Connect metadata document URL copied from Azure AD.
  5. In the Client ID field, paste the Application (client) ID copied from Azure AD.
    (Screenshot: New OpenID Connect Connection)
  6. Select Create.
  7. Select the Applications tab for the new connection and enable the connection for at least one application.
  8. Once the settings are saved, return to the list of OIDC Enterprise connections, click the three dots to the right of the new connection, and select Try to test the connection. Auth0 stores all claims included in the ID Token from Azure AD in the user's profile.
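The following is an added example, not code from Auth0 or Microsoft, covering two points above: inspecting the ID Token that Azure AD posts to /login/callback (the Solution section) and the fact that every claim in that token ends up in the user's profile (the last Auth0 step). It builds a constructed form_post body with a placeholder-signed token, decodes the payload the way jwt.io does, derives the expected issuer from the metadata document URL, and lists the checks a relying party would fail the token on (issuer, audience, expiry, missing optional claims). The tenant ID, client ID, claim values and the `to_profile` mapping are all constructed for illustration; signature verification is deliberately left out because Auth0 performs it against the JWKS referenced by the metadata document.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed placeholder identifiers; substitute the values from your own tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
METADATA_URL = (
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
)


def expected_issuer(metadata_url: str) -> str:
    """The Azure AD v2.0 issuer is the metadata URL without the well-known suffix."""
    suffix = "/.well-known/openid-configuration"
    if not metadata_url.endswith(suffix):
        raise ValueError("not an OIDC metadata document URL")
    return metadata_url[: -len(suffix)]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims: dict) -> str:
    """Constructed token for the demo: real header and payload, placeholder signature."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-key-id"}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    ]
    return ".".join(segments + ["placeholder-signature"])


def parse_form_post(body: str) -> dict:
    """Extract id_token and state from the form_post body sent to /login/callback."""
    fields = parse_qs(body, strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


def decode_id_token(id_token: str) -> dict:
    """Decode the payload the way jwt.io does. This does not check the signature;
    Auth0 verifies it against the JWKS published in the metadata document."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, issuer: str, client_id: str, now: Optional[int] = None) -> list:
    """Return the problems a relying party would reject this token for (empty list = OK)."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {issuer!r}")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not contain the Application (client) ID")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    if "sub" not in claims:
        problems.append("sub claim missing")
    for optional in ("email", "given_name", "family_name"):
        if optional not in claims:
            problems.append(f"optional claim {optional} not configured in Azure AD")
    return problems


def to_profile(claims: dict) -> dict:
    """Illustrative mapping (not Auth0's internal schema): standard fields on top,
    plus every other claim, since all ID Token claims land in the user's profile."""
    profile = {k: claims[k] for k in ("sub", "email", "given_name", "family_name", "name") if k in claims}
    profile["raw_claims"] = dict(claims)
    return profile


def sample_claims(now: int) -> dict:
    """Constructed claim set mirroring what Azure AD returns with the optional claims enabled."""
    return {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID,
        "sub": "constructed-subject-id",
        "tid": TENANT_ID,
        "iat": now,
        "exp": now + 3600,
        "nonce": "constructed-nonce",
        "email": "jane.doe@example.com",
        "given_name": "Jane",
        "family_name": "Doe",
        "name": "Jane Doe",
    }


if __name__ == "__main__":
    now = int(time.time())
    body = f"id_token={make_sample_id_token(sample_claims(now))}&state=constructed-state"
    claims = decode_id_token(parse_form_post(body)["id_token"])
    print(json.dumps(claims, indent=2))
    print("problems:", check_claims(claims, expected_issuer(METADATA_URL), CLIENT_ID, now))
    print(json.dumps(to_profile(claims), indent=2))
```

When troubleshooting a real connection, paste the id_token value from the captured POST into `decode_id_token` and compare `iss` with `expected_issuer` of the metadata URL you entered in Auth0; a mismatch there, or an `aud` that is not the Application (client) ID, is the usual reason the Try test fails. Missing email, given_name or family_name means the optional claims step in Azure AD was skipped.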
