How to Get an Azure V2 Access Token Saved in the User's Identity Profile in Auth0

Overview

Some customers want to retrieve the Azure AD V2 IdP access tokens (not Auth0 access tokens) from the users' profiles in Auth0. Neither built-in enterprise connection supports this:

  • Azure AD Enterprise Connection - The Microsoft Graph API scopes are hardcoded, and the Graph API only returns V1 tokens. In testing, this still appears to be the case.
  • OIDC Enterprise Connection - This connection does not store the IdP token within the identities array of the user profile.
Applies To

  • Azure AD V2 IdP Access Tokens
  • Single Sign-On (SSO)

Solution

A custom social connection must be used; for more information, refer to Connect Apps to Generic OAuth2 Authorization Servers.

General settings guidance for the connection:

  • Authorization URL: https://login.microsoftonline.com/[APP-ID]/oauth2/v2.0/authorize
  • Token URL: https://login.microsoftonline.com/[APP-ID]/oauth2/v2.0/token
  • Scope: openid profile email {an application scope that forces V2 tokens; see the screenshot of the expected setup. For more information, refer to Microsoft's How to get access token version 2.0}
  • Separate scopes using space: true
  • Client ID: [APP-ID]
  • Client Secret: {Secret generated in Azure dashboard under the application in Manage > Certificates and Secrets}
  • Fetch User Profile Script: examples below


No JWKS verification

function(accessToken, context, callback) {
  const jwt = require('jsonwebtoken');
  // Decode only: the claims are read without checking the signature, so this
  // relies entirely on the id_token having just been received from the token
  // endpoint over TLS during the authorization code exchange.
  const idToken = jwt.decode(context.id_token);
  if (!idToken) {
    return callback(new Error('id_token missing or malformed'));
  }
  const profile = {
    user_id: idToken.oid,
    email: idToken.email,
    name: idToken.name
  };
  callback(null, profile);
}


With JWT verification with the JWKS endpoint

function(accessToken, context, callback) {
  const jwt = require('jsonwebtoken');
  const jwksClient = require('jwks-rsa');
  const client = jwksClient({
    timeout: 5000,
    jwksUri: 'https://login.microsoftonline.com/[APP-ID]/discovery/v2.0/keys'
  });
  // Resolve the signing key named by the kid in the token header.
  function getKey(header, callback) {
    client.getSigningKey(header.kid, function(err, key) {
      if (err) {
        return callback(err);
      }
      const signingKey = key.publicKey || key.rsaPublicKey;
      callback(null, signingKey);
    });
  }
  // The options argument must be an object, not an array. Pin the algorithm so
  // a token with a different alg is rejected, and check that the token was
  // issued for this application (the aud of an Azure AD id_token is the client ID).
  const options = {
    algorithms: ['RS256'],
    audience: '[APP-ID]'
  };
  jwt.verify(context.id_token, getKey, options, function(err, idToken) {
    if (err) {
      return callback(err);
    }
    console.log('JWT verified!');
    const profile = {
      user_id: idToken.oid,
      email: idToken.email,
      name: idToken.name
    };
    callback(null, profile);
  });
}


NOTE: In the code above, the JWKS endpoint will be called on every login attempt via that connection. Please ensure the JWKS endpoint used is configured for this type of traffic.
 
