Auth0 SCIM Provisioned Users from Entra ID Fail Email Verification upon First Login

Overview

This article clarifies why users provisioned into Auth0 from Microsoft Entra ID via System for Cross-domain Identity Management (SCIM) remain with an unverified email status after their first login. It addresses scenarios where the profile merge fails or the user receives the following error message during the initial authentication attempt.

Access Denied

Applies To
  • Auth0
  • Microsoft Entra ID
  • SCIM

Cause

A custom Post-Login Action within the Auth0 tenant often enforces email verification before granting access. Since SCIM creates users with the email_verified: false status by default, the Action denies the initial login attempt. This interruption prevents Auth0 from completing the profile merge and updating the email verification claim from the Entra ID token.

Solution

To resolve this issue, the Post-Login Action must include an exception for the Entra ID connection strategy. This allows the first login to complete, so the identities can merge and the email status can update to verified.

  1. Log in to the Auth0 Dashboard.

  2. Navigate to Actions > Library.

  3. Select the specific Post-Login Action enforcing email verification.

  4. Modify the code to exclude the waad strategy:

exports.onExecutePostLogin = async (event, api) => {
    // Add an exception for the 'waad' strategy (Entra ID / Azure AD)
    if (!event.user.email_verified && event.connection.strategy !== 'waad') {
        api.access.deny('Please verify your email before logging in.');
    }
};
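Added example (not part of the Auth0 article): a local harness that runs the Post-Login Action above against stubbed `event` and `api` objects, so the deny/allow decision for a SCIM-provisioned user can be checked offline. The connection names and user values are constructed; only the fields the Action reads are modelled.

```javascript
// Added example (not part of the Auth0 article): a local harness that runs
// the Post-Login Action above against stubbed `event` and `api` objects so the
// deny/allow decision can be checked offline. Connection and user values below
// are constructed for this example; only the fields the Action reads are modelled.

// The same rule as the deployed Action: deny users whose email is unverified,
// except when the login arrives through the Entra ID ('waad') strategy, so the
// first login can complete and the SCIM-created profile can merge.
async function onExecutePostLogin(event, api) {
  if (!event.user.email_verified && event.connection.strategy !== 'waad') {
    api.access.deny('Please verify your email before logging in.');
  }
}

// Minimal stand-in for the Actions `api` object that records a deny call.
function makeApi() {
  const result = { denied: false, reason: null };
  return {
    result,
    access: {
      deny(reason) {
        result.denied = true;
        result.reason = reason;
      },
    },
  };
}

// Run the Action for one user on one connection and return the decision.
// The Action body contains no `await`, so the async function runs to
// completion synchronously and any deny is recorded before this returns.
function simulateLogin(user, connection) {
  const api = makeApi();
  onExecutePostLogin({ user, connection }, api);
  return api.result;
}

// Constructed sample data: a SCIM-provisioned user still carries
// email_verified: false at first login.
const scimUser = { email: 'first.login@example.com', email_verified: false };
const entraConnection = { name: 'entra-id-example', strategy: 'waad' };
const dbConnection = { name: 'Username-Password-Authentication', strategy: 'auth0' };

// First login via Entra ID is allowed, so identities can merge; the same
// unverified state on a database connection is still denied.
console.log('waad  :', simulateLogin(scimUser, entraConnection));
console.log('auth0 :', simulateLogin(scimUser, dbConnection));
```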

Apply the following configurations to ensure successful identity merging and email verification:

  • In Auth0 Enterprise Connection settings, set the User ID Attribute Type to user object identifier (oid).

  • In the connection settings, set the Email Verification toggle to Always set email_verified to true.

  • In the Auth0 Dashboard, navigate to Settings > Advanced and turn on the Enable email verification flow during login for Azure AD and ADFS connections toggle.

  • In Auth0 SCIM Provisioning settings, map the SCIM attribute containing the user ID to externalId.

  • In Entra ID SCIM Attribute Mappings, map the Azure objectId to the SCIM externalId.

Attribute mapping
