Reputation: 3732
I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account eg. [email protected]
However, when I try to authenticate with my work account [email protected], which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one.":
I thought that, given the Microsoft settings, it would allow it to connect.
How can I make Auth0 allow Microsoft authentication with other companies' existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies' AAD, e.g. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
Upvotes: 0
Views: 1654
Reputation: 1705
I believe the OP is trying to set up a social connection in Auth0 to have both personal and work Microsoft accounts log in, and that's without an Auth0 Enterprise plan. I was trying to do the same; the answers here helped a lot, but didn't give me everything I needed to do this in Auth0.
So here's how I did it:
As for the fetch user profile script:
function(accessToken, ctx, cb) {
  const axios = require('axios');
  // Call Microsoft Graph with the access token Auth0 obtained from Microsoft
  axios.get('https://graph.microsoft.com/v1.0/me', {
    headers: {
      'Authorization': `Bearer ${accessToken}`,
      'Accept': 'application/json'
    }
  })
  .then(response => {
    // Map the Graph user object onto the profile fields Auth0 expects
    const profile = {
      user_id: response.data.id,
      name: response.data.displayName,
      email: response.data.userPrincipalName,
      given_name: response.data.givenName,
      family_name: response.data.surname,
      nickname: response.data.userPrincipalName.split('@')[0]
    };
    cb(null, profile);
  })
  .catch(error => {
    // Hand any Graph/network error back to Auth0 so the login fails cleanly
    cb(error);
  });
}
And that's it, it worked!! 🎉 🙌 Thanks for your guidance @Rukmini @Tiny Wang!
Oh, and if you want to have a nice icon and connection name in the Universal Login screen, it's not exactly straightforward; you need to do it with a request to the Management API :_( Get the credentials (google it if you don't know how), and do a request like this:
curl --request PATCH \
  --url 'https://YOUR_AUTH0_DOMAIN_HERE/api/v2/connections/YOUR_CONNECTION_ID' -v \
  --header 'content-type: application/json' \
  --header 'authorization: bearer YOUR_API_KEY_HERE' \
  --data '{ "options": { "icon_url": "A_PNG_ICON_URL", "scripts": {"fetchUserProfile": "anything"} }, "display_name": "Microsoft Whatever"}'
Unfortunately, the above is not actually a PATCH and has the "side-effect" of deleting all other properties of the connection, such as URLs and such. I guess you can add all of them to the request, but I find the API not very consistent and in order to avoid surprises I use the web forms when I can. The API docs are also horrible, full of errors.
The connection ID appears on the connection page and looks like con_xxxxxxx
Upvotes: 0
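The "PATCH that wipes the other properties" effect described in the answer above can be avoided by reading the connection first and merging the change into what is already stored. This is an added example, not the answer author's code and not Auth0 tooling; it assumes Node 18+ (global fetch), a Management API token that holds the read:connections and update:connections scopes, and placeholder values for the domain, connection ID and icon URL. The merge keeps the stored fetchUserProfile script source rather than replacing it with a dummy string.

```javascript
// Added example: read-modify-write so a Management API PATCH keeps the
// connection's existing options. Not the answer author's code nor Auth0's.
// Assumptions: Node 18+ (global fetch); token has read:connections and
// update:connections; domain, connection id and icon URL are placeholders.

// Overlay the changed keys on the stored options. The API replaces the
// whole `options` object on PATCH, so anything not re-sent is lost.
function mergeConnectionUpdate(existing, update) {
  const storedOptions = existing.options || {};
  const newOptions = update.options || {};
  const options = { ...storedOptions, ...newOptions };
  // `scripts` is itself an object (fetchUserProfile lives inside it), so
  // merge one level deeper to keep the stored script source.
  if (storedOptions.scripts || newOptions.scripts) {
    options.scripts = { ...(storedOptions.scripts || {}), ...(newOptions.scripts || {}) };
  }
  const body = { options };
  if (update.display_name !== undefined) body.display_name = update.display_name;
  return body;
}

// GET the connection, merge, then PATCH. fetchImpl is injectable for tests.
async function patchConnectionPreservingOptions(domain, token, connectionId, update, fetchImpl = fetch) {
  const url = `https://${domain}/api/v2/connections/${encodeURIComponent(connectionId)}`;
  const headers = { authorization: `Bearer ${token}`, 'content-type': 'application/json' };

  const getRes = await fetchImpl(url, { method: 'GET', headers });
  if (!getRes.ok) throw new Error(`GET connection failed: HTTP ${getRes.status}`);
  const existing = await getRes.json();

  const body = mergeConnectionUpdate(existing, update);
  const patchRes = await fetchImpl(url, { method: 'PATCH', headers, body: JSON.stringify(body) });
  if (!patchRes.ok) throw new Error(`PATCH connection failed: HTTP ${patchRes.status}`);
  return patchRes.json();
}

// Example invocation with placeholder values (runs only when executed directly).
if (typeof require !== 'undefined' && require.main === module) {
  patchConnectionPreservingOptions(
    'YOUR_AUTH0_DOMAIN_HERE',
    process.env.AUTH0_MGMT_TOKEN || 'YOUR_API_KEY_HERE',
    'con_xxxxxxx',
    { options: { icon_url: 'https://example.invalid/icon.png' }, display_name: 'Microsoft Work and Personal' }
  ).then(c => console.log('updated', c.id)).catch(e => console.error(e.message));
}
```

One caveat: this only preserves keys the GET response actually returns. If the API does not echo back a secret-bearing option, that key cannot be carried over by a merge and must be supplied explicitly, so compare the GET body against the connection page before patching.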
Reputation: 91
You need to use Enterprise Connections for Microsoft work accounts. Social Connections provided by Auth0 can only allow Microsoft personal accounts, not Microsoft work accounts.
If you don't upgrade to Auth0 Enterprise, you can only configure up to 3 Enterprise Connections.
Upvotes: 0
Reputation: 15464
I tried to reproduce the same in my environment and got the results below:
I created an Azure AD Application:
Note: make sure to use the common endpoint for multi-tenant and Microsoft accounts.
For sample I used the below endpoint to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign-in with the personal account, the user logged in successfully like below:
And now I tried to log in with a user from another tenant, like below:
By using the common endpoint, I am able to sign in with personal accounts and other tenant accounts too.
To limit the feature to specific companies' AAD, check this blog.
For more details, refer to the MS Docs below:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Upvotes: 2
Reputation: 15906
Assuming you want to use a multi-tenant app to allow users from different companies to sign in to your application with their work accounts, let's say you create an Azure AD application in your tenant (tenantA).
Then in your app, you may set the TenantId as the tenant id, so that even though you created a multi-tenant app, you will only allow users in your tenant to sign in. The sign-in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize? With this link, you will be able to use an account like [email protected] to sign in; you can also use a personal account which is invited to tenantA as a guest to sign in to your app.
If you want users in tenantB to sign in to your app with an account like [email protected], then you must set the TenantId in your app as common, which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then when signing in to the application created by tenantA with an account in tenantB, you may see the screenshot below. After consenting, [email protected] can sign in to this application.
Upvotes: 0
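The two answers above cover the choice between a tenant-specific endpoint and the common endpoint, and the question asks how to limit common-endpoint sign-in to specifically nominated companies. The check that does that is a tenant allowlist on the ID token's tid claim, together with confirming that the issuer is the per-tenant v2.0 issuer for that same tenant (tokens from the common endpoint carry a per-tenant iss, so it cannot be compared against one fixed string). This is an added example, not code from either answer or from Microsoft; it assumes your OIDC library has already verified the token's signature, expiry and audience, and the tenant GUIDs in ALLOWED_TENANTS and the sample claims are constructed placeholders.

```javascript
// Added example: restrict a `common`-endpoint sign-in to nominated tenants.
// Not from the answers or from Microsoft. Run it AFTER your OIDC library has
// verified the ID token's signature, expiry and audience. The GUIDs in
// ALLOWED_TENANTS and the sample claims below are constructed placeholders.

const ALLOWED_TENANTS = new Set([
  '11111111-1111-1111-1111-111111111111', // placeholder: nominated company A
  '22222222-2222-2222-2222-222222222222', // placeholder: nominated company B
]);

// Well-known tenant id Microsoft places in `tid` for personal accounts.
const PERSONAL_ACCOUNT_TENANT = '9188040d-6c67-4c5b-b112-36a304b66dad';

// v2.0 tokens from the common endpoint carry a per-tenant issuer of the form
// https://login.microsoftonline.com/{tid}/v2.0, so extract the tenant from it.
function tenantOfIssuer(iss) {
  const m = /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i.exec(iss || '');
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a verified ID token's tenant is one we nominated.
function checkTenant(claims, { allowedTenants = ALLOWED_TENANTS, allowPersonal = false } = {}) {
  const tid = String(claims.tid || '').toLowerCase();
  const issuerTenant = tenantOfIssuer(claims.iss);
  if (!tid || !issuerTenant) return { ok: false, reason: 'missing tid or unrecognised issuer' };
  // The issuer and tid must agree; a mismatch means the token was not minted
  // by the tenant it claims to belong to.
  if (tid !== issuerTenant) return { ok: false, reason: 'issuer does not match tid' };
  if (tid === PERSONAL_ACCOUNT_TENANT) {
    return allowPersonal
      ? { ok: true, tenant: tid, personal: true }
      : { ok: false, reason: 'personal accounts not allowed' };
  }
  if (!allowedTenants.has(tid)) return { ok: false, reason: 'tenant not nominated' };
  return { ok: true, tenant: tid, personal: false };
}

// Constructed sample claims in the shape of a decoded v2.0 ID token payload.
const SAMPLE_WORK_CLAIMS = {
  iss: 'https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0',
  tid: '11111111-1111-1111-1111-111111111111',
  oid: '33333333-3333-3333-3333-333333333333',
  preferred_username: 'user@companya.example',
};
const SAMPLE_OTHER_TENANT_CLAIMS = {
  ...SAMPLE_WORK_CLAIMS,
  iss: 'https://login.microsoftonline.com/44444444-4444-4444-4444-444444444444/v2.0',
  tid: '44444444-4444-4444-4444-444444444444',
};
const SAMPLE_MISMATCH_CLAIMS = { ...SAMPLE_WORK_CLAIMS, tid: '22222222-2222-2222-2222-222222222222' };
const SAMPLE_PERSONAL_CLAIMS = {
  iss: `https://login.microsoftonline.com/${PERSONAL_ACCOUNT_TENANT}/v2.0`,
  tid: PERSONAL_ACCOUNT_TENANT,
  preferred_username: 'someone@outlook.example',
};

// Quick demonstration of the four cases when run directly.
for (const [label, claims] of [
  ['nominated work tenant', SAMPLE_WORK_CLAIMS],
  ['non-nominated tenant', SAMPLE_OTHER_TENANT_CLAIMS],
  ['issuer/tid mismatch', SAMPLE_MISMATCH_CLAIMS],
  ['personal account', SAMPLE_PERSONAL_CLAIMS],
]) {
  console.log(label, JSON.stringify(checkTenant(claims)));
}
```

Once the tenant is accepted, key the local user record on the oid and tid pair rather than on the email or preferred_username, since those are display values the tenant can change.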