Choose a Connection Type for Azure AD

You can connect your Auth0 instance to Microsoft Azure Active Directory in three ways. Review the options to determine the best approach for your situation.

Auth0 recommends starting with the native Microsoft Azure AD connection. If you need further customization, review the SAML connection configuration. If your organization has additional restrictions on OAuth code flows, review the Enterprise OIDC configuration.

The table below illustrates the main differences in these connection types. Review these capabilities to determine the best connection type for your organization.

Connection Type                                   | "Native" Azure AD             | Enterprise OIDC                                      | SAML
Protocol                                          | OAuth authorization code flow | OAuth implicit flow OR OAuth authorization code flow | SAML
Can receive optional claims from Azure AD?        | No                            | Yes                                                  | Yes
Federated logout support ("Single Logout" or SLO) | Yes                           | No                                                   | Yes
Receive AD Groups                                 | Yes, friendly names           | Yes, object IDs                                      | Yes, object IDs
Receive Extended Profile                          | Yes                           | No                                                   | No

Microsoft Azure AD

The first connection type is the Microsoft Azure AD connection in Auth0 Dashboard > Authentication > Enterprise.

This connection type uses the OAuth authorization code flow. The Microsoft Azure AD connection accepts claims from an id_token and directly queries the Microsoft Graph API. If configured, the query retrieves groups and additional profile information. This connection type ignores any custom claims included in the id_token.

Connection Features and Considerations

Because this connection type is the native workflow, it is explicitly compatible with extended AD features. The Azure AD connection maps profile attributes directly to your Auth0 user profiles from the Microsoft Graph API.

The extended profile option offers three attributes not available in other connection types. You must enable permission to query the Microsoft Graph API to receive the extended profile attributes. The table below compares the Azure AD Graph attributes across the connection types:

Graph Attribute   | Auth0 Profile Attribute | Data type | Equivalent optional claim for OIDC or SAML
businessPhones    | phone                   | array     | -
givenName         | given_name              | string    | given_name
jobTitle          | job_title               | string    | -
mobilePhone       | mobile                  | string    | -
preferredLanguage | preferred_language      | string    | xms_pl
surname           | family_name             | string    | family_name
userPrincipalName | upn                     | string    | upn
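The following is an added example, not Auth0's or Microsoft's own code, that applies the attribute table above to the two sources an Azure AD connection can draw on: a user object from the Microsoft Graph API (native connection) and the optional claims of an id_token (OIDC or SAML). It returns the Auth0 profile attributes that could be populated and lists the ones that only the native connection can supply. The sample Graph user and id_token claims are constructed; the function and variable names are this example's own.

```javascript
// Added example (not Auth0's or Microsoft's code): map profile attributes from
// either source to Auth0 profile attribute names, using the table on this page.

// Graph attribute -> Auth0 profile attribute (native Azure AD connection).
const GRAPH_TO_AUTH0 = {
  businessPhones: "phone",            // array
  givenName: "given_name",
  jobTitle: "job_title",
  mobilePhone: "mobile",
  preferredLanguage: "preferred_language",
  surname: "family_name",
  userPrincipalName: "upn",
};

// Optional claim -> Auth0 profile attribute (OIDC or SAML). Attributes marked
// "-" in the table (phone, job_title, mobile) have no equivalent claim.
const CLAIM_TO_AUTH0 = {
  given_name: "given_name",
  family_name: "family_name",
  upn: "upn",
  xms_pl: "preferred_language",
};

// source is "graph" or "id_token"; payload is the raw object from that source.
// Returns { profile, missing }: the mapped attributes and the attribute names
// the native connection could have filled but this source cannot.
function mapProfile(source, payload) {
  let table;
  if (source === "graph") table = GRAPH_TO_AUTH0;
  else if (source === "id_token") table = CLAIM_TO_AUTH0;
  else throw new Error(`unknown profile source: ${source}`);

  const profile = {};
  for (const [key, attr] of Object.entries(table)) {
    const value = payload[key];
    if (value === undefined || value === null) continue;   // absent attribute
    // businessPhones is an array in Graph; copy it so callers cannot mutate input.
    profile[attr] = Array.isArray(value) ? [...value] : value;
  }
  // Anything not in the table (e.g. an "oid" claim) is intentionally ignored.
  const missing = Object.values(GRAPH_TO_AUTH0).filter((attr) => !(attr in profile));
  return { profile, missing };
}

// Constructed sample inputs (not real tenant data).
const SAMPLE_GRAPH_USER = {
  businessPhones: ["+1 425 555 0100"],
  givenName: "Avery",
  jobTitle: "Analyst",
  mobilePhone: "+1 425 555 0101",
  preferredLanguage: "en-US",
  surname: "Lee",
  userPrincipalName: "avery.lee@contoso.example",
};
const SAMPLE_ID_TOKEN_CLAIMS = {
  given_name: "Avery",
  family_name: "Lee",
  upn: "avery.lee@contoso.example",
  xms_pl: "en-US",
  oid: "00000000-0000-0000-0000-000000000000",   // not in the table; ignored
};

// Running stand-alone shows which attributes each source can deliver.
console.log(mapProfile("graph", SAMPLE_GRAPH_USER));
console.log(mapProfile("id_token", SAMPLE_ID_TOKEN_CLAIMS));
```

For the id_token source, `missing` comes back as `phone`, `job_title` and `mobile`, which is exactly the extended-profile set the table reserves for the native connection; an application that needs those attributes through OIDC or SAML has to obtain them some other way rather than expecting them in the profile.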

Group Configuration

If you enable permission to query the Microsoft Graph API, Auth0 automatically retrieves the user's groups and maps them to the groups attribute in the Auth0 profile. Auth0 maps the groups by their "friendly names", and no custom claim needs to be configured because the groups come directly from the Microsoft Graph API.

SAML

The SAML connection type uses the SAML protocol and supports attribute mapping and all standard SAML features.

Connection Features and Considerations

The SAML connection type is the most flexible of the available connection types because it supports optional claims and federated logouts. If you need both of these features, SAML is the only connection type that supports both simultaneously.

Group Configuration

For Auth0 to accept group information with the SAML connection type, you must configure your Azure AD with optional attributes in the SAML response. Auth0 then maps the groups to the group_ids attribute in the user's Auth0 profile.

Enterprise OIDC

The Enterprise OpenID Connect (OIDC) connection type can use either the OAuth Implicit or the Authorization Code flow. This connection maps custom claims in the id_token to the Auth0 User Profile. To learn more about authentication flows, visit the Authentication and Authorization Flows documentation.

Connection Features and Considerations

If regulations or privacy protocols prevent you from providing a client secret in your login flow, the Implicit Flow offered by the OIDC connection may be the preferred method. If you require custom claims but do not want to configure the additional SAML features, the OIDC connection can reduce complexity.

Group Configuration

For Auth0 to accept group information with the OIDC connection type, you must configure your Azure AD with an optional claim to add groups in the id_token of your request. Auth0 then maps these groups to the group_ids attribute in the user’s Auth0 profile.
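The three Group Configuration sections above show that the same Azure AD group arrives in the Auth0 profile in two different shapes: friendly names in groups for the native connection, object IDs in group_ids for SAML and OIDC. The following added example, which is not Auth0's own code, is a post-login Action that normalizes both shapes into one custom claim so authorization logic downstream does not depend on which connection the user came through. Assumptions, labelled in the code as well: the connection strategy names "waad" (native Azure AD), "samlp" (SAML) and "oidc" (Enterprise OIDC), the Action API calls used, the claim namespace, and the constructed object-ID-to-name table.

```javascript
// Added example, not Auth0's own code: normalize Azure AD group information from
// any of the three connection types into one custom claim.
//
// Assumed: strategy names "waad" / "samlp" / "oidc", the api.accessToken and
// api.idToken setCustomClaim calls, and the claim namespace below.
const CLAIM_NAMESPACE = "https://example.com/claims/";   // assumed namespace

// Constructed mapping maintained by the tenant admin: Azure AD group object IDs
// to the names the application reasons about. Object IDs are stable identifiers;
// display names can be changed in Azure AD, so IDs are the safer key for
// authorization decisions on the SAML and OIDC paths.
const GROUP_NAMES_BY_ID = {
  "11111111-2222-3333-4444-555555555555": "Finance",
  "66666666-7777-8888-9999-000000000000": "Engineering",
};

// A single group may arrive as a bare string rather than a one-element array;
// anything else (undefined, object) is treated as "no groups".
function toArray(value) {
  if (Array.isArray(value)) return value;
  if (typeof value === "string") return [value];
  return [];
}

// Returns the user's groups as friendly names regardless of connection type.
function normalizeGroups(event) {
  const user = event.user || {};
  const strategy = event.connection ? event.connection.strategy : undefined;
  switch (strategy) {
    case "waad":
      // Native connection: Auth0 already placed friendly names in user.groups.
      return toArray(user.groups);
    case "samlp":
    case "oidc":
      // SAML / OIDC: Azure AD sends object IDs, mapped into user.group_ids.
      // IDs not in the table are dropped (fail closed) rather than passed on.
      return toArray(user.group_ids)
        .map((id) => GROUP_NAMES_BY_ID[id])
        .filter((name) => name !== undefined);
    default:
      // Not an Azure AD connection: assert no Azure AD group membership.
      return [];
  }
}

// Auth0 post-login Action entry point (signature assumed from the Actions API).
async function onExecutePostLogin(event, api) {
  const groups = normalizeGroups(event);
  api.accessToken.setCustomClaim(CLAIM_NAMESPACE + "groups", groups);
  api.idToken.setCustomClaim(CLAIM_NAMESPACE + "groups", groups);
}

// Export for the Actions runtime when loaded as a CommonJS module.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed events illustrating the three shapes (not real tenant data).
const SAMPLE_EVENTS = {
  native: { connection: { strategy: "waad" }, user: { groups: ["Finance", "Engineering"] } },
  oidc: { connection: { strategy: "oidc" },
          user: { group_ids: ["11111111-2222-3333-4444-555555555555", "deadbeef-0000-0000-0000-000000000000"] } },
  saml: { connection: { strategy: "samlp" }, user: { group_ids: "66666666-7777-8888-9999-000000000000" } },
};
for (const [name, ev] of Object.entries(SAMPLE_EVENTS)) {
  console.log(name, normalizeGroups(ev));
}
```

Because the table is keyed on object IDs, renaming a group in Azure AD does not silently change who the application treats as a member; an unknown ID yields no group rather than an unexpected one.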