Connect your app to Azure Active Directory (Classic Portal)
To allow users to log in using a Microsoft Azure Active Directory account, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can sign up for free.
1. Create a new Microsoft Azure Active Directory instance
Log in to Microsoft Azure and click on Active Directory on the Dashboard.
Click on ADD+ at the bottom of the screen.
Enter a subdomain, such as: YOUR_TENANT. This can be any text. (It does not have to match the Auth0 subdomain and it will be used in the next step.) Also enter your country and a friendly name for your organization.
2. Create a new application
Once the Microsoft Azure AD instance has been created, you need to create an application. Go to APPLICATIONS and click on ADD AN APPLICATION.
Select Add an application my organization is developing.
Enter a friendly name for the application and select WEB APPLICATION AND/OR WEB API.
Proceed to the next screen and enter the following:
- SIGN-ON URL: your application URL
- APP ID URI: https://YOUR_TENANT.onmicrosoft.com/yourapp
3. Configure the application
Once the application has been created, you have to configure it. Click CONFIGURE to continue. On this screen you can customize the logo and the application URL that you entered before, if needed.
Enter the following values on KEYS and REPLY URL, and click Save.
- KEYS: Select 1 or 2 years (the key will be displayed when these settings are saved)
- REPLY URL: https://YOUR_AUTH0_DOMAIN/login/callback
The next step is to modify permissions so your app can read the directory. Select the Read Directory Data and Enable sign-on and read users' profiles delegated permissions.
Click SAVE at the bottom of the screen and the key will be displayed. Make sure to copy the value of this key before leaving this screen.
4. Copy the Client ID and Secret to Auth0
Log in to your Auth0 Dashboard, and select the Connections > Enterprise menu option. Select Windows Azure AD.
Copy the Client ID and the Key generated by Microsoft Azure in the previous step into the Client ID and Client Secret fields in Auth0.
Congratulations! You are now ready to accept Microsoft Azure AD users.
When granting access, make sure to use an Incognito/InPrivate window and a Global Administrator user.
If you get the error "Access cannot be granted to this service because the service listing is not properly configured by the publisher", try selecting the Application is Multi Tenant option in the Windows Azure AD application on the Azure dashboard.
Signing Key Rollover in Azure Active Directory
Signing keys are used by the identity provider to sign the authentication token it issues, and by the consumer application (Auth0 in this case) to validate the authenticity of the generated token.
For security purposes, Azure AD’s signing key rolls on a periodic basis. If this happens, you do not need to take any action. Auth0 will use the new key automatically.