Delegated Administration Extension v3

The Delegated Administration Extension (DAE) allows you to grant administrative permissions to a select group of people without providing access to any other area.

Configure the DAE

To configure the DAE, you must:

  1. Register the application with Auth0

  2. Create a database connection

  3. Disable all other connections for the Auth0 Application

  4. Create users for database connection

  5. Assign roles to users

  6. Install and configure the extension

  7. Use the extension

Register the application with Auth0

Create the Application that the Delegated Administration Extension will expose to those who should have administrative privileges for the Users page. To do this, create a delegated admin application in Auth0.

When finished, note the application's Client ID.

Create a database connection

In this example, a database connection will serve as the source of your users who are allowed access to the Users area. To configure this, create a database connection.

While setting up your connection:

  • Use a fitting connection name, such as HelpDesk.

  • Enable the Disable Sign Ups toggle. For security purposes, this ensures that even users who have the link to the database connection cannot sign themselves up.

Disable all other connections for the Auth0 application

By default, Auth0 enables all connections associated with your tenant when you create a new Application. For this example, disable all connections other than your newly-created database connection. This helps keep the application secure because no one can add themselves using one of your existing connections.

To configure this, update application connections.

Create users for the database connection

To continue, you must create at least one user and attach it to your connection.

Assign roles to users

Auth0 grants access to the Delegated Administration Extension (DAE) for the user(s) attached to your connection based on their roles. These are DAE-specific roles:

This role... Grants permission to...
Delegated Admin - User Search for users, create users, open users, and execute actions on users (such as delete or block).
Delegated Admin - Administrator Do everything that the Delegated Admin - User can, plus see all logs in the tenant and configure Hooks.
Delegated Admin - Auditor Search for users and view user information, but not make changes. Action-based buttons are not visible to this role.
Delegated Admin - Operator Access user management and logs, but not the extension configuration section.

When working with roles, we recommend that you use the Authorization Core feature set:

  1. Create DAE roles. The names of the roles you create must match the names of the pre-defined DAE roles above.

  2. Assign DAE roles to a user manually.

  3. Add user roles to the DAE namespace in the ID Token using Actions:

    exports.onExecutePostLogin = async (event, api) => {
      const namespace = `https://{yourTenant}/auth0-delegated-admin`;
      if (event.client.client_id === 'CLIENT_ID' && event.authorization) {
        api.idToken.setCustomClaim(namespace, { "roles": event.authorization.roles });

    Was this helpful?


Remember to replace the CLIENT_ID placeholder with your delegated admin application's Client ID.

To learn more about creating Actions, read Write Your First Action

Install and configure the extension

Now that we've created and configured an application, a connection, and our user, we can install and configure the Delegated Admin Extension itself.

Use the extension

Once installed, you are ready to use the Delegated Admin Extension.

Navigate to the extension using the appropriate login link for your region and your tenant's extensibility runtime.

Location Name Login Link
Australia AU https://{yourTenant}
Europe EU https://{yourTenant}
Europe EU-2 https://{yourTenant}
Japan JP-1 https://{yourTenant}
UK UK https://{yourTenant}
USA US-1 https://{yourTenant}
USA US-3 https://{yourTenant}

A new tab opens, displaying the login prompt.

Extensions - Delegated Admin - Login prompt

Because (in this example) we disabled signups for the database connection while configuring it, the login screen does not display a Sign Up option. Once you provide valid credentials, Auth0 directs you to your custom Delegated Administration Dashboard page, which has the Title you provided at the top of the page and (if you provided a custom CSS file), your design.

Extensions - Delegated Admin - Standard dashboard

Delegated Administration session timeout

By default, token expiration time is 10 hours. However, for security reasons, when using Delegated Administration, Auth0 doesn't save a token to cookies or sessionStorage. You must start a new session on each page reload.

Learn more