Delegated Administration Extension


This extension requires you to disable the OIDC Conformant flag (and for some older tenants, enable the Legacy User Profile flag) for your application. Once disabled, you must ensure your application's authentication code is updated as well.

The Delegated Administration Extension (DAE) allows you to grant a select group of people administrative permissions to the Users page of the Auth0 Dashboard without providing access to any other area. This is done by exposing the Users area as an Auth0 application.

This tutorial will show you how to expose the Users dashboard to a group of users without allowing them access to the rest of the management dashboard.

Prior to configuring the extension, you will need to:

Create an application

The first step is to create the Application that the extension exposes to those who should have administrative privileges to the Users page.

  1. After you've logged into the Management Dashboard, navigate to Applications.
  2. Click +Create Application.
  3. Provide a name for your application (such as Users Dashboard).
  4. Set the Application type to Single-Page Web Applications.
  5. Click Create to proceed.

(Screenshot: Create an Application)

Configure application settings

Once you've created your application, you'll need to make the following application configuration changes.

  1. Click on the Settings tab.
  2. Set the Allowed Callback URLs. This varies based on your location:

     Location | Allowed Callback URL

  3. You will also need to configure the Allowed Logout URLs:

     Location | Allowed Logout URL

  4. Copy the Client ID value.
  5. Navigate to Settings > Show Advanced Settings > OAuth and paste the Client ID value into the Allowed APPs / APIs field.
  6. Set the JsonWebToken Signature Algorithm to RS256, and make sure the OIDC Conformant toggle is disabled.

(Screenshot: Change Advanced OAuth Settings)

  7. Click Save Changes to proceed.

Enable a connection on the application

When you create a new Application, Auth0 enables all Connections associated with your tenant by default.

For the purposes of this tutorial, we will disable all connections (this helps keep the application secure, since no one can add themselves using one of our existing connections), create a new database connection, and enable only the newly-created database connection. However, you can choose to use any type of connection.

Disable all existing connections

Switch over to the Application's Connections tab and disable all the connections using the associated switches.

Create a new connection

  1. In the navigation pane of the Management Dashboard, click Connections > Database Connections.
  2. On the Database Connections page, click +Create DB Connection.
  3. Provide a name for your connection, such as Helpdesk.
  4. Click Save to proceed.

(Screenshot: Create DB Connection)

  5. Navigate to the Settings tab of your new Connection and enable the Disable Sign Ups option. For security reasons, this ensures that even users who have the link to our connection cannot sign themselves up.

(Screenshot: Disable Sign Ups)

  6. Under the Applications Using This Connection section, enable this connection for your Users Dashboard Application.

Add a user to the new connection

You will need to add at least one user to your connection. You can do this via the Users page, where you can specify the connection for the user during the configuration process.

Assign roles to users

The Authorization Core feature set and the Authorization Extension are completely separate features. To manage groups, roles, or permissions, you will need to use the feature they were originally created in.

Although the Delegated Administration Extension and the Authorization Core feature set are completely separate features, you can use the Authorization Core feature set to create and manage roles for the DAE if you use a rule. To learn how, see Sample Use Cases: Rules with Authorization.

Auth0 grants the user(s) in your connection access to the Delegated Administration extension based on their roles:

  • Delegated Admin - User: Grants permission to search for users, create users, open users and execute actions on these users (such as delete, block, and so on).

  • Delegated Admin - Administrator: In addition to all of the rights a user has, administrators can see all logs in the tenant and configure Hooks.

  • Delegated Admin - Auditor: Grants permission to search for users and view user information, but does not allow the user to make any changes. This role also changes the UI to remove action-based buttons.

  • Delegated Admin - Operator: Grants permission to access user management and logs, but does not allow access to the extension configuration.

To use the extension, users must have one of these roles defined in one of the following fields of their user profiles:

  • user.app_metadata.roles
  • user.app_metadata.authorization.roles

You can set these fields manually or via rules.
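Because those two fields are the source of truth for delegated-admin access, it is worth reviewing them periodically. The following audit helper is an added example (not code from the Auth0 docs or the extension itself): it reads both fields from an exported user list, reports who can open the extension and who holds the Administrator role, and flags role strings that resemble a DAE role but do not match exactly. The sample users are constructed.

```javascript
// Added audit helper (not from the Auth0 docs): reads the two profile fields the extension consults.
const DAE_ROLES = new Set([
  'Delegated Admin - User',
  'Delegated Admin - Administrator',
  'Delegated Admin - Auditor',
  'Delegated Admin - Operator',
]);

// Every role string present in app_metadata.roles or
// app_metadata.authorization.roles (missing or non-array fields are ignored).
function declaredRoles(user) {
  const meta = (user && user.app_metadata) || {};
  const nested = meta.authorization && meta.authorization.roles;
  return [].concat(Array.isArray(meta.roles) ? meta.roles : [],
                   Array.isArray(nested) ? nested : []);
}

// Only recognised DAE roles, de-duplicated across both fields.
function daeRoles(user) {
  return [...new Set(declaredRoles(user).filter((r) => DAE_ROLES.has(r)))];
}

// Review report over a user export: who can open the extension, who is an
// Administrator (sees all tenant logs, configures Hooks), and role names that
// look like DAE roles but do not match exactly (a typo grants nothing).
function auditDaeAccess(users) {
  const report = { withAccess: [], administrators: [], unknownRoles: [] };
  for (const u of users) {
    const roles = daeRoles(u);
    if (roles.length) report.withAccess.push(u.email);
    if (roles.includes('Delegated Admin - Administrator')) report.administrators.push(u.email);
    for (const r of declaredRoles(u)) {
      if (typeof r === 'string' && r.startsWith('Delegated Admin') && !DAE_ROLES.has(r)) {
        report.unknownRoles.push(u.email + ': ' + r);
      }
    }
  }
  return report;
}

// Constructed sample export, not real tenant data.
const SAMPLE_USERS = [
  { email: 'alice@example.com', app_metadata: { roles: ['Delegated Admin - Administrator'] } },
  { email: 'bob@example.com', app_metadata: { authorization: { roles: ['Delegated Admin - Auditor'] } } },
  { email: 'carol@example.com', app_metadata: { roles: ['Delegated Admin - Admin'] } },
  { email: 'dave@example.com' },
];
```

Run it against a Management API user export (or the user-import/export extension's output) to see which accounts currently hold delegated-admin rights.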

Set user roles via rules

As an example, the following rule gives users from the IT Department the Delegated Admin - Administrator role and users who are Department Managers the Delegated Admin - User role. Your custom claim should be namespaced; replace the placeholder namespace below with your own, and CLIENT_ID with the Client ID of your Users Dashboard application.

```javascript
function (user, context, callback) {
  // Only apply this rule to the Users Dashboard application.
  if (context.clientID === 'CLIENT_ID') {
    // Placeholder namespace for the custom claim; use your own URL-style namespace.
    const namespace = 'https://example.com/auth0-delegated-admin';
    // Members of the IT Department get the Administrator role.
    if (user.groups && user.groups.indexOf('IT Department') > -1) {
      context.idToken[namespace] = { roles: [ 'Delegated Admin - Administrator' ] };
      return callback(null, user, context);
    } else if (user.app_metadata && user.app_metadata.isDepartmentManager && user.app_metadata.department && user.app_metadata.department.length) {
      // Department managers get the User role.
      context.idToken[namespace] = { roles: [ 'Delegated Admin - User' ] };
      return callback(null, user, context);
    }
    // Anyone else is denied access to this application.
    return callback(new UnauthorizedError('You are not allowed to use this application.'));
  }
  // Logins to other applications are unaffected.
  callback(null, user, context);
}
```

The Legacy User Profile flag may not be available to every tenant. The current rule template is only suitable for a tenant that can have the OIDC Conformant flag disabled and the Legacy User Profile enabled.

user.roles will only have that value during the authorization transaction.

Install and configure the extension

Now that we've created and configured an application, a connection, and our users, we can install and configure the extension itself.

  1. On the Management Dashboard, navigate to the Extensions page.
  2. Click on the Delegated Administration box in the list of provided extensions. The Install Extension window will open.

(Screenshot: Install Extension)

  3. Set the following configuration variables:

  • EXTENSION_CLIENT_ID: The Client ID value of the Application you will use. You can find this value on the Settings page of your Application.

  • TITLE (optional): Set a title for your Application. It will be displayed in the header of the page.

  • CUSTOM_CSS (optional): Provide a CSS script to customize the look and feel of your Application.

  • FAVICON_PATH (optional): Path to a custom favicon.

  • AUTH0_CUSTOM_DOMAIN (optional): If you have a custom domain name configured, enter it here (for example: This will change the authorization endpoint to

    NOTE: Setting the AUTH0_CUSTOM_DOMAIN variable does not affect the extension URL; it only changes the "authorization endpoint". When a custom domain is used, users logging into the extension will be navigated to https://AUTH0_CUSTOM_DOMAIN/login instead of the default

  • FEDERATED_LOGOUT (optional): Sign out from the IdP when users log out.

  4. Once done, click Install. Your extension is now ready to use!

If you navigate back to the Applications view, you will see that the extension automatically created an additional application called auth0-delegated-admin.

Because the application is authorized to access the Management API, you shouldn't modify it.

Use the extension

  1. To access your newly created users dashboard, navigate to Extensions > Installed Extensions > Delegated Administration Dashboard. A new tab will open to display the login prompt.

     Because we disabled signups for this Connection during the configuration period, the login screen doesn't display a Sign Up option.

  2. Once you provide valid credentials, you'll be redirected to the Delegated Administration Dashboard.

Session Timeout

By default, token expiration time is 10 hours. However, when using Delegated Administration, Auth0 doesn't save a token to cookies or sessionStorage for security reasons, so you will need to start a new session on each page reload.
