Skip to main content
Auth0 supports importing users from Azure using the Azure AD ROPC flow in Auth0’s Custom DB login scripts.
  1. Create a public client app registration in your app’s respective tenants or directories as a public client, then securely store the client IDs and Client Secrets provided for the API calls.
  2. When asked who can use this application or access this api, choose Accounts in any organizational directory.
  3. In the Microsoft Graph section, grant permissions to Directory.Read.All and User.Read.
  4. If your app is B2C, set up a resource owner password credentials flow in Azure Active Directory B2C.
You can now use the ROPC flow. The following snippets are call examples.
Azure AD Login Script Template:
function login(email, password, callback) {
      const axios = require('axios').default;
      const qs = require('qs');
    	const jwtDecode = require('jwt-decode').default;

       const data = { 'client_id': {{YOUR_AZURE_APP_CLIENT_ID}},
             'scope': 'user.read openid profile offline_access',
             'username': email,
             'password': password,
             'grant_type': 'password',
             'client_secret': {{YOUR_AZURE_APP_CLIENT_SECRET}}
             };
const options = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  data: qs.stringify(data),
  url: 'https://login.microsoftonline.com/{{AZURE_TENANT_ID}}/oauth2/v2.0/token',
};

axios(options).then(
	response => {
  // in a production setting it would be best to validate this JWT fully before reading claims
  const claims = jwtDecode(response.data.id_token);

  if (response.statusCode === 401) return callback();

  callback(null, {
  // this is a simple example of properties that can be mapped back to the auth0 user profile
  // you are free to choose exactly what maps back over based on what data you get from the azure token
  user_id: claims.sub,
  nickname: claims.name,
  email: claims.preferred_username
});

}
      );

    }
B2C Login Script Template:
function login(email, password, callback) {
      const axios = require('axios').default;
      const qs = require('qs');
    	const jwtDecode = require('jwt-decode').default;

       const data = { 'client_id': {{YOUR_B2C_APP_CLIENT_ID}},
             'scope': 'openid {{YOUR_B2C_APP_CLIENT_ID}} offline_access profile',
             'username': email,
             'password': password,
             'grant_type': 'password',
             };
const options = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  data: qs.stringify(data),
  url: 'https://{{TENANT_NAME}}.b2clogin.com/{{TENANT_NAME}}.onmicrosoft.com/{{B2C_POLICY_NAME}}/oauth2/v2.0/token',
};

axios(options).then(
	response => {
  // in a production setting it would be best to validate this JWT fully before reading claims
  const claims = jwtDecode(response.data.access_token);
  if (response.statusCode === 401) return callback();

  callback(null, {
  // this is a simple example of properties that can be mapped back to the auth0 user profile
  // you are free to choose exactly what maps back over based on what data you get from the azure token
  user_id: claims.sub,
  nickname: claims.given_name,
  email: claims.emails[0]
});
}
      );
    }