How to configure Auth0 to authenticate with other companies Azure Active Directory?

Question

I have Auth0 configured with Social Connections > Microsoft Account.

This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:

Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.

When I log in through my app, I can authenticate successfully using my personal account eg. [email protected]

However, when I try to authenticate with my work account [email protected], which is managed with an Azure Active Directory, it fails with

"That Microsoft account doesn’t exist. Enter a different account or get a new one.":

I thought given the Microsoft settings it would allow it connect.

1. How can I make Auth0 allow Microsoft authentication with other company's existing Azure Active Directory?

2. Also - can I configure it to limit that feature to specific companies AAD eg. those I have specifically nominated?

3. Is there a way to configure this without having to upgrade to Auth0 Enterprise?

Answer 1

Assuming you want to use multi-tenant app to allow users from different company to sign in your application with their work account. Let's assume you create an Azure AD application in your tenant(tenantA).

Then in your app, you may set the TenantId as the tenant id so that even you created a multi-tenant app, you will only allow users in your tenant to sign in. And the sign in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?, with this link, you will be able to use account like [email protected] to sign in, you can also use personal account which is invites to tenantA as a guest to sign in your account.

If you want users in tenantB to sign in your app with account like [email protected], then you must set the TenantId in your app as common which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?

Then when sign in the application created by tenantA with account in tenantB, you may see screenshot below. After consenting it, [email protected] can sign in this application.

Answer 2

I tried to reproduce the same in my environment and got the results like below:

I created an Azure AD Application:

Note that: Make sure to use common endpoint for Multi-Tenant and Microsoft accounts.

For sample I used the below endpoint to authorize the users:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize? 
client_id=ClientID
&response_type=code  
&redirect_uri=RedirectURI
&response_mode=query  
&scope=https://graph.microsoft.com/.default
&state=12345

When I tried to sign-in with the personal account, the user logged in successfully like below:

And now I tried to login with other tenant user like below:

By using common endpoint, I am able to sign with personal accounts and other tenant accounts too successfully.

To limit the feature to specific companies AAD, check this blog.

• Auth0 Enterprise is required to authorize tenants to the Azure AD Application.

For more in detail, refer below MsDocs:

Use tenant restrictions to manage access to SaaS apps - Microsoft Entra

Multi-tenant application with a whitelist on tenants authorized by Marshaljs

Answer 3

You need to use Enterprise Connections for Microsoft work accounts. Social Connections provided by Auth0 can only allow Microsoft personal accounts, not Microsoft work accounts.

If you don't upgrade to Auth0 Enterprise, you can only configure up to 3 Enterprise Connections.