Choose a Connection Type for Azure AD
You can connect your Auth0 instance to Microsoft Azure Active Directory in three ways. Review the options to determine the best approach for your situation.
Auth0 recommends starting with the native Microsoft Azure AD connection. If you need further customization, review the SAML connection configuration. Also, if your organization has additional restrictions on OAuth code flows, review the Enterprise OIDC configuration.
The table below illustrates the main differences in these connection types. Review these capabilities to determine the best connection type for your organization.
Connection Type | “Native” Azure AD | Enterprise OIDC | SAML |
---|---|---|---|
Protocol | OAuth authorization code flow | OAuth implicit flow OR OAuth authorization code flow | SAML |
Can receive optional claims from Azure AD? | No | Yes | Yes |
Federated logout support (“Single Logout” or SLO) | Yes | No | Yes |
Receive AD Groups | Yes, friendly names | Yes, object IDs | Yes, object IDs |
Receive Extended Profile | Yes | No | No |
Microsoft Azure AD
The first connection type is the Microsoft Azure AD connection in Auth0 Dashboard > Authentication > Enterprise.
This connection type uses the OAuth authorization code flow. The Microsoft Azure AD connection accepts claims from an id_token and directly queries the Microsoft Graph API. If configured, the query retrieves groups and additional profile information. The Microsoft Azure AD connection ignores any custom claims included in the id_token.
Connection Features and Considerations
Because this connection type is the native workflow, it is explicitly compatible with extended AD features. The Azure AD connection maps profile attributes directly to your Auth0 user profiles from the Microsoft Graph API.
The extended profile option offers three attributes not available in other connection types. You must grant permission to query the Microsoft Graph API to receive the extended profile attributes. The table below compares the Azure AD Graph attributes across the connection types:
Graph Attribute | Auth0 Profile Attribute | Data type | Equivalent optional claim for OIDC or SAML |
---|---|---|---|
businessPhones | phone | array | - |
givenName | given_name | string | given_name |
jobTitle | job_title | string | - |
mobilePhone | mobile | string | - |
preferredLanguage | preferred_language | string | xms_pl |
surname | family_name | string | family_name |
userPrincipalName | upn | string | upn |
Group Configuration
If you enable permission to query the Microsoft Graph API, Auth0 automatically retrieves the user's groups and maps them to the groups attribute in the Auth0 profile. Auth0 maps the group "friendly names"; you do not need to configure a custom claim because the groups come directly from the Microsoft Graph API.
SAML
The SAML connection type uses the SAML protocol and supports attribute mapping and all standard SAML features.
Connection Features and Considerations
The SAML connection type is the most flexible of the available connection types because it supports optional claims and federated logouts. If you need both of these features, SAML is the only connection type that supports both simultaneously.
Group Configuration
For Auth0 to accept group information with the SAML connection type, you must configure your Azure AD with optional attributes in the SAML response. Auth0 then maps the groups to the group_ids attribute in the user's Auth0 profile.
Enterprise OIDC
The Enterprise OpenID Connect (OIDC) connection type can use either the OAuth Implicit Flow or the Authorization Code Flow. This connection maps custom claims in the id_token to the Auth0 user profile. To learn more about authentication flows, visit the Authentication and Authorization Flows documentation.
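When an expected claim does not show up in the Auth0 user profile, the first thing to check is whether Azure AD actually put it in the id_token. The following Node.js snippet is an added example, not code from the Auth0 documentation: it decodes the header and payload of an id_token and reports the claims the connection types above depend on (the optional groups claim, upn and xms_pl). It only decodes; it does not verify the signature, which Auth0 does when it processes the token. The sample token is constructed inline, with an empty signature segment and placeholder tenant and group IDs.

```javascript
// Added example (not Auth0 documentation code): decode an id_token payload to
// see which claims Azure AD emitted. This does NOT verify the signature; use it
// to inspect the claim set, never to make trust decisions.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), "=");
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function decodeIdToken(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) {
    throw new Error("id_token must have three dot-separated segments");
  }
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Summarize the claims that the Azure AD connection types rely on.
function inspectAzureAdClaims(idToken) {
  const { payload } = decodeIdToken(idToken);
  const hasGroupsClaim = Array.isArray(payload.groups);
  return {
    issuer: payload.iss !== undefined ? payload.iss : null,
    upn: payload.upn !== undefined ? payload.upn : null,
    preferredLanguage: payload.xms_pl !== undefined ? payload.xms_pl : null,
    hasGroupsClaim,
    groups: hasGroupsClaim ? payload.groups : [],
  };
}

// Build a constructed, unsigned token (empty signature segment) so the example
// runs offline. Header and payload values are placeholders, not real data.
function buildSampleToken(payload) {
  const header = { alg: "RS256", typ: "JWT" };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Constructed sample: tenant ID and group object ID are placeholders.
const SAMPLE_ID_TOKEN = buildSampleToken({
  iss: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  sub: "constructed-subject",
  upn: "jdoe@example.com",
  xms_pl: "en-US",
  groups: ["11111111-1111-1111-1111-111111111111"],
});

console.log(JSON.stringify(inspectAzureAdClaims(SAMPLE_ID_TOKEN), null, 2));
```

If hasGroupsClaim is false for a token issued by your tenant, the optional groups claim has not been enabled on the Azure AD app registration, and no amount of Auth0-side mapping will populate group_ids.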
Connection Features and Considerations
If regulations or privacy protocols prevent you from providing a client secret in your login flow, the Implicit Flow offered by the OIDC connection may be the preferred method. If you require custom claims but do not want to configure the additional SAML features, the OIDC connection can reduce complexity.
Group Configuration
For Auth0 to accept group information with the OIDC connection type, you must configure your Azure AD with an optional claim that adds groups to the id_token of your request. Auth0 then maps these groups to the group_ids attribute in the user's Auth0 profile.
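The three group configurations above leave an application with two different shapes of group data: friendly names in the groups attribute for the native connection, and object IDs in the group_ids attribute for OIDC and SAML. The following Node.js snippet is an added example, not Auth0's own code, showing a post-login Action that normalizes both into a single, stable representation before issuing tokens. It assumes the Auth0 Actions API (event.user, event.connection.strategy, api.accessToken.setCustomClaim) and the strategy identifiers waad, oidc and samlp for the three connection types; the ID-to-name directory and the namespaced claim names are constructed placeholders.

```javascript
// Added example (not Auth0 documentation code). Normalizes Azure AD group data
// across the three connection types described above:
//   native Azure AD (strategy "waad")  -> user.groups    (friendly names)
//   Enterprise OIDC (strategy "oidc")  -> user.group_ids (object IDs)
//   SAML            (strategy "samlp") -> user.group_ids (object IDs)
// Strategy identifiers and profile attribute locations are assumptions here.

// Constructed directory of group object IDs -> display names. In a real tenant
// this comes from your own configuration; the IDs below are placeholders.
const GROUP_NAME_BY_ID = {
  "11111111-1111-1111-1111-111111111111": "Finance",
  "22222222-2222-2222-2222-222222222222": "Admins",
};

function normalizeGroups(user, strategy, nameById = GROUP_NAME_BY_ID) {
  let ids = [];
  let names = [];
  if (strategy === "waad") {
    // Native connection: friendly names from Microsoft Graph. Resolve the ones
    // we know to object IDs so authorization can key on the stable identifier.
    names = Array.isArray(user.groups) ? user.groups : [];
    const idByName = Object.fromEntries(
      Object.entries(nameById).map(([id, name]) => [name, id])
    );
    ids = names.map((name) => idByName[name]).filter(Boolean);
  } else if (strategy === "oidc" || strategy === "samlp") {
    // OIDC / SAML: object IDs from the optional groups claim or SAML attribute.
    ids = Array.isArray(user.group_ids) ? user.group_ids : [];
    names = ids.map((id) => nameById[id]).filter(Boolean);
  }
  // Deduplicate and sort so the emitted claim is identical across logins.
  return {
    ids: [...new Set(ids)].sort(),
    names: [...new Set(names)].sort(),
  };
}

// Authorize on object IDs, not display names: names can be renamed in the
// directory and are not guaranteed to be unique.
function isMemberOf(normalized, requiredGroupId) {
  return normalized.ids.includes(requiredGroupId);
}

// Action entry point; the Actions runtime invokes exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const normalized = normalizeGroups(event.user, event.connection.strategy);
  // Custom claims are namespaced so they cannot collide with standard claims.
  api.accessToken.setCustomClaim("https://example.com/group_ids", normalized.ids);
  api.accessToken.setCustomClaim("https://example.com/groups", normalized.names);
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Downstream services then read one claim regardless of which Azure AD connection the user came through, and membership checks use isMemberOf with an object ID, which survives group renames.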