
Integrating Auth0 With Azure Active Directory



Integrating Auth0’s OAuth mechanism with Azure Active Directory can be a little bit tricky! The Auth0 integration documentation available on Auth0’s Azure Active Directory page doesn’t completely cover all the steps you need to take, so we’re presenting a more complete guide here. There are several core tasks, each of which is then broken down into steps:

  1. Configure App In Azure AD
  2. Create The Client Secret In Azure AD
  3. Configure API Permissions
  4. Create And Configure Auth0 Application
  5. Create Enterprise Connection In Auth0
  6. Enable Enterprise Connection For Application
  7. Testing
  8. Optional Azure AD Permissions

There is also an appendix of handy information at the end, covering the raw OAuth endpoints and requests behind each step.


Task 1: Configure App In Azure AD

You can find some help on this in the official Microsoft documentation.

The key steps are:

  1. Navigate to Azure AD in the Azure Portal.
  2. Click the “App Registrations” button in the side menu.
  3. In Azure AD App Registrations, create a new App Registration.
  4. You should now see the App Registration screen.
  5. Enter the name for your application (you can change this later if you get it wrong).
  6. Select “Accounts in this organizational directory only” (multi-tenant is beyond the scope of this article).
  7. Configure the redirect URI by selecting “Web” and entering the callback URL https://{your-auth0-tenant}.auth0.com/login/callback (replace {your-auth0-tenant} with your Auth0 tenant name; if your tenant is in a non-US region or uses a custom domain, use that host instead, e.g. {your-auth0-tenant}.eu.auth0.com). Azure AD will only redirect to a URI listed here, so it must match what Auth0 sends exactly, including scheme and path.
  8. Click “Register”.
  9. You should now see the newly created app Overview screen.
  10. IMPORTANT!! Copy the Application (client) ID from the overview screen of your newly created app registration, we’ll need this later.



Task 2: Create The Client Secret In Azure AD

If you need some help on this, take a look at the official Microsoft documentation for this task.

The key steps are:

  1. Select the “Certificates & secrets” area from the App registration side menu.
  2. Click the “New client secret” button in the “Client secrets” section.
  3. In the client secret dialog enter the description “Auth0”.
  4. Select an expiry. The Azure portal no longer offers “Never”; the longest lifetime allowed is 24 months, and Microsoft recommends 6 months or less.

NOTE: Record the expiry date somewhere you will see it. Before it is reached you must create a new client secret and paste it into the Auth0 enterprise connection (Task 5); once the old secret expires, every Azure AD login through Auth0 fails.

  5. Click the “Add” button.
  6. You should now see the new client secret listed in the “Client secrets” section.
  7. Copy the generated client secret from the “Value” column and keep it in a safe place (a secrets manager, not a ticket or chat message). The value is shown only once; if you lose it you must create a new secret. You will need it in Task 5.



Task 3: Configure API Permissions

To find more help on this task take a look at the official Microsoft documentation.

We need to give the app registration access to the Microsoft Graph API so that Auth0 can read basic profile and directory information for the user who signs in (some of which is copied into the Auth0 user profile on each login). This is done with delegated permissions: User.Read lets the app read the signed-in user’s own profile, and Directory.Read.All lets it read directory data such as group membership and extended attributes. Delegated permissions act on behalf of the signed-in user, so the app can never read more than that user could; note that delegated Directory.Read.All is an admin-consent-only permission, which matters in step 11 below and in Task 8.

The key steps are:

  1. Start on your App registration overview screen.
  2. Click the “View API permissions” button.
  3. You should now see the API permissions screen.
  4. The “Delegated” permission User.Read is normally present by default. If it is not, repeat the steps below for User.Read as well as for Directory.Read.All.
  5. Click “Add a permission”.
  6. In the “Request API permissions” dialog select “Microsoft Graph”.
  7. Select “Delegated permissions”.
  8. In the search field under the “Select permissions” heading enter ‘Directory.Read.All’.
  9. Tick the checkbox next to the “Directory.Read.All” permission.
  10. Click the “Add permissions” button.
  11. Click the “Grant admin consent for YOUR_AZURE_AD_DOMAIN” button. Delegated Directory.Read.All is marked “Admin consent required”, so ordinary users cannot consent to it themselves; until an administrator grants consent here (or via Task 8), a non-admin user will be stopped at sign-in with a “Need admin approval” prompt. Granting admin consent also removes the per-user consent screen for User.Read.



Task 4: Create And Configure Auth0 Application

For this task, you need to be logged in to your Auth0 tenant control panel. We’re assuming here that you are creating a mobile App that needs access to a web-based API (e.g. a REST API).

The key steps are:

  1. Open the Applications page.
  2. Click the “Create Application” button.
  3. On the Create Application page enter your application Name.
  4. Select the “Native” application type. A Native application is a public client: it holds no client secret, and Auth0 requires PKCE for it, which is why the Auth0 login URL in the Appendix carries code_challenge parameters.
  5. Click the Create button. You should be redirected to the newly created application’s settings.
  6. Scroll down to the “Application URIs” section. In the “Allowed Callback URLs” field enter the URL(s) at which your own application receives the redirect after Auth0 completes the login (for a native app typically a custom-scheme URI, e.g. com.example.app://callback). Do not enter Auth0’s own https://{your-auth0-tenant}.auth0.com/login/callback here: that URL is where Azure AD sends the user back to Auth0, and it belongs in the Azure AD app registration from Task 1. Auth0 rejects any redirect_uri that is not listed in this field exactly.
  7. Now we need to check the application grant types. Scroll to the bottom of the page and click the “Show Advanced Settings” link, then open the “Grant Types” tab.
  8. The required grant types are “Authorization Code” and “Refresh Token”; both are selected by default for a Native application. Untick any grant type your app does not need (such as Implicit), since each enabled grant is an additional way to obtain tokens for this client.
  9. Click the “Save Changes” button to save the configuration.



Task 5: Create Enterprise Connection In Auth0

You can find some help on this in the official Auth0 documentation via their website.

The key steps are:

  1. Open Connections > Enterprise.
  2. Click the + button next to Azure AD.
  3. You should see the New Azure AD connection screen.
  4. Enter connection name (Needs to be unique).
  5. Get your MS Azure AD domain from the Azure AD overview screen in the Azure Portal (e.g. mycompany.com).
  6. Enter the domain in the Microsoft Azure AD Domain field.
  7. Enter your Azure AD app registration Client Id (copied from the overview screen in Task 1) and Client Secret (copied from the “Value” column in Task 2).
  8. Leave everything else as default.
  9. Click the ‘Create’ button.



Task 6: Enable Enterprise Connection For Application

Some help on this can be found in the official Auth0 documentation.

The key steps are:

  1. If you have just created the Enterprise Connection you should be looking at the connection already. If not navigate to Connections > Enterprise > Microsoft Azure AD > Your_Enterprise_Connection.
  2. Click the ‘Applications’ tab below the main heading.
  3. Find your App in the list of Apps and enable the toggle next to it.



Task 7: Testing

Some help on this can be found in the official Auth0 documentation.

The key steps are:

  1. Open Connections > Enterprise > Microsoft Azure AD.
  2. Click the try button.
  3. You should be redirected to the Azure AD login screen
  4. Login.
  5. Accept the permissions request (may not be shown depending on Azure AD config for granting permissions – See Azure AD Permissions section below).
  6. If successful you should see the “It Works!” message together with the user profile Auth0 received from Azure AD. Check that the attributes you expect (name, email, and any directory data you added Directory.Read.All for) are present; a login that succeeds but returns an empty profile usually means consent or permissions are wrong, not the credentials.
  7. An authorization code should be included in the URL. A code obtained from a real login by your application can be exchanged at the Auth0 token endpoint (https://{your-auth0-tenant}.auth0.com/oauth/token) for an ID token and access token; for the Native application from Task 4 that exchange requires the PKCE code_verifier rather than a client secret (see the Appendix).



Task 8: Optional Azure AD Permissions

If admin consent was not granted in Task 3, a non-admin user signing in through Auth0 will be stopped at Azure AD with a “Need admin approval” prompt, because delegated Directory.Read.All cannot be consented by ordinary users. There are two ways to deal with this:

Option 1: Admin Consent

  1. Open Azure AD.
  2. Open the App Registration.
  3. Open API Permissions.
  4. Click the “Grant admin consent for Your Domain” button. This records consent tenant-wide, once, for every user.

Option 2: Manual Assignment

  1. Open Azure AD.
  2. Navigate to Enterprise Applications.
  3. Select the application from the list (an enterprise application, i.e. the service principal, is created alongside the app registration and carries the same name).
  4. Click “Users and groups”.
  5. Add the user (or a group) to the application here. If “Assignment required?” is set to Yes under the enterprise application’s Properties, only users and groups assigned here can sign in at all; that is the setting to use when access through Auth0 should be limited to a known population rather than the whole directory.



Appendix

This is some information that you will find useful when completing Azure Active Directory and Auth0 integration.

Azure AD OpenID Connect configuration

Your tenant’s OpenID Connect discovery document, which lists the issuer, the authorization and token endpoints, and the JWKS URI whose keys verify tokens issued by Azure AD, is published at:

https://login.microsoftonline.com/{your-tenant-id}/v2.0/.well-known/openid-configuration

Protocol reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

Azure AD Login URL

If you want to sign in directly against your Azure AD app registration, to validate that it is configured to allow sign-in for your Azure AD user before Auth0 is involved, use the following URL. The scope values are the delegated permissions from Task 3; state should be a random, unguessable value generated per request (the constant 12345 is for illustration only) and must be compared against the value that comes back on the redirect.

```
https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/authorize?
  client_id=your-app-registration-client-id
  &response_type=code
  &redirect_uri=your-app-registration-callback-url
  &response_mode=query
  &scope=offline_access%20user.read%20directory.read.all
  &state=12345
```

After logging in, the redirect back to your callback URL carries the authorization code (and the state you sent) in the query string. You can exchange the code at the Azure AD token endpoint, for example from Postman, with a form-encoded POST:

```
POST https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=your-app-registration-client-id
&code=your-authorization-code
&redirect_uri=your-app-registration-redirect-uri
&grant_type=authorization_code
&client_secret=your-app-registration-client-secret
```

The response contains an access token (a JWT) for Microsoft Graph and, because offline_access was requested, a refresh token. The redirect_uri must be identical to the one used in the authorize request, and the authorization code is single-use and short-lived, so a failed exchange means starting the login again.

Auth0 Login URL

To log in via Auth0 (Universal Login) send the user to your tenant’s /authorize endpoint. For the Native application created in Task 4 the request must carry PKCE parameters. The connection parameter is optional: it skips the Auth0 login page and routes the user straight to the Azure AD enterprise connection from Task 5.

```
https://{your-auth0-tenant}.auth0.com/authorize?
  client_id=your-auth0-app-clientId
  &response_type=code
  &audience=your-audience
  &scope=openid%20profile%20offline_access
  &redirect_uri=your-auth0-app-allowed-callback-url
  &state=some-random-string
  &code_challenge_method=S256
  &code_challenge=your-code-challenge
  &connection=your-azure-ad-connection-name
```

The redirect_uri must exactly match an entry in the application’s Allowed Callback URLs (Task 4). The returned code is exchanged at https://{your-auth0-tenant}.auth0.com/oauth/token with grant_type=authorization_code, the code, the same redirect_uri and the code_verifier from which code_challenge was derived; no client secret is sent for a Native application. Reference: https://auth0.com/docs/universal-login
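The two login URLs above and the Azure AD token exchange are easy to get subtly wrong by hand (a constant state, a code_challenge that does not match its verifier, a redirect_uri that differs between the two requests). The following added example, written for this guide and not part of the original article or of Auth0’s or Microsoft’s SDKs, builds both authorize URLs with a fresh random state and a PKCE pair, checks the state on the callback before accepting a code, and assembles the token request for either the confidential Azure AD app (client_secret) or the Auth0 Native app (code_verifier). It uses only the Python standard library and runs offline; every hostname, client ID, audience and callback URL in it is a placeholder, and the callback URL it parses in the walk-through is constructed, not a real response.

```python
"""Offline helpers for the authorization-code flows in the Appendix: build the
Azure AD / Auth0 /authorize URL with random state and a PKCE pair, check state
on the callback, and assemble the token request. Standard library only.
All identifiers below are placeholders, not values from the article."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse


def _b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce_pair(verifier, challenge):
    """The check the token endpoint performs when it receives code_verifier."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def make_state():
    """Unguessable per-request state; keep it with the session, compare on return."""
    return secrets.token_urlsafe(16)


def build_azure_authorize_url(tenant_id, client_id, redirect_uri, state):
    """Azure AD v2.0 authorize URL with the delegated scopes from Task 3."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "offline_access user.read directory.read.all",
        "state": state,
    }
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
    return base + urlencode(params, quote_via=quote)  # %20 for spaces, as in the Appendix


def build_auth0_authorize_url(auth0_domain, client_id, audience, redirect_uri,
                              state, code_challenge, connection=None):
    """Auth0 authorize URL for a Native app: PKCE, no client secret."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "audience": audience,
        "scope": "openid profile offline_access",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    if connection:  # optional: go straight to the Azure AD enterprise connection
        params["connection"] = connection
    return f"https://{auth0_domain}/authorize?" + urlencode(params, quote_via=quote)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code; fail closed on an error or a state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {qs['error'][0]}: {desc}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback, refusing the code")
    return qs["code"][0]


def build_token_request(token_url, client_id, code, redirect_uri,
                        client_secret=None, code_verifier=None):
    """Return (url, headers, form body) for the authorization_code exchange.
    Azure AD (confidential app from Tasks 1 and 2) authenticates with client_secret;
    the Auth0 Native app proves possession with code_verifier instead."""
    if (client_secret is None) == (code_verifier is None):
        raise ValueError("supply exactly one of client_secret or code_verifier")
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}  # same redirect_uri as /authorize
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["code_verifier"] = code_verifier
    return token_url, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(body)


if __name__ == "__main__":
    # Walk-through with placeholder identifiers and a constructed callback URL.
    state = make_state()
    verifier, challenge = make_pkce_pair()
    print(build_auth0_authorize_url("your-tenant.auth0.com", "your-auth0-client-id",
                                    "https://api.example.com", "com.example.app://callback",
                                    state, challenge, connection="azure-ad"))
    code = parse_callback(f"com.example.app://callback?code=abc123&state={state}", state)
    print(build_token_request("https://your-tenant.auth0.com/oauth/token", "your-auth0-client-id",
                              code, "com.example.app://callback", code_verifier=verifier))
```

Store state and code_verifier with the user’s session between the two requests; a callback whose state is unknown or already used should be dropped rather than retried. The returned (url, headers, body) triple is what you hand to urllib or requests; the token exchange itself is a network call and is deliberately left out so the helpers can be exercised offline.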

MS Graph Admin Consent Request

This may be useful if you plan to use the admin consent workflow, where an administrator grants the application access to users’ MS Graph profiles once, instead of each user being asked to consent when they log in. Using the v1.0 endpoint (note that redirect_uri is the app registration’s redirect URI, not its client ID):

```
https://login.microsoftonline.com/your-tenant-id/oauth2/authorize?
  client_id=your-app-registration-client-id
  &response_type=code
  &redirect_uri=your-app-registration-redirect-uri
  &resource=https://graph.microsoft.com
  &prompt=admin_consent
```

The v2.0 equivalent is the dedicated admin consent endpoint, https://login.microsoftonline.com/your-tenant-id/v2.0/adminconsent, which takes client_id, redirect_uri and a scope parameter (e.g. https://graph.microsoft.com/.default). In either form the account that signs in must be a directory administrator, otherwise no consent is recorded.
