Which Active Directory tenant type to use for Auth0 social login?

Tobias Heldring 11 Reputation points
2022-10-11T11:54:05.363+00:00

Hi!

We have a public consumer application for which we use Auth0 as the identity platform, and through Auth0 we have enabled a couple of social logins, to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can log in.

Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to an Active Directory application and tenant created in Azure.

What I can't seem to find the answer for is which type of tenant we should set up for this: should we use an Azure Active Directory tenant with a multi-tenant application, or should we use an Azure Active Directory (B2C) tenant for this?


2 answers

  1. Tobias Heldring 11 Reputation points
    2022-11-10T12:41:36.523+00:00

    Thank you for your extensive input @Akshay-MSFT !

    I've gathered the following insights, for others finding their way to this question trying to figure out "Which Active Directory tenant type to use for Auth0 social login?"

    Summary

    • Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
    • Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts". See the guide to the different app types here.

    Reflection
    Some things I learned (feel free to comment if I'm mistaken on any of these):

    • Since we wanted to support login with any Microsoft account (multi-tenant + personal), my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts, regardless of how you have set up the app registration in Azure.
    • Auth0 Enterprise connection is the way to go for our case, with an Azure app registration supporting multi-tenant + personal accounts. Also, when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here.
    • The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections, as you likely won't be able to get a satisfying consent screen with a verified publisher. I'm guessing it's just the wrong way of using the B2C tenant, where it's supposed to be used the other way around, with the Azure tenant being the identity platform optionally integrating applications from Auth0, like in the answer from @Akshay-MSFT.
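The "Use common endpoint" setting from the summary above means tokens can come from any Azure AD tenant or from personal accounts, so the issuer has to be checked per token rather than against one fixed string. The following is an added example (not code from the question, the answers, Auth0 or Microsoft) showing the claim checks a relying party behind the common endpoint has to make; it assumes the token's signature has already been verified and that the client ID and claim values are constructed samples.

```python
"""Claim checks for ID tokens issued via the Microsoft identity platform
'common' endpoint. Added example; assumes the JWT signature has already
been verified against the endpoint's JWKS, so only claims are inspected.
"""
import re
from dataclasses import dataclass

# The tid Microsoft places in tokens for personal (consumer) Microsoft accounts
CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
# Issuer template advertised in the common endpoint's OpenID metadata
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample claims (not a real token) for a personal-account login
SAMPLE_PERSONAL_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{CONSUMER_TENANT_ID}/v2.0",
    "aud": "11111111-2222-3333-4444-555555555555",   # sample client id
    "tid": CONSUMER_TENANT_ID,
    "sub": "AAAAAAAAAAAAAAAAAAAAAE_sample_sub",
}


@dataclass
class AccountInfo:
    tenant_id: str
    is_personal: bool
    subject: str


def validate_common_endpoint_claims(claims: dict, client_id: str) -> AccountInfo:
    """Check aud, tid and iss for a token obtained via the common endpoint.

    The issuer is per-tenant, so the template is rendered with the token's
    own tid and must then match iss exactly; a bare 'common' issuer or a
    tid/iss mismatch is rejected.
    """
    if claims.get("aud") != client_id:
        raise ValueError(f"aud {claims.get('aud')!r} does not match client_id")
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.match(tid):
        raise ValueError("missing or malformed tid claim")
    expected_iss = ISSUER_TEMPLATE.replace("{tenantid}", tid)
    if claims.get("iss") != expected_iss:
        raise ValueError(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("missing sub claim")
    # Key the user on tid + sub; email/preferred_username are mutable.
    return AccountInfo(tid, tid == CONSUMER_TENANT_ID, sub)
```

Auth0 performs these checks itself when the connection is configured as in the summary; the function shows what that configuration commits the relying party to accepting.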

  2. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2022-10-12T07:02:31.833+00:00

    Hello @Tobias Heldring ,

    Thanks for posting your query on Microsoft Q&A. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad, Azure AD would support multitenant apps but not social accounts (unless you plan to send an invitation to each user's personal account for Azure AD B2B).


    For Microsoft Social accounts Azure B2C would suit your requirement.

    On Auth0 Admin Console:

    • Create a web application in Auth0
    • Copy the client ID and secret
    • Add a callback URL from your B2C tenant in the given format: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/authresp
    • Copy the "OpenID Configuration" URI from the Advanced Settings.

    On Azure B2C tenant:

    For verifying the publisher on B2C:

    • Please check the custom domain verification in the corresponding Azure AD tenant and similarly ensure that the domain is verified for your application in the Azure AD B2C tenant according to the documentation link below:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-configure-publisher-domain#configure-publisher-domain-using-the-azure-portal

    • Also, do ensure that you have global administrator privileges on the tenant in which your application is registered, and that your user account is a global administrator in that tenant. You should be an 'MPN Admin' or 'Accounts Admin' for your tenant. You can verify that by signing in to the MPN management page below:

    https://partner.microsoft.com/dashboard/account/v3/tenantmanagement

    • Once the above conditions are met, use the Graph API to mark the app as publisher verified by executing the command below with the verified MPN ID. Ensure that you are logging into the Microsoft Graph API with the Global Administrator credentials when executing the command. Also refer to the documentation below for this purpose:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification#making-microsoft-graph-api-calls

    POST /applications//setVerifiedPublisher
    {
        "verifiedPublisherId": "********"
    }

    Once the above actions are done, navigate to Partner Center:

    • Select the Settings gear icon, then Account settings, and then select Tenants.
    • Select Associate Azure AD B2C, and then indicate the tenant you want to associate.
    • Sign in at the prompt as Global admin to the tenant you want to associate, and then select Confirm.

    Upload logo for AD B2C app registration

    Azure B2C does not support a dedicated logo for an application.

    However, you could have company branding defined in the user flow.

    NOTE: Company branding in Azure AD B2C is currently limited to background image, banner logo, and background color customization. The other properties in the company branding pane, for example, Advanced settings, are not supported.

    Company branding is not supported for the standard Sign in and standard Profile editing user flow types.

    Please do let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "UpVote" if the information helped you. This will help us and others in the community as well.

