Auth0 and Azure AD (now Microsoft Entra ID) can be connected so that users authenticated by Azure AD can access applications secured by Auth0.

Here’s a basic setup for connecting Auth0 to Azure AD as an identity provider.

Let’s imagine you have an application, say a customer portal, that you want to protect with Auth0. Your users, however, already have accounts in your organization’s Azure AD. Instead of forcing them to create new accounts, you want to let them log in using their existing Azure AD credentials. Auth0 can act as a facade, trusting Azure AD to do the actual authentication.

Here’s how that looks in practice.

First, in the Auth0 dashboard, navigate to Authentication > Enterprise Connections. Click Create Connection. Choose SAML as the connection type.

Name your connection something descriptive, like AzureAD.

Now, Auth0 needs information from Azure AD. This is where you’ll be toggling between the Auth0 dashboard and your Azure AD portal.

In Azure AD, you’ll need to create an "Enterprise Application" (or "Non-gallery application" if it’s not a pre-configured integration).

  1. Go to Azure Active Directory (or Microsoft Entra ID) -> Enterprise applications -> New application.
  2. Select Create your own application.
  3. Give it a name, e.g., Auth0-SAML-Connection, and choose Integrate any other application you don’t find in the gallery (Non-gallery).
  4. Click Create.

Once the application is created, go to its Single sign-on section and select SAML.

This is where you’ll find the crucial information Auth0 needs:

  • Basic SAML Configuration:
    • Identifier (Entity ID): This uniquely identifies your Auth0 tenant to Azure AD. It will look something like urn:auth0:YOUR_TENANT_DOMAIN. You’ll copy this from Auth0’s SAML configuration page.
    • Reply URL (Assertion Consumer Service URL): This is where Azure AD will send the SAML assertion after successful authentication. It will look like https://YOUR_TENANT_DOMAIN.auth0.com/login/callback. You’ll also copy this from Auth0.

Auth0 provides these values. In your Auth0 dashboard, under the AzureAD SAML connection you created, you’ll see fields for Settings.

  • Settings > Advanced Options > Signing Certificate: You’ll need to download the certificate.
  • Settings > Advanced Options > Metadata: Auth0 provides a metadata URL. This URL contains all the necessary endpoints and certificates Azure AD needs to trust Auth0. It usually looks like https://YOUR_TENANT_DOMAIN.auth0.com/samlp/metadata/YOUR_CONNECTION_ID.
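As an added example (not from the original page and not Auth0's or Microsoft's code), here is a Python script that parses the SAML service-provider metadata document Auth0 publishes at that URL, pulls out the Identifier (Entity ID), Reply URL and signing-certificate fingerprint that get pasted into Azure AD, and then diffs them against what was actually typed into the Azure portal. The metadata XML is a constructed sample: the tenant name and the certificate bytes are placeholders, not a real tenant or key. Fetching the live document (for example with `urllib.request`) and passing its body to `extract_sp_config` is left to the reader.

```python
"""Cross-check the values copied from Auth0's SAML metadata into Azure AD."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for what the Auth0 metadata URL returns. The tenant
# name and the certificate bytes are placeholders, not a real tenant or key.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:auth0:example-tenant">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIBszCCAVwCAQAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHcGxhY2Vob2xkZXI=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth0.com/login/callback"
        index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def extract_sp_config(metadata_xml: str) -> dict:
    """Pull out the fields Azure AD's Basic SAML Configuration asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor (not service-provider metadata)")

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint advertised")
    # Prefer the endpoint flagged isDefault, then the lowest index.
    acs_list.sort(key=lambda a: (a.get("isDefault") != "true", int(a.get("index", "0"))))
    acs = acs_list[0]

    # SHA-256 fingerprint of the DER certificate, so it can be compared by eye.
    cert_el = sp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    fingerprint = None
    if cert_el is not None and cert_el.text:
        der = base64.b64decode("".join(cert_el.text.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    return {
        "entity_id": root.get("entityID"),
        "reply_url": acs.get("Location"),
        "reply_binding": acs.get("Binding"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_format": sp.findtext("md:NameIDFormat", default=None, namespaces=NS),
        "signing_cert_sha256": fingerprint,
    }


def compare_with_azure(sp: dict, azure_identifier: str, azure_reply_url: str) -> list:
    """Return the mismatches between Auth0's metadata and what was typed into Azure AD."""
    problems = []
    if sp["entity_id"] != azure_identifier:
        problems.append(f"Identifier (Entity ID) {azure_identifier!r} != {sp['entity_id']!r}")
    if sp["reply_url"] != azure_reply_url:
        problems.append(f"Reply URL {azure_reply_url!r} != {sp['reply_url']!r}")
    if sp["reply_binding"] != HTTP_POST:
        problems.append(f"Auth0 advertises binding {sp['reply_binding']!r}; Azure AD posts the assertion")
    if not sp["want_assertions_signed"]:
        problems.append("Auth0 does not require signed assertions")
    return problems


if __name__ == "__main__":
    cfg = extract_sp_config(SAMPLE_SP_METADATA)
    for key, value in cfg.items():
        print(f"{key:24} {value}")
    # A trailing slash is the classic copy-paste mistake; the Reply URL must match exactly.
    print(compare_with_azure(cfg, cfg["entity_id"], cfg["reply_url"] + "/"))
```

The comparison is deliberately a byte-for-byte string match: SAML service providers compare Audience and Destination literally, so a stray trailing slash or a different case in the tenant domain is enough to make Azure AD's assertion fail at Auth0 even though both portals "look" configured.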

Back in Azure AD’s SAML-based Single Sign-On configuration for your Auth0-SAML-Connection application:

  1. Basic SAML Configuration: Paste the Identifier (Entity ID) and Reply URL copied from Auth0.
  2. User Attributes & Claims: Ensure that at least the NameID claim is configured. By default, Azure AD often sends the user’s email address as the NameID. This is usually what Auth0 expects to identify the user.
  3. SAML Signing Certificate: Download the Certificate (Base64). You’ll upload this to Auth0.
  4. Set up [Your App Name]: You’ll see Login URL and Logout URL. These are the endpoints Azure AD provides for initiating SAML flows. You’ll need the Login URL for Auth0’s configuration.

Now, back to the Auth0 SAML connection settings:

  • Signing Certificate: Upload the Certificate (Base64) you downloaded from Azure AD.
  • IdP Issuer: This is Azure AD’s Entity ID. You can find this in Azure AD under Set up [Your App Name] -> Azure AD Identifier. It looks like https://sts.windows.net/YOUR_TENANT_ID/.
  • IdP Login URL: This is the Azure AD Login URL. You can find this in Azure AD under Set up [Your App Name] -> Login URL. It looks like https://login.microsoftonline.com/YOUR_TENANT_ID/saml2.
  • IdP Logout URL: Optional, but good for seamless logouts. Find this in Azure AD under Set up [Your App Name] -> Logout URL.

After saving the Auth0 connection, you need to assign users or groups in Azure AD to the Auth0-SAML-Connection enterprise application you created. This tells Azure AD which users are allowed to use this connection to log in.

Finally, on your Auth0 application’s login page, you’ll see the AzureAD connection listed as an option. When a user clicks it, they’ll be redirected to Microsoft’s login page. Upon successful authentication with their Azure AD credentials, they’ll be redirected back to Auth0, which will then log them into your application.

The most surprising truth about this setup is that Auth0 isn’t validating the user’s credentials itself; it’s acting as a trusted intermediary, redirecting the authentication request to Azure AD and then accepting the signed assertion Azure AD returns as proof of identity. That trust rests on Auth0 verifying the assertion’s signature against the Azure AD certificate you uploaded and checking that the assertion was issued by the IdP Issuer you configured, which is why those two values must match exactly.
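To make that trust boundary concrete, here is an added example in Python (not Auth0’s code; Auth0 performs these checks internally) of what a SAML service provider verifies about an Azure AD response before accepting the identity it carries: the Issuer must equal the configured IdP Issuer, the Audience must equal your Entity ID, the Destination and Recipient must equal the Reply URL, the validity window must contain the current time, and a signature element must be present. The cryptographic XML-DSig verification against the uploaded Azure AD certificate is not implemented here; it needs an XML signature library and is the step that gives the other checks their force. The SAML response, the tenant id and the user are constructed placeholders, and the `Signature` element holds dummy text rather than a real signature.

```python
"""Policy checks a SAML service provider applies to an Azure AD response before trusting it."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The three values this setup has you copy between the two portals. Placeholder
# tenant id and domain, not a real tenant.
EXPECTED = {
    "idp_issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "entity_id": "urn:auth0:example-tenant",
    "reply_url": "https://example-tenant.auth0.com/login/callback",
}

# Constructed SAML response in the shape Azure AD posts to the Reply URL. The
# Signature element is a placeholder; real verification needs an XML-DSig library.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://example-tenant.auth0.com/login/callback">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://example-tenant.auth0.com/login/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:auth0:example-tenant</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, with or without fractional seconds."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamp must be UTC (end in 'Z'): {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_response(response_xml: str, expected: dict, now: datetime,
                   skew: timedelta = timedelta(minutes=2)):
    """Return (problems, name_id). An empty problems list means the policy checks passed."""
    problems = []
    root = ET.fromstring(response_xml)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected["reply_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems, None
    a = assertions[0]

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_issuer"]:
        problems.append(f"Issuer {issuer!r} != configured IdP Issuer")
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            problems.append("assertion not yet valid (NotBefore in the future)")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("assertion expired (NotOnOrAfter passed)")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if expected["entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include our Entity ID")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, expected["reply_url"]):
            problems.append(f"Recipient {scd.get('Recipient')!r} != Reply URL")
        if scd.get("NotOnOrAfter") and now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")

    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip() or None
    if name_id is None:
        problems.append("no NameID in Subject")
    return problems, name_id


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, EXPECTED, now))
```

Every check above compares a value from the assertion against one of the three strings you copied between the portals; the signature check then proves the assertion really came from the tenant whose certificate you uploaded. Miss either half and the service provider is trusting a document anyone could have written.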

The next step in managing this integration is configuring attribute mapping to ensure specific user profile information from Azure AD (like department or role) is correctly passed to Auth0 and your application.
