> Compare the Microsoft Azure AD connection types available in Auth0, then pick the one that matches your tenant model and the user attributes.

# Choose a Connection Type for Azure AD

You can connect your Auth0 tenant to Microsoft Azure Active Directory in three ways. Review the options to determine the best approach for your situation.

Auth0 recommends starting with the native Microsoft Azure AD connection. If you need further customization, review the <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> connection configuration. Also, if your organization has additional restrictions on <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> code flows, review the Enterprise OIDC configuration.

The table below illustrates the main differences in these connection types. Review these capabilities to determine the best connection type for your organization.

| Connection Type                                       | “Native” Azure AD             | Enterprise OIDC                                      | SAML            |
| ----------------------------------------------------- | ----------------------------- | ---------------------------------------------------- | --------------- |
| **Protocol**                                          | OAuth authorization code flow | OAuth implicit flow OR OAuth authorization code flow | SAML            |
| **Can receive optional claims from Azure AD?**        | No                            | Yes                                                  | Yes             |
| **Federated logout support (“Single Logout” or SLO)** | Yes                           | No                                                   | Yes             |
| **Receive AD Groups**                                 | Yes, friendly names           | Yes, object IDs                                      | Yes, object IDs |
| **Receive Extended Profile**                          | Yes                           | No                                                   | No              |

## Microsoft Azure AD

The first connection type is the **Microsoft Azure AD** connection in [Auth0 Dashboard > Authentication > Enterprise](https://manage.auth0.com/dashboard/#/connections/enterprise).

This connection type uses the OAuth authorization code flow. The Microsoft Azure AD connection accepts claims from an `id_token` and directly queries the Microsoft Graph API. If configured, the query retrieves groups and additional profile information. The Microsoft Azure AD connection ignores any custom claims included in the `id_token`.

### Connection features and considerations

Because this connection type is the native workflow, it is explicitly compatible with extended AD features. The Azure AD connection maps profile attributes directly to your Auth0 user profiles from the Microsoft Graph API.

The table below compares the Azure AD Graph Attributes across the connection types:

| Graph Attribute     | Auth0 Profile Attribute | Data type | Equivalent optional claim for OIDC or SAML |
| ------------------- | ----------------------- | --------- | ------------------------------------------ |
| `businessPhones`    | `phone`                 | array     | N/A                                        |
| `givenName`         | `given_name`            | string    | `given_name`                               |
| `jobTitle`          | `job_title`             | string    | N/A                                        |
| `mobilePhone`       | `mobile`                | string    | N/A                                        |
| `preferredLanguage` | `preferred_language`    | string    | `xms_pl`                                   |
| `surname`           | `family_name`           | string    | `family_name`                              |
| `userPrincipalName` | `upn`                   | string    | `upn`                                      |

You must [enable permission to query the Microsoft Graph API](/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#add-permissions) to receive the following extended profile attributes:

* `businessPhones`
* `jobTitle`
* `mobilePhone`

### Group Configuration

If you [enable permission to query the Microsoft Graph API](/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#add-permissions), Auth0 automatically retrieves groups for the user and maps them to the `groups` attribute in the Auth0 profile. Auth0 maps the group "friendly names", and you do not need to configure a custom claim because the groups come directly from the Microsoft Graph API.

## SAML

The SAML connection type uses the SAML protocol and supports attribute mapping and all standard SAML features.

### Connection features and considerations

The SAML connection type is the most flexible of the available connection types because it supports optional claims and [federated logouts](https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol). If you need both of these features, SAML is the only connection type that supports both simultaneously.

### Group configuration

For Auth0 to accept group information with the SAML connection type, you must configure your Azure AD with optional attributes in the SAML response. Auth0 then maps the groups to the `group_ids` attribute in the user's Auth0 profile.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The SAML and OIDC connection types use object identifiers rather than friendly names for groups. You may be able to get friendly names into a SAML response if you have imported groups from on-premises AD. To learn more about group claims, visit [the Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims).
</Callout>

## Enterprise OIDC

The Enterprise OpenID Connect (OIDC) connection type can use either the OAuth Implicit or the Authorization Code flow. This connection maps custom claims in the `id_token` to the Auth0 User Profile. To learn more about authentication flows, visit the [Authentication and Authorization Flows documentation](/docs/get-started/authentication-and-authorization-flow).

### Connection features and considerations

If you cannot provide <Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=client+secrets">client secrets</Tooltip> in your login flow due to regulations or privacy protocols, the Implicit Flow offered by the OIDC connection may be the preferred method. If you require custom claims but do not want to configure the additional SAML features, the OIDC connection can reduce complexity.

### Group configuration

For Auth0 to accept group information with the OIDC connection type, you must configure your Azure AD with an optional claim to add `groups` in the `id_token` of your request. Auth0 then maps these groups to the `group_ids` attribute in the user’s Auth0 profile.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The SAML and OIDC connection types use object identifiers rather than friendly names for groups. You may be able to get friendly names into a SAML response if you have imported groups from on-premises AD. To learn more about group claims, visit [the Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims).
</Callout>
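The following added example (not Auth0's code) shows how the attribute mapping table and the three group configuration sections above play out in the resulting Auth0 profile: the native connection yields Graph attributes plus friendly group names under `groups` (extended attributes only when Graph permission is granted), while OIDC and SAML yield only optional claims plus group object IDs under `group_ids`. The sample Graph user and claims are constructed, and reading the friendly name from the Graph group's `displayName` field is an assumption.

```python
# Added example: normalise Azure AD identity data into Auth0 profile attributes.

# Graph attribute -> Auth0 profile attribute (from the mapping table on this page).
GRAPH_TO_AUTH0 = {
    "businessPhones": "phone", "givenName": "given_name", "jobTitle": "job_title",
    "mobilePhone": "mobile", "preferredLanguage": "preferred_language",
    "surname": "family_name", "userPrincipalName": "upn",
}
# Extended profile attributes that require permission to query the Graph API.
EXTENDED = {"businessPhones", "jobTitle", "mobilePhone"}
# Equivalent optional claim (OIDC id_token or SAML attribute) -> Auth0 attribute.
CLAIM_TO_AUTH0 = {"given_name": "given_name", "family_name": "family_name",
                  "upn": "upn", "xms_pl": "preferred_language"}

def profile_from_graph(user, groups, graph_permission):
    """Native connection: Graph user object + group objects -> Auth0 profile.
    Groups arrive as friendly names in `groups`; extended attributes and groups
    are only available when Graph API permission has been granted."""
    profile = {}
    for graph_attr, auth0_attr in GRAPH_TO_AUTH0.items():
        if graph_attr in EXTENDED and not graph_permission:
            continue  # Auth0 cannot read these without Graph permission
        if graph_attr in user:
            profile[auth0_attr] = user[graph_attr]
    if graph_permission:
        # Assumption: the friendly name is the group's Graph `displayName`.
        profile["groups"] = [g["displayName"] for g in groups]
    return profile

def profile_from_claims(claims):
    """OIDC id_token claims or SAML attribute statement -> Auth0 profile.
    Only the optional claims map; a `groups` claim carries object IDs and
    lands in `group_ids`, never in `groups`."""
    profile = {a: claims[c] for c, a in CLAIM_TO_AUTH0.items() if c in claims}
    if "groups" in claims:
        profile["group_ids"] = list(claims["groups"])
    return profile

# Constructed sample data for a stand-alone run.
SAMPLE_USER = {"givenName": "Ada", "surname": "Lovelace", "jobTitle": "Engineer",
               "userPrincipalName": "ada@example.com", "preferredLanguage": "en-GB",
               "businessPhones": ["+1 555 0100"]}
SAMPLE_GROUPS = [{"id": "11111111-2222-3333-4444-555555555555", "displayName": "Engineering"}]
SAMPLE_CLAIMS = {"given_name": "Ada", "family_name": "Lovelace", "upn": "ada@example.com",
                 "xms_pl": "en-GB", "groups": ["11111111-2222-3333-4444-555555555555"]}

if __name__ == "__main__":
    print(profile_from_graph(SAMPLE_USER, SAMPLE_GROUPS, graph_permission=True))
    print(profile_from_claims(SAMPLE_CLAIMS))
```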

## Learn more

* [Connect Your App to Microsoft Azure Active Directory](/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2)
