@Tanver-Hasan
Last active December 17, 2020 15:14
Obtain Azure AD access token and refresh token when using Auth0 as service provider and Azure AD as an Identity Provider

There is no standard way to renew identity provider access tokens through Auth0; the mechanism varies for each provider. In the case of Azure AD, you can request a refresh token and use it to renew the access token once it expires. The Auth0 dashboard does not let you include the refresh-token scope when authenticating with Azure AD. However, you can set the scope manually via the Management API and request the additional scope there.


Tanver-Hasan commented Dec 17, 2020

Example curl command: copy the options object from the first API call and include upstream_params.

```bash
# PATCH replaces the whole "options" object, so paste the options returned by
# GET /api/v2/connections/[Connection ID] and add upstream_params to them.
curl --request PATCH 'https://[Auth0 Domain]/api/v2/connections/[Connection ID]' \
  --header 'Authorization: Bearer [Auth0 Management API token]' \
  --header 'Content-Type: application/json' \
  --data '{
    "options": {
        // other params as copied (JSON does not allow comments; replace this line with the copied fields)
        "upstream_params": {
            "scope": {
                "value": "openid profile email offline_access User.Read"
            }
        }
    }
}'
```

Once the user finishes authentication with Azure AD, the user should have an access_token and a refresh token in the identities object.

To obtain the Azure AD access token and refresh token, call the /api/v2/users/{id} endpoint, which returns the identities object.

Then you can use the Azure AD access token to call the Graph API.
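An added Python example (not from the gist) that ties the three steps together offline: merging upstream_params into the options object fetched from the connection, pulling the Azure AD tokens out of the identities array of the user response, and building the refresh request for Azure AD's v2.0 token endpoint. The connection and user JSON are constructed samples with placeholder values; the note that the Management API token needs the read:user_idp_tokens scope to see IdP tokens is Auth0 behaviour, not something the gist states.

```python
import copy
from typing import Optional
from urllib.parse import urlencode

# Constructed sample: abbreviated GET /api/v2/connections/{id} response for an
# Azure AD ("waad") connection. All values are placeholders.
SAMPLE_CONNECTION = {
    "id": "con_PLACEHOLDER",
    "strategy": "waad",
    "options": {"client_id": "client-id-placeholder",
                "tenant_domain": "example.onmicrosoft.com"},
}

# Constructed sample: abbreviated GET /api/v2/users/{id} response after the user
# authenticated with Azure AD. Token values are placeholders, not real tokens.
SAMPLE_USER = {
    "user_id": "waad|user-placeholder",
    "identities": [
        {"provider": "waad", "connection": "azure-ad-placeholder", "isSocial": False,
         "access_token": "ACCESS-TOKEN-PLACEHOLDER",
         "refresh_token": "REFRESH-TOKEN-PLACEHOLDER"},
    ],
}

def build_patch_body(connection: dict, scope: str) -> dict:
    """PATCH replaces the entire 'options' object, so merge upstream_params into
    a copy of the fetched options rather than sending only the new key."""
    options = copy.deepcopy(connection["options"])
    options.setdefault("upstream_params", {})["scope"] = {"value": scope}
    return {"options": options}

def azure_tokens(user: dict) -> Optional[dict]:
    """Return the Azure AD tokens stored on the waad identity, or None.
    The Management API token used for the user lookup must carry the
    read:user_idp_tokens scope, otherwise these fields are omitted."""
    for identity in user.get("identities", []):
        if identity.get("provider") == "waad" and "access_token" in identity:
            return {"access_token": identity["access_token"],
                    "refresh_token": identity.get("refresh_token")}
    return None

def refresh_request(tenant: str, client_id: str, client_secret: str,
                    refresh_token: str, scope: str) -> tuple:
    """URL and form body for renewing the access token at Azure AD's token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token,
                      "scope": scope})
    return url, body
```

The refresh token is a long-lived credential: keep it server-side, never return it to a browser, and treat the Management API token that can read it with the same care.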

@Tanver-Hasan

Remember to allow the Graph API permission in the Azure Portal.

[Screenshot: Azure Portal API permissions, 2020-12-17]