Feature description

If you want to control access and WordPress role assignment through Azure AD (security) groups, you can do this with the help of:

  • A set of Azure AD group to WordPress role mappings to control the WordPress role assigned to a user when signing into your website.
  • Optionally, an Azure AD Groups Whitelist to effectively deny users (who are not member of whitelisted Azure AD groups) access to your website.

For further technical details please refer to the Configuration documentation https://docs.wpo365.com/article/39-map-between-azure-ad-groups-and-wordpress-roles.


  1. Hi, I was wondering if user access to certain Intranet WP-Sites based on group membership also works with Office365-Groups instead of security groups? Thanks a lot!

    1. Yes and no (or in German you’d say “Jein”). The Azure AD group membership(s) can be basically part of the ID token sent and you can enable this by manually changing the manifest of the App registration in Azure AD (see https://www.wpo365.com/azure-application-registration/#groupids). Instead “SecurityGroup” you can configure “All” and then you also get O365 Group IDs and Distribution Lists (see https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest). However, I believe that the list of IDs sent may be truncated and the plugin hasn’t implemented any other way to retrieve the list of Group Memberships in any other way e.g. by getting the full list from Microsoft Graph (you could, however, implement this fairly easy using the Pintra Fx integration option, see https://www.wpo365.com/pintra-fx/ – that you can hook up with the login hook).

  2. Thanks a lot. We are a school and we would like to implement WordPress Websites to our Office365 environment, since this enables us to use content that was animated with H5P for learning purposes. Our target scenario looks like this:

    1. We would like to use WordPress Multisite, so that every colleague can have his oder her own site and subsites
    2. Access to the root directory of all WP sites is only granted, if the users (students and teachers) are part of our organization
    3. Optional: It would be supercool, if there was also an option for every single site admin to manage access via membership to certain security groups in Azure AD for every single subsite individually

    Is such a scenario feasible? Thanks again for your help!

    1. Hi Tobias

      I will need a bit of time to reply to your comment and formulate my answer, latest by end of business tomorrow!

      Thank you for your patience!

    2. Hi Tobias

      We have already been discussing bits and pieces via email and chat, but here my reply to your question(s). To restrict access to the root directory you’d need to implement some kind of Intranet function, which is precisely what the plugin offers. It does so in two scenarios. One scenario I refer to as Dedicated, in which each subsite has it’s own plugin-instance and configuration. The other scenario is Shared and all subsites basically share the same plugin and configuration. Your “ideal” scenario would be Shared because in the scenario the plugin always adds a new user (who authenticated and thus is part of the organization) to the root site and to the subsite that user is trying to access (because the plugin is capable of automatically creating the user upon successful login and then subsequently adds this user to both sites, namely the current one and the root site). But there is but: In this scenario you cannot differentiate access to individual subsites. Because yes, the plugin is able to manage access via membership to certain security groups in Azure AD as documented here https://www.wpo365.com/role-based-access-using-azure-ad-groups/. However, in the Shared this isn’t on a per-subsite base but rather in general. To enable this per subsite, you’d need to go with the Dedicated scenario. In this case you can configure the plugin on a per-subsite basis and in that case can control access also on a per-subsite base. You can find the online documentation on how to enable this scenario here https://www.wpo365.com/support-for-wordpress-multisite-networks/. The Dedicated also needs an (Azure AD) application id for each subsite. However, you can still (re-)use a single Application registration, but instead you’d need to register for each subsite the specific Redirect URI. So in short: Yes, the plugin will support this, but there is a bit of configuration that you’d need to take into account. Depending on the volume of subsite you’d like to create, you should have a look at automating a few of these configuration tasks (I’m happy to discuss this offline).

Leave a Reply

Your email address will not be published. Required fields are marked *