Role Based Access using Azure AD groups



  1. Tobias

    Hi, I was wondering if user access to certain Intranet WP-Sites based on group membership also works with Office365-Groups instead of security groups? Thanks a lot!

  2. Tobias

    Thanks a lot. We are a school and we would like to implement WordPress Websites to our Office365 environment, since this enables us to use content that was animated with H5P for learning purposes. Our target scenario looks like this:

    1. We would like to use WordPress Multisite, so that every colleague can have his or her own site and subsites
    2. Access to the root directory of all WP sites is only granted if the users (students and teachers) are part of our organization
    3. Optional: It would be supercool if there was also an option for every single site admin to manage access via membership to certain security groups in Azure AD for every single subsite individually

    Is such a scenario feasible? Thanks again for your help!

    • mvan

      Hi Tobias

      I will need a bit of time to reply to your comment and formulate my answer, latest by end of business tomorrow!

      Thank you for your patience!

    • mvan

      Hi Tobias

      We have already been discussing bits and pieces via email and chat, but here is my reply to your question(s). To restrict access to the root directory you’d need to implement some kind of Intranet function, which is precisely what the plugin offers. It does so in two scenarios. One scenario I refer to as Dedicated, in which each subsite has its own plugin-instance and configuration. The other scenario is Shared and all subsites basically share the same plugin and configuration.

      Your “ideal” scenario would be Shared because in that scenario the plugin always adds a new user (who authenticated and thus is part of the organization) to the root site and to the subsite that user is trying to access (because the plugin is capable of automatically creating the user upon successful login and then subsequently adds this user to both sites, namely the current one and the root site).

      But there is a but: In this scenario you cannot differentiate access to individual subsites. Because yes, the plugin is able to manage access via membership to certain security groups in Azure AD as documented here. However, in the Shared this isn’t on a per-subsite basis but rather in general. To enable this per subsite, you’d need to go with the Dedicated scenario. In this case you can configure the plugin on a per-subsite basis and in that case can control access also on a per-subsite basis. You can find the online documentation on how to enable this scenario here.

      The Dedicated also needs an (Azure AD) application id for each subsite. However, you can still (re-)use a single Application registration, but instead you’d need to register for each subsite the specific Redirect URI.

      So in short: Yes, the plugin will support this, but there is a bit of configuration that you’d need to take into account. Depending on the volume of subsites you’d like to create, you should have a look at automating a few of these configuration tasks (I’m happy to discuss this offline).
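
One way to prepare the per-subsite Redirect URIs for a single, re-used app registration, as the reply above suggests automating (an added example, not the plugin's own code and not part of the comment thread). It assumes each subsite's Redirect URI is the subsite home URL with a trailing slash, uses constructed `example.edu` URLs, and only builds the request body for Microsoft Graph's application update; sending it is left to the caller.

```python
import json
from urllib.parse import urlsplit

# Documented Azure AD limit for work/school-account app registrations.
MAX_REDIRECT_URIS = 256

def subsite_redirect_uri(url):
    """Normalise one subsite URL into an exact-match https Redirect URI."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an absolute https URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError(f"credentials in URL: {url!r}")
    # Policy of this example: exact URIs only, no wildcard, query or fragment.
    if "*" in url or parts.query or parts.fragment:
        raise ValueError(f"wildcard, query or fragment not allowed: {url!r}")
    host = parts.hostname  # urlsplit already lower-cases the hostname
    if parts.port:
        host = f"{host}:{parts.port}"
    # Assumption: the Redirect URI is the subsite home URL with a trailing slash.
    return f"https://{host}{parts.path.rstrip('/')}/"

def build_patch_body(existing, subsite_urls):
    """Body for PATCH /v1.0/applications/{object-id}.

    Graph replaces web.redirectUris as a whole, so the URIs that are already
    registered must be merged in or they would be dropped.
    """
    merged, seen = list(existing), set(existing)
    for url in subsite_urls:
        uri = subsite_redirect_uri(url)
        if uri not in seen:
            merged.append(uri)
            seen.add(uri)
    if len(merged) > MAX_REDIRECT_URIS:
        raise ValueError(f"{len(merged)} Redirect URIs exceed the limit of {MAX_REDIRECT_URIS}")
    return {"web": {"redirectUris": merged}}

# Constructed sample data: one URI already registered, three subsite URLs
# of which two differ only in case and trailing slash.
EXISTING = ["https://intranet.example.edu/"]
SUBSITES = [
    "https://intranet.example.edu/teacher-a",
    "https://Intranet.example.edu/teacher-a/",
    "https://intranet.example.edu/teacher-b/",
]

if __name__ == "__main__":
    print(json.dumps(build_patch_body(EXISTING, SUBSITES), indent=2))
```

With many subsites the 256-entry limit becomes the point at which a single registration no longer suffices, which the script reports instead of sending a request that would be rejected.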
