Please note that the following capability is applied each time a user signs in as well as when users are being synchronized in batches.
If you want to turn your WordPress website into a corporate intranet and you would like to control access and WordPress role assignment through Azure AD (security) groups, you can do this with the help of:
- A set of Azure AD group to WordPress role mappings to control the WordPress role assigned to a user when signing into your website.
- Optionally, an Azure AD Groups Whitelist to effectively deny users (who are not members of any whitelisted Azure AD group) access to your website.
A newer version of this documentation is available here https://docs.wpo365.com/article/39-map-between-azure-ad-groups-and-wordpress-roles.
For the plugin to receive all of the user’s Azure AD group memberships, you need to update your Azure AD Application Registration manifest so that the ID token sent by Microsoft includes this information. Please consult the following instruction on how to update the registered application’s manifest.
Launch the WordPress + Office 365 wizard by navigating to WordPress Admin, go to the plugins page and click Configuration. Select the User registration tab and add new role mappings using the control labelled Role mappings. To do so, you first select the WordPress role that you want to create a mapping for from the dropdown list and then enter the Azure AD (security) group ID in the textbox adjacent to the selected WordPress role. Click “+” to add the new mapping to the list.
Just above the Role mappings you can add Azure AD groups to the Azure AD groups whitelist simply by entering the Azure AD group ID in the list and clicking “+” to add it. Just be aware that once you’ve created a whitelist, any user who is not a member of at least one of the whitelisted groups won’t be able to log on. Instead they will be redirected to the default login page with an error stating that the user is not a member of any of the allowed Azure AD groups.
Last but not least, you can define, using the dropdown labelled User role(s) update scenario, whether the user’s new WordPress role assignments, which are re-evaluated each time a user signs into your website, should be added to that user’s existing role assignments or whether the new WordPress role assignments should replace any existing ones. This setting is especially important over time, as Azure AD group memberships and role mappings change.
Please note that you can reference nested Azure AD groups. The ID token received from Microsoft will contain the group IDs of all groups the user is a member of, as well as the group IDs of all groups those groups are members of, and so on. In other words, Microsoft will resolve the nested Azure AD group hierarchy, if any.
Please keep in mind that the plugin will only apply the first mapping that matches. So if a user is a member of multiple Azure AD groups and you have defined a valid mapping to a WordPress role for more than one of these groups, only the first matching mapping will be used to update the WordPress user’s role.
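The following is an added example, not the WPO365 plugin’s own code, that models the sign-in logic described above so the interplay of the three settings can be checked on sample data: the whitelist is evaluated first and denies access when the user is in none of the allowed groups, then the ordered list of mappings is scanned and only the first entry whose group ID appears in the token is applied, and finally the update scenario decides whether that role is added to or replaces the user’s existing WordPress roles. It is written in Python rather than the plugin’s PHP purely to keep it self-contained. All group IDs and token claims are constructed sample values; the assumption that “first mapping” means first in the configured mapping order, and the handling of a token whose `groups` claim is missing (treated as no known memberships, so a whitelist denies rather than silently admits), are choices made here, not documented plugin behaviour.

```python
"""Model of Azure AD group -> WordPress role resolution at sign-in.

Added example (not the WPO365 plugin's code). Group IDs and ID-token claims
used in the usage section are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised when a whitelist is configured and the user matches none of its groups."""


@dataclass
class RoleMapping:
    wp_role: str   # WordPress role, e.g. "editor"
    group_id: str  # Azure AD group object ID this role is mapped from


@dataclass
class Settings:
    # Ordered list; assumption: "first mapping that matches" means first in this order.
    mappings: List[RoleMapping]
    # Empty set means no whitelist is configured (everyone who authenticates may log on).
    whitelist: Set[str] = field(default_factory=set)
    # "replace" drops existing roles in favour of the mapped one; "add" keeps them.
    update_scenario: str = "replace"


def groups_from_id_token(claims: Dict) -> Set[str]:
    """Return the set of Azure AD group IDs carried in the ID token.

    Microsoft resolves nested membership server-side, so this already contains
    the IDs of parent groups. If the token carries no "groups" claim (for
    example because the manifest was not updated), we report no memberships;
    with a whitelist in place that means the user is denied rather than
    being let in by accident.
    """
    return set(claims.get("groups", []))


def resolve_roles(current_roles: List[str], claims: Dict, settings: Settings) -> List[str]:
    """Compute the user's WordPress roles after this sign-in.

    Raises AccessDenied when a whitelist exists and the user is in none of its groups.
    Returns the unchanged role list when no mapping matches.
    """
    groups = groups_from_id_token(claims)

    # 1. Whitelist check: membership in at least one whitelisted group is required.
    if settings.whitelist and not (groups & settings.whitelist):
        raise AccessDenied("user is not a member of any of the allowed Azure AD groups")

    # 2. First matching mapping wins; later mappings for other groups are ignored.
    matched: Optional[str] = next(
        (m.wp_role for m in settings.mappings if m.group_id in groups), None
    )
    if matched is None:
        return list(current_roles)

    # 3. Apply the update scenario.
    if settings.update_scenario == "replace":
        return [matched]
    if matched in current_roles:
        return list(current_roles)
    return list(current_roles) + [matched]


# Constructed sample configuration and token claims for a quick run.
SAMPLE_SETTINGS = Settings(
    mappings=[
        RoleMapping("administrator", "11111111-aaaa-4aaa-aaaa-111111111111"),
        RoleMapping("editor", "22222222-bbbb-4bbb-bbbb-222222222222"),
    ],
    whitelist={"33333333-cccc-4ccc-cccc-333333333333"},
    update_scenario="replace",
)
SAMPLE_CLAIMS = {
    "preferred_username": "sample.user@example.invalid",
    # Token lists editor and admin groups plus the whitelisted "staff" group.
    "groups": [
        "33333333-cccc-4ccc-cccc-333333333333",
        "22222222-bbbb-4bbb-bbbb-222222222222",
        "11111111-aaaa-4aaa-aaaa-111111111111",
    ],
}

if __name__ == "__main__":
    print(resolve_roles(["subscriber"], SAMPLE_CLAIMS, SAMPLE_SETTINGS))
```

Running the block prints `['administrator']`: the user is in both the editor and the administrator group, but the administrator mapping is listed first, so it wins regardless of the order of IDs in the token. Switching `update_scenario` to `"add"` keeps `subscriber` and appends the mapped role, and a token without the whitelisted group raises `AccessDenied`, which corresponds to the redirect to the login page described above.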
Furthermore, you can configure role-based access with the help of the following settings:
| Azure AD to WordPress role mappings | Yes | Yes | Yes |
| Azure AD Groups Whitelist | Yes | Yes | Yes |
| User role(s) update scenario | Yes | Yes | Yes |