Create / update users in Azure from WordPress

Introduction

This article explains the steps needed to create / update users in Azure AD B2C and Entra External ID (Azure AD for Customers) from WordPress using WPO365.

Please note Currently, WPO365 cannot be used to create / update users in a regular Azure AD (workforce) tenant.

About Azure AD B2C

Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. See https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview for details.

About Entra External ID (Azure AD for Customers)

Recently Microsoft has introduced their next generation Customer Identity Access Management platform Microsoft Entra External ID, also known as Azure Active Directory (Azure AD) for Customers. Check out this article if you want to read more about this exciting new platform. Even though this platform is still in preview, it can already be created and configured. WPO365 has already added support for this new platform and implemented many of the features it supports e.g. Single Sign-on and User synchronization for Azure AD B2C for Azure AD for Customers.

What you can expect

When you configure WPO365 to enable users to sign in with Azure, then you also need a solution to create new users in Azure AD B2C / Entra External ID. The benefits of this approach include:

Either platform offers a very strong and highly configurable solution for managing your (website) identities including support for multifactor authentication, password strength, custom branding, configuring a custom login domain, embedding the login experience into your WordPress website, out-of-the-box user flows for sign-up and password reset, custom user attributes and many other features.
Users sign in with Azure and do not know their WordPress password. Instead, the WordPress password is configured by WPO365 and this will help protect you against weak passwords.
Because users sign in with Azure and then return to your WordPress website where WPO365 will handle registration of new users, you do not need to allow anyone to register in WordPress.
Optionally you can configure WPO365 to automatically redirect anyone who tries to access your site's login page to the Microsoft login page instead. Doing so will help protect you against brute-force attacks.

Please note When it comes to Azure AD B2C, you must choose which system handles the initial user registration. WPO365 supports the following two scenarios:

A new user signs up with your Azure AD B2C tenant first, using a sign-up user flow or custom sign-up policy and WPO365 will create a new WordPress user account when the user is redirected back to your site (by Microsoft, after successful sign-up).
A new user registers in WordPress first and WPO365 will create a new Azure AD B2C user account for that user just before the user registration in WordPress is completed.

This article describes the second option where the user registers in WordPress first. If you are interested in the first option then please read Force Azure AD B2C sign-up for WordPress users.

Even though Entra External ID also supports an out-of-the-box sign-up flow, it is not as highly customizable when comparing it with Azure AD B2C. Therefore, it is not recommended to pick the first option when you have configured an Entra External ID tenant.

How it works

If your WordPress website offers features that require users to register – for example when you sell products or online-courses – then WPO365’s solution for Azure AD B2C / Entra External ID can help you create (and update) users in Azure AD B2C / Entra External ID from WordPress. To achieve this, WPO365 will hook into WordPress, just before it creates a new user (by utilizing the wp_pre_insert_user_data filter). It will take the user data and use it to create a new user in AD B2C / Entra External ID using Microsoft Graph. WPO365 will create a new “local” user identity in AD B2C / Entra External ID so that the user will then be able to sign in with his / her email address and a password, when he / she returns to your site in the future.

When WPO365 creates a new user in AD B2C / Entra External ID, it will ignore the username a user has (optionally) entered when he / she registered in WordPress. Instead it will take - by default - the user's email address as the user's WordPress username (see Username preference for alternative configurations).

Password are treated slightly difficult, depending on whether the user registers interactively with your site or whether you are (bulk) sending users to Azure from the default WordPress All Users list. See Password configuration for customers to understand the default behavior and the configuration options available to you.

If you enable WPO365 to create users in AD B2C / Entra External ID from WordPress, then WPO365 can assign a temporary password to the new Azure user (and configure Azure to ensure that the user is forced to change the password on the next sign-in). And whenever WPO365 creates a temporary password, it also will - by default - send an email with the temporary password to the user in question. See Email notifications for customers to understand the default behavior and the configuration options available to your.

Last but not least, you probably want to avoid that users try and sign into WordPress using their local WordPress account. Therefore it is recommended to ensure that the following configurations are in place:

To avoid any confusion, you therefore would like to force the user to always sign in using Azure AD B2C. With WPO365 this can achieved by enabling Azure AD B2C based Single Sign-on for the default (or custom) login page. If enabled, visitors that navigate to the site's login page, will always be redirected to the Azure AD B2C login page instead. Administrators, however, can (and should) store a secret that - if added to the site's login page URL - allows them to bypass the auto-redirection. This way, administrators can still sign into the site using a local WordPress (administrator) account when needed.
Don't allow users to change their WordPress password.
Optionally, you may also want to prevent users to change their WordPress email. However, WPO365 is able to deal with user email addresses being updated. If this happens, and if you activated the option to update users in Azure, then WPO365 will update the corresponding user's identity in Azure. This will ensure that the existing user can sign into Azure with the updated email address.

Please note WPO365 also supports the following scenarios:

Force Azure AD B2C sign-up for WordPress users Read more
On-demand Bulk-create new users in Azure AD B2C from the default WordPress user list, by clicking the WPO365 button Send to Azure. (see
Scheduled / on-demand full synchronization of (all) existing users from WordPress to Azure AD B2C Read more

Before you start

You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
You have configured Azure AD B2C based Single Sign-on (see Azure AD B2C based Single Sign-on).
In order to support the advanced Azure AD B2C scenarios in this article, you must have purchased the WPO365 | CUSTOMERS addon.
You are a Global Administrator for your company’s Microsoft 365 tenant / Azure AD B2C directory (or you have at least obtained approval for your plans from your company's Global Administrator ).
You are an Administrator for your WordPress website.
Your website uses SSL and the internet address starts with https://.

Setting up Azure AD B2C

The steps to configure Azure AD B2C are beyond the scope of the WPO365 documentation. Please refer to this article for an overview of the steps needed to configure your Azure AD B2C tenant and how to register your WordPress website as an application with Azure AD B2C, to enable scenarios such as single sign-on, (bulk) creating and updating users and user synchronization.

Important In Azure AD B2C, on your sign-in (or sign-in and sign-up) User Flow, you must check the option for Forced password reset (User Flows > User Flow > Overview > Password configuration) or else users aren't forced to reset their temporary password. If you plan for users to enter their own password, then it still makes sense to check this option, in case you - as an admin - would be sending a user to Azure manually (or using WPO365 User synchronization).

Also, ensure that you checked the option for Email signup on the User Flow's Identity providers page.

Setting up Entra External ID

The steps to configure Entra External ID (Azure AD for Customers) are beyond the scope of the WPO365 documentation. Please refer to this article for an overview of the steps needed to configure your Entra External ID tenant and how to register your WordPress website as an application with Entra External ID, to enable scenarios such as single sign-on, (bulk) creating and updating users and user synchronization.

Tip Entra External ID supports the One Time Passcode Identity Provider for User Flows.

When configured, users are asked to enter their email address when they sign in and Microsoft will send them a code via email. The advantage of this IdP is, that it automatically means that the email address becomes verified. Plus users don't need to remember yet another password.

App registration

In this step you will update the permissions that you assigned to the registered web application in the previous step.

Sign in to Azure Portal with an account with sufficient privileges.
Most likely, you have been logged in to the default "home" tenant and must now switch the directory. To do so, hover over your profile picture in the upper corner of the Azure Portal page and from the context menu that now appears, click the Switch directory link.
Click the Switch button for your Azure AD B2C tenant.

After you switched to your Azure AD B2C tenant, proceed to your Azure AD B2C resource.

From the Azure AD B2C resource menu, select App registrations and look up the entry that you created previously when you registered the WordPress website (for Single Sign-on).
Open the App registration's API Permissions page.

Most likely, you have already configured the delegated type of permissions for openid and offline_access and also granted admin consent for these two permissions. For WPO365 to be able to create new users in Azure AD B2C, it needs an additional permission.

Click + Add a permissionon.
Select Microsoft Graph > Application permissions > User.ReadWrite.All and add that permission.
Also add the application permission for User.Read.All, or else WPO365 will fail to check if the current user already exists
Don't forget to again click Grant admin consent for ...

Important Make sure to select application type permissions instead of delegated permissions.

Also, if the link Grant admin consent for ... appears to be grayed out, it means that you have not sufficient privileges. In that case you should ask the Global Administrator for the tenant in question to click the link on your behalf.

Plugin configuration

To configure WPO365 to create new users in Azure AD B2C each time a new user is registered in WordPress, you must complete the following steps.

Go to WP Admin > WPO365 > User registration. Because you have already configured Azure AD B2C based Single Sign-on, you will see a section for New User Experience AAD B2C / Entra External ID (AAD for Customers).
In this section, check the option to Create users in Azure from WordPress and optionally Update users in Azure from WordPress.
Configure the remaining options to match your requirements. You can click the small information icon for a better understanding of each configuration option available to your.

That's all. Now WordPress will try and create a new Azure AD B2C user, each time a new WordPress user is registering.

Test creating / updating users in Azure AD B2C / Entra External ID

Please note As soon as you enable the option to Create users in Azure from WordPress, WPO365 will provide you with two more options to create users in Azure AD B2C:

Create a single new user in Azure AD B2C from the default WordPress user list, by clicking the newly added button to Send to Azure.
Bulk-create one or more new users in Azure AD B2C from the default WordPress All Users list, by selecting the newly added WPO365 bulk action to Send to Azure.

Please note WPO365 will always, before it sends a (WordPress) user to Azure, check to see if that user already exists in Azure. If a user already exists, WPO365 will instead try and update the user (but only if you enabled that option).

Mapping (custom) claims to WordPress usermeta and vice versa

By default, WPO365 will create a new user in Azure from WordPress using a minimal set of user attributes:

Email address
Display name
First name
Last name

If you are collecting additional user attributes in Azure AD B2C, for example when a user signs-up, you can define so-called (custom) user attributes in Azure AD B2C and map those to (custom) claims that Microsoft sends to the site whenever a user successfully registers or signs in. You can then configure WPO365 to process those claims and save them as WordPress usermeta. Vice versa, you can update those (custom) user attributes in Azure AD B2C from WordPress usermeta, whenever you create or update a WordPress user.

Whenever you enable the option to Create users in Azure from WordPress, a new list for WordPress user (meta) to Azure AD (B2C) user attributes mappings, appears on the plugin's User sync page. This list, together with the list for ID token claims to WordPress user meta mappings allows you to update user fields in both systems in both directions.

In this example, the ID token has been selected as the Source for custom user fields. This is the default and recommend configuration for Azure AD B2C. In the list immediately below that, ID token claims are mapped to WordPress usermeta. In this example, WPO365 will look for a custom claim in the ID token with the name mobilePhone. When found, it will store the value of that claim as usermeta in WordPress, using the usermeta key azMobilePhone. The name of the key is up to you. Last but not least, if you checked the option to Show Azure AD user attributes in a WordPress user profile, then the value of the mobilePhone claim will be shown on a user's WordPress profile page, in a new section at the bottom of the page, with Mobile as the label. Again, the label is up to you. This is to retrieve (custom) user attributes from Azure AD B2C and store those in WordPress as usermeta.

To send (custom) user attributes from WordPress to Azure AD B2C, you must configure a similar mapping. First you must select where WPO365 should look for the attribute's value i.e. the attribute's source. This can be a WordPress user attribute or usermeta. So if users are able to update their mobile number in WordPress, then you select usermeta and enter the name of usermeta key e.g. azMobilePhone. And finally you enter the name of the property that the attribute's value should be send to e.g. mobilePhone.

This example shows, how you can retrieve a user's mobile number for Azure AD B2C, allow for it to be updated by the user in WordPress and send the updated number back to Azure AD B2C (assuming that you have enabled the option to Update users in Azure from WordPress on the plugin's User registration page).

Important Some user attributes are deemed sensitive properties by Microsoft and cannot be updated without further configuration. Please see Update sensitive properties in Azure AD B2C / Entra External ID (AAD for Customers) for details.