Synchronize users from WordPress to Azure AD B2C / Entra External ID
Introduction
This article explains the steps needed to synchronize users from WordPress to Azure AD B2C or Entra External ID (Azure AD for Customers) using WPO365.
Please note: Currently, WPO365 cannot be used to synchronize users to a regular Azure AD (workforce) tenant.
About Azure AD B2C
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. See https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview for details.
About Entra External ID (Azure AD for Customers)
Microsoft has recently introduced its next-generation Customer Identity and Access Management platform, Microsoft Entra External ID, also known as Azure Active Directory (Azure AD) for Customers. Check out this article if you want to read more about this new platform. Even though the platform is still in preview, tenants can already be created and configured. WPO365 has already added support for it and has implemented many of the features it offers for Azure AD B2C, e.g. Single Sign-on and User synchronization, for Azure AD for Customers as well.
When do I need to synchronize users from WordPress to Azure AD B2C
Whether you need to synchronize users, and possibly (some of) their attributes, from WordPress to Azure AD B2C or Entra External ID (Azure AD for Customers) depends on your scenario. WPO365 already offers features to do this on demand for a single user, or for one or more users at once using a WordPress bulk action (see this article for more information). But there are a few scenarios where a full user synchronization may still be a good, or even your only, option:
- Migration You are implementing Azure AD B2C or Entra External ID for your WordPress website that has already gained some traction and possibly already has hundreds or even thousands of registered users.
- Profile editing You collect (custom) user / profile attributes that users themselves manage in WordPress and that you want to import into Azure AD B2C or Entra External ID. For example, a user's VAT number may also be of interest for other applications that connect to your Azure AD B2C or Entra External ID tenant.
Please note: It would also be possible to invite users to edit / update their "local" account profile in your Azure AD B2C tenant. Azure AD B2C has a default profile editing user flow that lets users update their account's profile data, and with WPO365 it is easy to add a custom button that sends users to that user flow, as the following example demonstrates (B2C_1_profile_editing_1 is the user flow name used in this example; substitute your own).
<div id="wpo365OpenIdRedirect" style="text-align: center"> <button onclick="window.wpo365.pintraRedirect.toMsOnline('', location.href, '', 'B2C_1_profile_editing_1')"> Edit profile </button> </div>
Also note that profile editing user flows are not currently supported in Entra External ID.
Before you start
- You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
- You have configured Azure AD B2C based Single Sign-on or Entra External ID based Single Sign-on.
- In order to support user synchronization to customer tenants as explained in this article, you must have purchased the WPO365 | CUSTOMERS addon.
- You are a Global Administrator for your company's Microsoft 365 tenant / Azure AD B2C directory (or you have at least obtained approval for your plans from your company's Global Administrator).
- You are an Administrator for your WordPress website.
- Your website uses SSL and the internet address starts with https://.
Setting up Azure AD B2C
The steps to configure Azure AD B2C are beyond the scope of the WPO365 documentation. Please refer to this article for an overview of the steps needed to configure your Azure AD B2C tenant and how to register your WordPress website as an application with Azure AD B2C, to enable scenarios such as single sign-on, (bulk) creating and updating users and user synchronization.
Important: In Azure AD B2C, on your sign-in (or sign-up and sign-in) user flow, you must enable the option Forced password reset (User Flows > User Flow > Overview > Password configuration); otherwise users are not forced to reset the temporary password that was set for them. This is the user flow setting that makes the forceChangePasswordNextSignIn attribute on a user account take effect. Even if you plan for users to enter their own password, it still makes sense to enable this option, for the case where you as an admin send a user to Azure manually (or using WPO365 User synchronization). Also ensure that you have enabled the option Email signup on the user flow's Identity providers page.
Setting up Entra External ID
The steps to configure Entra External ID (Azure AD for Customers) are beyond the scope of the WPO365 documentation. Please refer to this article for an overview of the steps needed to configure your Entra External ID tenant and how to register your WordPress website as an application with Entra External ID, to enable scenarios such as single sign-on, (bulk) creating and updating users and user synchronization.
Tip: Entra External ID supports the Email one-time passcode identity provider for user flows. When configured, users are asked for their email address when they sign in and Microsoft sends them a code by email. The advantage of this IdP is that the email address is automatically verified, and users do not need to remember yet another password. Bear in mind, though, that such an account is then exactly as secure as the user's mailbox.
App registration
In this step you will update the permissions that you assigned to the registered web application in the previous step.
- Sign in to Azure Portal with an account with sufficient privileges.
- Most likely, you have been logged in to the default "home" tenant and must now switch the directory. To do so, hover over your profile picture in the upper corner of the Azure Portal page and from the context menu that now appears, click the Switch directory link.
- Click the Switch button for your Azure AD B2C tenant.
- After you switched to your Azure AD B2C tenant, proceed to your Azure AD B2C resource.
- From the Azure AD B2C resource menu, select App registrations and look up the entry that you created previously when you registered the WordPress website (for Single Sign-on).
- Open the App registration's API Permissions page.
Most likely, you have already configured the delegated permissions openid and offline_access and granted admin consent for these two permissions. For WPO365 to be able to create new users in Azure AD B2C, it needs an additional permission. Note that, unlike the delegated permissions, the permissions added below are application permissions: they are not limited to the signed-in user but apply to every user in the tenant, so the client secret (or certificate) of this app registration must be protected accordingly.
- Click + Add a permission.
- Select Microsoft Graph > Application permissions > User.ReadWrite.All and add that permission.
- Also add the application permission User.Read.All, or else WPO365 cannot check whether a user already exists.
- Don't forget to Grant admin consent again.
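To make concrete what the two application permissions above are used for, here is an added example (not WPO365's own code) of the lookup-then-create pattern against Microsoft Graph: a client-credentials token (no signed-in user), User.Read.All for the existence check on the local account's sign-in identity, and User.ReadWrite.All for creating the account with a random temporary password and forceChangePasswordNextSignIn set. The tenant name contoso.onmicrosoft.com, the client id and secret, the user data and the `transport` hook are placeholders or assumptions of this example; the hook lets the module run offline.

```python
"""Added example, not WPO365 code: the lookup-then-create pattern that the two
Microsoft Graph application permissions above make possible. Tenant name,
client id/secret and user data are placeholders; `transport` lets the HTTP
layer be swapped out (used by the offline test), otherwise urllib is used."""
import json
import secrets
import string
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def _send(method, url, data=None, headers=None, transport=None):
    """Send one request and return the decoded JSON body."""
    headers = dict(headers or {})
    headers.setdefault("Accept", "application/json")
    if transport is not None:          # injected fake for offline runs
        return transport(method, url, data, headers)
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def get_app_token(tenant, client_id, client_secret, transport=None):
    """Client-credentials token. Application permissions are not scoped to a
    signed-in user: this token can read/write every user in the tenant, so
    the secret deserves the same protection as an admin password."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return _send("POST", url, form, headers, transport)["access_token"]


def find_local_account(token, tenant, email, transport=None):
    """Needs User.Read.All. B2C local accounts are looked up through their
    sign-in identity (issuer = the tenant's onmicrosoft.com domain), not UPN."""
    safe_email = email.replace("'", "''")  # OData string-literal escaping
    query = urllib.parse.urlencode({
        "$filter": (f"identities/any(c:c/issuerAssignedId eq '{safe_email}' "
                    f"and c/issuer eq '{tenant}')"),
        "$select": "id,displayName",
    }, quote_via=urllib.parse.quote)
    page = _send("GET", f"{GRAPH}/users?{query}",
                 headers={"Authorization": f"Bearer {token}"}, transport=transport)
    hits = page.get("value", [])
    return hits[0] if hits else None


def temp_password(length=24):
    """Random temporary password that satisfies the default complexity policy
    (three of: lower, upper, digit, symbol) by construction."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!$%&*-_"]
    chars = [secrets.choice(c) for c in classes]          # one from each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def create_local_account(token, tenant, email, display_name, transport=None):
    """Needs User.ReadWrite.All. forceChangePasswordNextSignIn only takes
    effect if the user flow has Forced password reset enabled (see above)."""
    body = {
        "displayName": display_name,
        "identities": [{"signInType": "emailAddress", "issuer": tenant,
                        "issuerAssignedId": email}],
        "passwordProfile": {"password": temp_password(),
                            "forceChangePasswordNextSignIn": True},
        "passwordPolicies": "DisablePasswordExpiration",
    }
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return _send("POST", f"{GRAPH}/users", json.dumps(body).encode(), headers, transport)


def sync_user(token, tenant, email, display_name, transport=None):
    """Create the B2C local account for one WordPress user unless it exists."""
    existing = find_local_account(token, tenant, email, transport)
    if existing:
        return {"action": "exists", "id": existing["id"]}
    created = create_local_account(token, tenant, email, display_name, transport)
    return {"action": "created", "id": created["id"]}


if __name__ == "__main__":  # placeholders: replace before running for real
    tok = get_app_token("contoso.onmicrosoft.com", "<client-id>", "<client-secret>")
    print(sync_user(tok, "contoso.onmicrosoft.com", "jane@example.com", "Jane Doe"))
```

Without User.Read.All the GET in find_local_account is rejected and the job cannot tell whether to create or to update; without User.ReadWrite.All the POST is rejected. Either way the failure surfaces only at run time, after admin consent was believed to be complete, which is why the page tells you to grant consent again after adding the second permission.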
Plugin configuration
To configure WPO365 to regularly synchronize users from WordPress to Azure AD B2C - for example once per day - you must complete the following steps.
- Navigate to WP Admin > WPO365 > User sync and Enable user synchronization.
- As soon as WPO365 User synchronization has been enabled, select WordPress -> AAD B2C / Entra Ext. ID from the dropdown as the direction of the synchronization and click + Add. This adds an empty job that you must now configure.
Proceed by configuring the following options.
Option | Description |
Name | A human-readable name for the job e.g. ALL CUSTOMERS. |
Actions | Define the actions that WPO365 should apply to each user during synchronization. |
Page size | The number of users that WPO365 processes per batch. See the information immediately below this table to understand how WPO365 processes batches and what you must do to ensure that all batches are processed as expected. |
Excluded roles | Maintain a list of roles, e.g. administrator, that the plugin should ignore / exclude when synchronizing users. |
Trigger | Define how this user synchronization job should be started. |
Send log | Check this option, if you want to receive an email when the user synchronization job is completed. |
Send email to | If you check the option to Send log this input field will appear and you can enter here the email address where the log will be sent. |
Important: To avoid time-out errors, WPO365 User synchronization does not process all users at once. Instead, it processes users in batches of the configured page size (10 or 25 users). After each batch has been completed, WPO365 schedules the next one. To work through all batches, WPO365 relies heavily on WP-Cron jobs, so it is important that you ensure that WP-Cron jobs are being checked frequently. Please check this article for guidance on how you can improve the stability of WP-Cron and simulate a situation in which WP-Cron is running continuously.
Monitoring progress
Once a user synchronization job is running or has finished, you can monitor its progress on the same User sync page.
After a user synchronization job has finished, you can click the View link shown next to the Total. Users that were not synchronized are counted as errors; if errors were detected, you can click the View link next to Errors to see which users did not synchronize as expected. Clicking either link takes you to the default WordPress All Users list, filtered to the users that were included in the last run of WPO365's user synchronization.
Troubleshooting
- The External link trigger may not work as expected if caching is enabled for your website. In that case the link works the very first time, and again each time after you purged / refreshed the cache, because the cache keeps serving the stored response for the same URL. To avoid this, add a query parameter to the URL with a value that is generated dynamically (for example the current time), so that every request has a unique URL and bypasses the cache.
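As an added example (not part of the WPO365 documentation or plugin), the following script builds such a cache-busting URL for the External link trigger and requests it, so it can be run from a system cron job instead of relying on a cached page hit. The parameter name nocache is an arbitrary choice (caches key on the full URL, so any name works), the trigger URL is a placeholder to be copied from the User sync page, and the `opener` hook is an assumption of this example used for offline testing.

```python
"""Added example, not WPO365 code: request the External link trigger with a
unique query parameter so a caching layer cannot serve a stale response.
The parameter name `nocache` is arbitrary; the trigger URL is a placeholder."""
import sys
import time
import urllib.parse
import urllib.request


def cache_busting_url(trigger_url, value=None, param="nocache"):
    """Return trigger_url with param=value added. Existing query parameters
    and any fragment are preserved, and an earlier value of the same
    parameter is replaced. value defaults to the current Unix time."""
    if value is None:
        value = int(time.time())
    parts = urllib.parse.urlsplit(trigger_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query = [(k, v) for k, v in query if k != param] + [(param, str(value))]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def fire_trigger(trigger_url, opener=urllib.request.urlopen):
    """GET the trigger URL once with a fresh cache-busting value and return
    the HTTP status code (opener is injectable so tests stay offline)."""
    with opener(cache_busting_url(trigger_url), timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python3 trigger.py '<External link trigger URL from the User sync page>'
    # Cron entry for a daily run at 03:00 (placeholder paths):
    # 0 3 * * * /usr/bin/python3 /path/to/trigger.py '<trigger URL>'
    print(fire_trigger(sys.argv[1]))
```

Cron calls this once per day; everything after the first HTTP request is still driven by WP-Cron in batches as described under Plugin configuration, so this does not replace the WP-Cron guidance above.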