Restrict access to members of specific Azure AD groups
Use this guide if you want to restrict access to members of specific Azure AD (security / Office 365 / distribution list) groups using the PREMIUM or INTRANET edition of the WordPress + Office 365 plugin.
Before you start
- You must already have configured the single sign-on capability of the WordPress + Office 365 plugin.
- You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
- You are an Administrator for your WordPress website.
App registration
- In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
- Navigate to Azure Active Directory > App registrations.
- Select the App registration that you created when you configured the single sign-on capability of the plugin.
Token configuration
- Click Token configuration from the 'App registration' menu on the left.
- Click + Add groups claim.
- Select Security groups.
- Click Add.
Grant access to an Azure AD group
- Open (in a new browser tab) Azure Portal and click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
- Navigate to Azure Active Directory > Groups.
- Click the group you want to create a mapping for and from the Overview page copy the group's Object ID.
- Navigate to the plugin's wizard WP Admin > WPO365 and click User registration.
- Scroll down to Allowed Azure AD groups.
- Paste the Object ID of the group (see the following screenshot) on a new line.
- Important: click "+" to add the mapping.
The following video https://youtu.be/kL82s5opWnk has been created for an older version of the plugin but still covers the basics presented in this guide.
Please note that once you have whitelisted specific Azure AD groups, all users that are not a member of any of the whitelisted groups can no longer sign in to your website.
Last but not least, please note that you can reference nested Azure AD groups here. The ID token received from Microsoft will contain the group IDs of all groups the user is a member of, plus the group IDs of all groups those groups are members of, and so on. In other words, Azure AD resolves the nested group hierarchy for your convenience.
- Click Save configuration.
Test and Troubleshoot
To test your whitelist, log on with a (test) user that is a member of a whitelisted Azure AD group.
Alternatively, try to log on with a (test) user that is not a member of any whitelisted Azure AD group.
If the whitelist is not working as expected, you can verify your configuration as follows.
- Enable the plugin's Debug log (see https://docs.wpo365.com/article/19-enable-debug-log).
- Navigate to the plugin's wizard WP Admin > WPO365 and click ... > Debug.
- Check Log ID token.
- Sign out of your WordPress website.
- Sign back in with Microsoft.
- Navigate back to WP Admin > WPO365 > ... > Debug and click Show all.
- Search for the ID token in the log and check to see if the group IDs were indeed sent as expected.
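The following script is an added example (not part of this guide and not the plugin's own code) that shows what the last step is looking for: it decodes the payload of an ID token copied from the Debug log, reads the `groups` claim, and applies the same decision the whitelist makes (the user is allowed if at least one group ID in the token appears in Allowed Azure AD groups). The group IDs in `ALLOWED_GROUP_IDS` and the tokens built by `make_unsigned_id_token` are constructed placeholders, not real tenant values. Two diagnostic branches go beyond the guide: a token with no `groups` claim at all usually means the groups claim was not added under Token configuration, and a token that carries `_claim_names` instead of `groups` means Azure AD hit its groups-claim size limit (a "groups overage") and did not put the group list in the token. The script does not verify the token signature; it is only for inspecting a logged token, never for making an access decision of its own.

```python
import base64
import json

# Constructed sample allow list: the group Object IDs an administrator pasted
# into "Allowed Azure AD groups" (placeholder GUIDs, not real tenant values).
ALLOWED_GROUP_IDS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims):
    """Build a constructed ID token for offline testing only.
    The signature segment is a placeholder; Microsoft-issued tokens are signed
    and the plugin validates that signature before trusting any claim."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def id_token_claims(id_token):
    """Return the payload claims of a logged ID token WITHOUT signature
    verification. Use only to inspect what Azure AD sent, as in the
    Debug log check above."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_group_access(id_token, allowed):
    """Mirror the whitelist decision: allowed if any ID in the 'groups' claim
    is on the allow list. Also reports why the claim may be missing."""
    claims = id_token_claims(id_token)
    groups = claims.get("groups")
    if groups is None:
        # Azure AD replaces 'groups' with '_claim_names'/'_claim_sources'
        # when the user belongs to more groups than fit in the token.
        if "groups" in claims.get("_claim_names", {}):
            reason = ("groups overage: Azure AD omitted the groups claim; "
                      "the group list must be fetched from Microsoft Graph")
        else:
            reason = ("no groups claim: check Token configuration > "
                      "Add groups claim on the App registration")
        return {"allowed": False, "matched": [], "reason": reason}
    matched = sorted(set(groups) & set(allowed))
    if matched:
        return {"allowed": True, "matched": matched,
                "reason": "member of an allowed group"}
    return {"allowed": False, "matched": [],
            "reason": "not a member of any allowed group"}


if __name__ == "__main__":
    # Constructed tokens covering the cases an administrator will see in the log.
    samples = {
        "member of allowed group": make_unsigned_id_token(
            {"groups": ["22222222-2222-2222-2222-222222222222",
                        "33333333-3333-3333-3333-333333333333"]}),
        "not a member": make_unsigned_id_token(
            {"groups": ["33333333-3333-3333-3333-333333333333"]}),
        "groups claim not configured": make_unsigned_id_token({"sub": "user"}),
        "groups overage": make_unsigned_id_token(
            {"_claim_names": {"groups": "src1"},
             "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}}}),
    }
    for label, token in samples.items():
        print(f"{label}: {check_group_access(token, ALLOWED_GROUP_IDS)}")
```

When checking a real token from the Debug log, paste its three-segment string into `id_token_claims` and confirm that the `groups` array contains the Object ID you added under Allowed Azure AD groups; nested groups appear in that same array because Azure AD resolves the hierarchy before issuing the token.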