Microsoft Entra ID (Azure AD) App Roles to WordPress Roles Mapping

Our All-in-One Microsoft Office 365 Apps Plugin automatically sets WordPress roles based on the data sent by Microsoft Entra ID (Azure AD) during Single Sign On (SSO). When a user signs in, Microsoft Entra ID returns a sign-in token containing the user’s App Roles and, if enabled, group information. The plugin reads that data and then updates the user’s WordPress roles accordingly, so permissions in WordPress stay in sync without manual changes.


Entra ID App Roles to WordPress Role Mapping Process

Within Microsoft Entra ID (Azure AD), administrators create App Roles that represent specific access rights or responsibilities and assign these roles to users or groups within the organization.

When a user logs into WordPress through Azure Single Sign On (SSO), Microsoft Entra ID (Azure AD) securely sends a token that includes the roles claim describing those assigned App Roles. The plugin reads the roles claim and automatically matches its values to the WordPress roles mapped in your plugin settings.

For instance, a Manager role in Entra ID might correspond to the Editor WordPress role. This automatic synchronization ensures that WordPress permissions always accurately reflect your organization's identity assignments.

For more details on how to define and assign App Roles in Microsoft Entra ID, please see Microsoft’s official documentation.


Key Benefits

Keep permissions accurate and in sync across Microsoft Entra ID and WordPress.

  • User privileges in WordPress are automatically updated to match their current role in Microsoft Entra ID, eliminating outdated access.
  • New team members get the right WordPress role on their first login, and access is revoked immediately when their Entra ID role changes or is removed.
  • No need for WordPress administrators to manually track role changes across large user bases or multiple teams.
  • Centralizing permissions in Entra ID creates a clear, verifiable record of role assignments for reviews and audits.

Requirements

To enable WordPress role mapping from Microsoft Entra ID (Azure AD) App Roles, ensure the following:

  • The All-in-One Microsoft Office 365 Apps Plugin is installed and active on your WordPress site.
  • OAuth 2.0 or OpenID Connect Single Sign On (SSO) is already set up and connected to Microsoft Entra ID (Azure AD).
  • You have Global Administrator privileges or equivalent permissions in Microsoft Entra ID (Azure AD) to manage and assign App Roles.
  • You have Administrative access to your WordPress site to configure role mapping within the plugin.

How to Map Microsoft Entra ID App Roles to WordPress Roles

Follow the steps below to configure this feature in the All‑in‑One Microsoft Office 365 Apps Plugin for WordPress.

A. Basic Attribute Mapping

  • Attribute mapping lets you map the user attributes sent from Azure during SSO to user attributes in WordPress.
  • Navigate to the Attribute/Role Mapping section from the EntraID(AzureAD) tab.
  • Enter the required attribute details, as well as any others, from the Test Configuration table and click the Save Settings button.

B. Custom Attribute Mapping

  • Custom attribute mapping lets you map any attribute sent by Azure to the usermeta table in WordPress.
  • Navigate to the Attribute/Role Mapping tab in the plugin.
  • Enter the Custom Attribute Name and select the Attribute Name from Azure from the dropdown.
  • Click on Save Settings to save the customized data.

C. Basic Role Mapping

This feature enables you to assign and manage user roles during SSO. It supports both default WordPress roles and any custom roles you've defined.

  • Scroll down to the Basic Role Mapping section under Attribute Mapping, and add the desired mappers to assign default roles for both new and existing users in the custom and existing user fields dropdown.

D. Custom Role Mapping

  • Navigate to the Custom role mapping section from the Attribute/Role Mapping tab.
  • Turn on the Enable Custom Role Mapping option.
  • Enter the Azure groups, separated by semicolons (;), in the provided fields to assign the desired roles and click the Save Settings button.
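
What the mapping configured in sections C and D amounts to at sign-in, as an added Python example (not the plugin's own code). It assumes the token's signature, issuer and audience were already validated; `ROLE_MAPPING`, `DEFAULT_ROLE`, the function names and all sample values are hypothetical, and exact, case-sensitive matching is an assumption about how values are compared.

```python
# Added illustration, not the plugin's code. All mapping values are constructed.

# Step D style mapping: WordPress role -> semicolon-separated Entra ID values.
ROLE_MAPPING = {
    "administrator": "WP.Admin",
    "editor": "Manager; Content.Lead;",  # stray spaces and trailing ';' tolerated
    "author": "Writer",
}
DEFAULT_ROLE = "subscriber"  # assumed default from Basic Role Mapping


def parse_mapping(mapping):
    """Invert the settings into {entra_value: wordpress_role}."""
    lookup = {}
    for wp_role, raw in mapping.items():
        for value in (v.strip() for v in raw.split(";")):
            if not value:
                continue  # an empty entry must never match an empty claim
            if lookup.setdefault(value, wp_role) != wp_role:
                raise ValueError(f"{value!r} is mapped to two WordPress roles")
    return lookup


def resolve_roles(claims, mapping=ROLE_MAPPING, default=DEFAULT_ROLE):
    """Return the WordPress roles a validated token's claims entitle a user to."""
    lookup = parse_mapping(mapping)
    presented = []
    for claim in ("roles", "groups"):
        value = claims.get(claim) or []
        # A single value may arrive as a bare string; never iterate its characters.
        presented += [value] if isinstance(value, str) else list(value)
    matched = {lookup[v] for v in presented if v in lookup}  # exact match only
    # No match falls back to the low-privilege default, never to a cached role.
    return sorted(matched) or [default]


def plan_update(current_roles, claims):
    """Roles to add and to remove so WordPress matches the token exactly."""
    target = set(resolve_roles(claims))
    current = set(current_roles)
    return sorted(target - current), sorted(current - target)
```

The second list returned by `plan_update` is the revocation set: a user whose App Role was removed in Entra ID loses the mapped WordPress role at the next sign-in instead of keeping it.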