Setup Azure SSO

Make sure the site is already set up for SSL (https).

Update WordPress and update all plugins.

Install the SSO for Azure AD plugin.

Configure the plugin.

Endpoints

  • Copy Redirect URL and Homepage/Login URL
  • Register site in Azure Portal -> App Registry -> new app registration using Endpoints
  • Save Application ID, Client secret, and Directory ID credentials

OAuth

  • Application (client) ID
  • Client secret
  • Directory (tenant) ID
  • Scope: https://graph.microsoft.com/User.Read

Login

  • "Create new users if they don't already exist" => yes
  • Login button text (default) => "Sign in with Azure AD"
  • Save changes

QA tests
  • Go directly to WP site without prior login -> should redirect to Azure AD login page.
  • Go to WP site as a redirect from another site signed in with SSO -> should redirect transparently to destination link page.
  • Go to WP site as a redirect from another site NOT signed in with SSO -> should redirect to Azure AD login page.

Create plugin - force logins and disable emails

Make sure ALL users log in, and disable BOTH default WordPress new user notification emails with a global PHP function.

<?php
/*
Plugin Name: Local Code Snips
Description: Contains custom functions for site
Version: 1.0.0
Author: me
Author URI: me@here.com
*/

// Force anonymous visitors to log in. Called from the theme header; it must run
// before any HTML is output, because auth_redirect() sends an HTTP redirect header.
function my_force_login() {
	if ( ( is_single() || is_front_page() || is_page() || is_archive() ) && ! is_page( 'login' ) && ! is_user_logged_in() ) {
		auth_redirect();
	}
}

// Disable BOTH default WordPress new user notification emails (the admin one and the user one).
// wp_new_user_notification() is pluggable, and plugins load before wp-includes/pluggable.php,
// so defining it here replaces the core version. Core uses $notify to pick which email to
// send; this override sends neither.
if ( ! function_exists( 'wp_new_user_notification' ) ) :
	function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
		return;
	}
endif;

Save this code as a PHP file, ZIP it up, then add the ZIP to the WordPress site using the wp-admin Plugins -> Add New -> Upload Plugin -> Activate workflow.

Edit the <theme> header file
/wp-content/themes/<theme>/header.php

Add a call to the my_force_login function at the very top of the header file. The opening <?php tag must be the first bytes of the file: if any HTML, even a comment, is sent before auth_redirect() runs, PHP cannot send the redirect header ("headers already sent") and the redirect fails unless output buffering happens to be on.

<?php
// Redirect users to login page. Guarded so the theme still renders if the plugin is deactivated.
if ( function_exists( 'my_force_login' ) ) {
	my_force_login();
}
?>

<?php
// Redirect users after login based on user role.
// Note: WordPress applies the login_redirect filter in wp-login.php, where the theme header
// is not loaded, so this only takes effect when registered from a file that loads on that
// request (such as the plugin above) rather than from a theme template.
function my_login_redirect( $url, $request, $user ) {
    // $user is a WP_User on success and a WP_Error on failure; only redirect real users.
    if ( $user instanceof WP_User ) {
        if ( $user->has_cap( 'administrator' ) ) {
            $url = admin_url();
        } else {
            $url = home_url( '/blog/' );
        }
    }
    return $url;
}
add_filter( 'login_redirect', 'my_login_redirect', 10, 3 );
?>
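As an added example (not the page's own plugin code and not part of the SSO for Azure AD plugin), the same three behaviours can live entirely inside the plugin by hooking template_redirect, so nothing has to be added to header.php: the check runs before any template output, the theme keeps working if the plugin is deactivated, and the login_redirect filter is registered on the request where WordPress applies it. The lcs_ prefix, the exempt page slugs and the /blog/ destination are assumptions.

```php
<?php
/*
Plugin Name: Local Code Snips (hooked variant)
Description: Force login, silence new-user emails, redirect by role
Version: 1.0.1
*/

// Disable BOTH default new-user notification emails. The core function is pluggable and
// plugins load before wp-includes/pluggable.php, so this definition wins.
if ( ! function_exists( 'wp_new_user_notification' ) ) :
	function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
		return;
	}
endif;

// Force login on every front-end request. template_redirect fires after the query is
// resolved but before the template outputs anything, so auth_redirect() can still send headers.
function lcs_force_login() {
	if ( is_user_logged_in() ) {
		return;
	}
	// Pages that must stay reachable anonymously. Assumption: the SSO plugin's own
	// login/redirect page is listed here, otherwise the OAuth round trip would loop
	// (Azure AD -> site -> forced redirect -> Azure AD ...). Filterable for other slugs.
	$exempt_slugs = apply_filters( 'lcs_force_login_exempt_slugs', array( 'login' ) );
	if ( is_page( $exempt_slugs ) ) {
		return;
	}
	// Sends the visitor to wp_login_url() with the current URL as redirect_to, then exits.
	auth_redirect();
}
add_action( 'template_redirect', 'lcs_force_login' );

// Administrators land in wp-admin, everyone else on /blog/ (assumed destination).
function lcs_login_redirect( $url, $request, $user ) {
	if ( $user instanceof WP_User ) {
		$url = $user->has_cap( 'administrator' ) ? admin_url() : home_url( '/blog/' );
	}
	return $url;
}
add_filter( 'login_redirect', 'lcs_login_redirect', 10, 3 );
```

Use this in place of the plugin above, not alongside it, and verify it with the three QA tests listed earlier.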

Other useful modifications

Disable new user registration emails
https://smartwp.com/disable-wordpress-new-user-notification-email/