R&A | Dynamically assign WordPress roles based on Azure AD group memberships

Update API Permissions

Perform the following steps to ensure that the application you registered in Azure AD / Microsoft Entra ID has been granted the permissions it needs to request, for a given user, all the groups that user is a direct or indirect (transitive) member of.


Please note: if you do not plan to synchronize users and only expect WPO365 to assign WordPress roles dynamically, based on a user’s Azure AD group memberships, whenever that user signs in with Microsoft interactively, you can configure the permissions below as delegated permissions instead of application permissions. Delegated permissions are exercised on behalf of the signed-in user and are limited to what that user is allowed to read, whereas application permissions let WPO365 read every user and group in the tenant regardless of who is signed in, so delegated permissions are the least-privilege choice whenever interactive sign-in is all you need. In that case you must have configured OpenID Connect based single sign-on, and you must add the delegated permissions to the registered application in Azure AD / Microsoft Entra ID that you created for the purpose of OpenID Connect based single sign-on.


  • Navigate to the plugin’s Integration configuration page.
  • Scroll down to the Application Access section and click the View in Azure Portal link for (App-only) Application (Client) ID. This opens the Overview page of the registered application in Azure AD / Microsoft Entra ID. If you are configuring delegated permissions, skip this step and open the registered application you created for OpenID Connect based single sign-on instead.
  • Click API permissions in the ‘App registration’ menu on the left.
  • Click + Add permission.
  • Select Microsoft Graph > Application permissions, or Microsoft Graph > Delegated permissions if you are configuring delegated permissions.
  • Scroll down to GroupMember and check
    • GroupMember.Read.All
  • Scroll down to User and check
    • User.Read.All
  • Click Add permissions.
  • Finally, click Grant admin consent for … to grant consent on behalf of all users in your tenant for this ‘App registration’. Repeat this step whenever you add a permission later; permissions added after consent was granted are not consented until you click the button again.

If Grant admin consent for … is greyed out, you do not have sufficient privileges to continue. Since admin consent is mandatory, you must contact your Global Administrator and ask for help.
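The portal shows a green tick in the Status column once consent has been granted, but a practitioner usually wants to verify the result from the tenant side as well: that exactly the two permissions above are declared in the intended mode (application or delegated), that nothing broader such as Directory.Read.All crept in, and that tenant-wide admin consent actually exists for each of them. The script below is an added example written for this page, not WPO365 code. It works on the objects Microsoft Graph returns for the Microsoft Graph service principal (appRoles and oauth2PermissionScopes), the application object (requiredResourceAccess), the app’s service principal appRoleAssignments (consent records for application permissions) and oauth2PermissionGrants (consent records for delegated permissions); here those objects are constructed inline so the check runs offline, and every GUID in them is made up except MS_GRAPH_APP_ID, which is the same in every tenant.

```python
"""Offline check that an Entra ID app registration declares the Microsoft Graph
permissions WPO365 needs and that tenant-wide admin consent was really granted.

Added example, not WPO365 code. The dictionaries mirror the shape Microsoft
Graph returns for the four objects involved; they are constructed inline so
the script runs offline. Every GUID is made up except MS_GRAPH_APP_ID.
"""

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, fixed across tenants
REQUIRED = ("GroupMember.Read.All", "User.Read.All")

# Constructed: GET /servicePrincipals?$filter=appId eq '<MS_GRAPH_APP_ID>'
GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": MS_GRAPH_APP_ID,
    "appRoles": [  # application permissions
        {"id": "aaaa0001-0000-0000-0000-000000000000", "value": "GroupMember.Read.All"},
        {"id": "aaaa0002-0000-0000-0000-000000000000", "value": "User.Read.All"},
        {"id": "aaaa0003-0000-0000-0000-000000000000", "value": "Directory.Read.All"},
    ],
    "oauth2PermissionScopes": [  # delegated permissions
        {"id": "dddd0001-0000-0000-0000-000000000000", "value": "GroupMember.Read.All"},
        {"id": "dddd0002-0000-0000-0000-000000000000", "value": "User.Read.All"},
    ],
}

# Constructed: GET /applications/{objectId} for the WPO365 app registration.
# It declares the two required permissions plus Directory.Read.All, all as
# application permissions ("Role"); delegated permissions would be "Scope".
APP_REGISTRATION = {
    "appId": "22222222-2222-2222-2222-222222222222",
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "aaaa0001-0000-0000-0000-000000000000", "type": "Role"},
            {"id": "aaaa0002-0000-0000-0000-000000000000", "type": "Role"},
            {"id": "aaaa0003-0000-0000-0000-000000000000", "type": "Role"},
        ],
    }],
}

APP_SP_ID = "33333333-3333-3333-3333-333333333333"  # the app's own service principal

# Constructed: GET /servicePrincipals/{APP_SP_ID}/appRoleAssignments.
# Consent was granted before GroupMember.Read.All was added, so only
# User.Read.All has an assignment: "Grant admin consent" must be clicked again.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": APP_SP_ID, "resourceId": GRAPH_SP["id"],
     "appRoleId": "aaaa0002-0000-0000-0000-000000000000"},
]

# Constructed: GET /oauth2PermissionGrants, consent records for delegated permissions.
OAUTH2_GRANTS = [
    {"clientId": APP_SP_ID, "resourceId": GRAPH_SP["id"],
     "consentType": "AllPrincipals", "scope": "User.Read.All openid profile"},
]


def permission_ids(graph_sp, mode):
    """Map permission names to their IDs from the Graph service principal manifest."""
    key = "appRoles" if mode == "application" else "oauth2PermissionScopes"
    return {p["value"]: p["id"] for p in graph_sp[key]}


def declared_permissions(app, graph_sp, mode):
    """Sorted names of the Graph permissions the app registration declares in this mode."""
    wanted_type = "Role" if mode == "application" else "Scope"
    names_by_id = {pid: name for name, pid in permission_ids(graph_sp, mode).items()}
    return sorted(
        names_by_id[entry["id"]]
        for block in app["requiredResourceAccess"]
        if block["resourceAppId"] == graph_sp["appId"]
        for entry in block["resourceAccess"]
        if entry["type"] == wanted_type and entry["id"] in names_by_id
    )


def missing_permissions(app, graph_sp, mode, required=REQUIRED):
    declared = set(declared_permissions(app, graph_sp, mode))
    return [name for name in required if name not in declared]


def excess_permissions(app, graph_sp, mode, required=REQUIRED):
    """Declared permissions beyond the minimum WPO365 needs: a least-privilege smell."""
    return [n for n in declared_permissions(app, graph_sp, mode) if n not in required]


def unconsented_permissions(mode, graph_sp, app_sp_id, app_role_assignments,
                            oauth2_grants, required=REQUIRED):
    """Required permissions that have no tenant-wide admin consent record."""
    if mode == "application":
        ids = permission_ids(graph_sp, mode)
        granted_ids = {a["appRoleId"] for a in app_role_assignments
                       if a["principalId"] == app_sp_id and a["resourceId"] == graph_sp["id"]}
        return [n for n in required if ids.get(n) not in granted_ids]
    granted = set()
    for g in oauth2_grants:
        # Per-user consent ("Principal") is not enough; the button creates "AllPrincipals".
        if (g["clientId"] == app_sp_id and g["resourceId"] == graph_sp["id"]
                and g["consentType"] == "AllPrincipals"):
            granted.update(g["scope"].split())
    return [n for n in required if n not in granted]


if __name__ == "__main__":
    for mode in ("application", "delegated"):
        print(mode,
              "missing:", missing_permissions(APP_REGISTRATION, GRAPH_SP, mode),
              "excess:", excess_permissions(APP_REGISTRATION, GRAPH_SP, mode),
              "unconsented:", unconsented_permissions(mode, GRAPH_SP, APP_SP_ID,
                                                     APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS))
```

Against the constructed data the application-permission check reports nothing missing, Directory.Read.All as excess, and GroupMember.Read.All as unconsented, which is exactly the situation where the portal list looks complete but the Grant admin consent button has to be clicked again. In a real tenant, fetch the four objects with Graph Explorer or `az rest` and feed them to the same functions; run the check in the mode you chose above, because a permission declared as an application permission is invisible to the delegated check and vice versa.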