Perform the following steps to ensure that your registered application in Azure AD / Microsoft Entra ID has been granted sufficient permissions to request for a user all the groups he / she is a direct or indirect (transitive) member of.
Please note If you do not plan to synchronize users and only expect WPO365 to dynamically assign WordPress roles based on a user’s Azure AD group memberships whenever a user signs in with Microsoft interactively, you can configure the following permissions as delegated permissions instead. In that case you must have configured OpenID Connect based single sign-on and you must add the delegated permissions to the registered application in Azure AD / Microsoft Entra ID that you created for the purpose of OpenID Connect based single sign-on.
- Navigate to the plugin’s Integration configuration page.
- Scroll down to the Application Access section and click View in Azure Portal link for (App-only) Application (Client) ID. This will open the Overview page of the registered application in Azure AD / Microsoft Entra ID Or ignore this step if you are configuring delegated permissions.
- Click API permissions from the ‘App registration’ menu on the left
- Click + Add permission.
- Select Microsoft Graph > Application permissions Or select Microsoft Graph > Delegated permissions if you are configuring delegated permissions.
- Scroll down to GroupMember and check
- GroupMember.Read.All
- Scroll down to User and check
- User.Read.All
- Click Add permissions.
- Finally click the Grant admin consent for … to grant consent for all users in your tenant to use this ‘App registration’.
If the Grand admin consent for … is greyed out then you do not have sufficient permissions to continue. Since this is mandatory you must contact your Global Administrator and ask for help.