Sync | Synchronize users from Azure AD to WordPress

Configure user-synchronization actions

Perform the following steps to configure the actions that WPO365 should apply when synchronizing users from Azure AD / Microsoft Entra ID to WordPress.

Select the actions that should be performed when users are synchronized, for example:

  • Create new users.
  • Update (basic profile fields, custom user fields, a profile picture and / or dynamically assigned WordPress roles of) existing users.
  • Delete users.
  • Soft-delete users (only available if you previously selected to delete users).
  • Re-assign posts to (only available if you previously unchecked the option to soft-delete users; please note that you must have checked the user successfully to be able to save the job).

Please note that if you do not check any of the actions then user synchronization will simply log / preview the action it would have otherwise applied.

When you configure user synchronization for the first time, it is strongly recommended that you preview the results by leaving the actions unchecked.


User (soft) deletion

WPO365 User synchronization is implemented in two phases. During the first phase, the users from Azure AD / Microsoft Entra ID that the query returned are processed one by one. For each Azure AD / Microsoft Entra ID user, WPO365 tries to find the WordPress counterpart. It first looks for a WordPress user with the same Azure AD / Microsoft Entra ID Object ID (oid); if that fails, it compares (short) user names and finally email addresses.

If no matching WordPress user is found, WPO365 can create it, but only if the corresponding create action has been checked. If WPO365 did find a matching WordPress user, it will update the user’s basic profile fields and optionally, depending on your configuration, custom user fields, a profile picture and / or dynamically assigned WordPress roles. Again, WPO365 will only do so if the corresponding update action has been checked.


Please note: WPO365 will always tag a matching WordPress user with the user’s Azure AD / Microsoft Entra ID Object ID (oid) and with a unique identifier for the current run of the synchronization job. It will do so no matter what actions you have checked.


During the second phase, WPO365 will look at all WordPress users that have been tagged with an Azure AD / Microsoft Entra ID User Object ID. Then it will search in that collection of users for users that have not been tagged with the unique identifier for the current run of the synchronization job. The resulting set of users are the users that WPO365 will then (soft) delete, but only if you checked the corresponding (soft) delete option.


Please note: when WPO365 soft-deletes a user, it removes all WordPress roles. It will also tag the user as de-activated. For as long as the WPO365 | LOGIN plugin is installed and activated, it will deny access to users that have been tagged as de-activated.
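The two phases described above, modelled in Python as an added example; this is not WPO365's own code. The field names, action names, the default role for created users and the sample users are assumptions constructed for illustration.

```python
import uuid

def short_name(login):
    return login.split("@")[0].lower()  # assumption: "short" name = part before "@"

def find_match(aad, wp_users):
    # Lookup order from the text: oid first, then (short) user name, then email.
    tests = (lambda u: u.get("oid") == aad["oid"],
             lambda u: short_name(u["login"]) == short_name(aad["upn"]),
             lambda u: u["email"].lower() == aad["mail"].lower())
    return next((u for t in tests for u in wp_users if t(u)), None)

def sync(aad_users, wp_users, actions=frozenset()):
    """actions: subset of {"create", "update", "delete", "soft_delete"}.
    Returns a log of (action, login, applied); applied=False means preview only."""
    run_id, log = uuid.uuid4().hex, []
    for aad in aad_users:                      # phase 1: walk the query result
        wp = find_match(aad, wp_users)
        if wp is None:
            log.append(("create", aad["upn"], "create" in actions))
            if "create" not in actions:
                continue
            # assumption: new users start with the "subscriber" role
            wp = {"login": aad["upn"], "email": aad["mail"], "roles": ["subscriber"]}
            wp_users.append(wp)
        else:
            log.append(("update", wp["login"], "update" in actions))
            if "update" in actions:
                wp["email"] = aad["mail"]      # stands in for the profile update
        wp["oid"], wp["run_id"] = aad["oid"], run_id  # tagged whatever is checked
    # phase 2: users carrying an oid tag that were not tagged in this run
    stale = [u for u in wp_users if u.get("oid") and u.get("run_id") != run_id]
    for wp in stale:
        soft = "soft_delete" in actions
        applied = "delete" in actions          # soft-delete depends on delete
        log.append(("soft_delete" if soft else "delete", wp["login"], applied))
        if applied and soft:
            wp["roles"], wp["deactivated"] = [], True  # roles removed, login denied
        elif applied:
            wp_users.remove(wp)
    return log

# Constructed sample data (not from the page).
AAD = [{"oid": "oid-1", "upn": "alice@example.com", "mail": "alice@example.com"},
       {"oid": "oid-3", "upn": "carol@example.com", "mail": "carol@example.com"}]

def sample_wp():
    return [{"login": "alice", "email": "a@old.example", "roles": ["editor"]},
            {"login": "bob", "email": "bob@example.com", "roles": ["author"], "oid": "oid-2"},
            {"login": "localadmin", "email": "root@example.com", "roles": ["administrator"]}]
```

Calling `sync(AAD, sample_wp())` with no actions returns the preview log only, yet still tags `alice` with an oid. In this model `localadmin`, which never carried an oid tag, is outside the phase-two sweep in every configuration.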


Optionally, you can decide whether or not WPO365 should ignore external identities (= Azure AD guest users) that may be included in the query result.

Last but not least – when processing the users that the query returned – WPO365 can compare (the domain portion of) a user’s Azure AD / Microsoft Entra ID login name (UPN) and email address with the entries in the Custom domains list on the plugin’s User registration configuration page. However – by default – the option to Skip domain check is unchecked.