Enable Single Sign On with Azure AD on your site.
This plugin allows users to authenticate to a site with an Azure AD account using OAuth.
This plugin requires an app registration in the Azure AD portal.
Warning: guest users and users created with a linked Microsoft account may lead to strange behavior. See the “How are AD users matched to site users?” FAQ for more information.
Not affiliated with or approved by Microsoft.
After installing the plugin, an application must be created in Azure AD to allow for authentication.
The login button will not be displayed until the plugin has been fully configured.
Make sure that the following options are configured and valid inside the plugin’s settings (Settings -> SSO for Azure AD):
1. Application (client) ID
2. Client secret
3. Directory (tenant) ID
The plugin will look for a site user whose email address is the same as their email address on Azure AD. For example, when the user who logs in to Azure AD by entering [email protected] logs in to the site, the plugin will look for a site user with the email address [email protected].
Warning: guest users and users created with a linked Microsoft account may have a different format. For example, [email protected] may become user_guestexample.com#EXT#@example.onmicrosoft.com. (In some situations, the # characters may be removed.)
The behavior for this case is configurable.
In the “Login options” section of the plugin’s settings (Settings -> SSO for Azure AD), there is an option named “Create new users if they don’t already exist”.
If it is enabled, when a user logs in and the plugin cannot find the corresponding site user, a new one will be created.
By default, the user will be created with the same role as new site signups. This can be changed with the “Role for new profiles” option.
The plugin can also automatically fill the user’s name on the new account by enabling the “Generate user profiles automatically” option.
The plugin will set the user’s username to be their email address.
Alternatively, the email domain can be removed ([email protected] -> user) by enabling the “Create usernames without domain name” option.
Warning: if multiple users have the same name but different domain names ([email protected] and [email protected]), enabling this option may cause conflicts.
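The matching and username rules above can be summarised in a few functions. The following is an added illustration, not the plugin's own code: it reduces an Azure AD sign-in identity to the email address the plugin would look for (covering the guest/external format, with or without the # characters), derives the username with or without the domain, and reports the conflicts the "Create usernames without domain name" warning refers to. Function names, the sample addresses and the tenant name are constructed for this example; the guest format it parses is the `<local>_<domain>#EXT#@<tenant>.onmicrosoft.com` shape shown above.

```python
"""Added example: how an Azure AD identity maps to a site email address and
username under the plugin's described settings.  Not the plugin's own code;
helper names and sample identities are constructed for illustration."""
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Guest/external UPN shape, e.g. "alice_example.com#EXT#@contoso.onmicrosoft.com".
# The "#" characters are optional because they are sometimes removed.
_GUEST_UPN = re.compile(
    r"^(?P<body>.+?)#?EXT#?@(?P<tenant>[^@]+\.onmicrosoft\.com)$", re.IGNORECASE
)


def normalise_identity(upn: str) -> str:
    """Return the email address an Azure AD identity corresponds to.

    Member accounts come back unchanged (lower-cased).  Guest accounts encode
    the original address as <local>_<domain>: the last underscore stands for
    the former '@' (domain labels never contain underscores, so the split is
    unambiguous).  Anything that does not look like a guest UPN is returned
    as-is rather than guessed at.
    """
    upn = upn.strip().lower()
    m = _GUEST_UPN.match(upn)
    if not m or "_" not in m.group("body"):
        return upn
    local, domain = m.group("body").rsplit("_", 1)
    if "." not in domain:
        # e.g. "my_next@contoso.onmicrosoft.com" is a member account whose
        # local part merely happens to contain "ext@"; leave it alone.
        return upn
    return f"{local}@{domain}"


def derive_username(email: str, strip_domain: bool) -> str:
    """Username the plugin would assign: the whole address, or only the local
    part when 'Create usernames without domain name' is enabled."""
    return email.split("@", 1)[0] if strip_domain else email


def username_conflicts(emails: List[str], strip_domain: bool) -> Dict[str, List[str]]:
    """Map every username that more than one address would claim to those
    addresses.  Empty when the setting cannot cause collisions for this set."""
    by_name: Dict[str, List[str]] = {}
    for email in emails:
        by_name.setdefault(derive_username(email.lower(), strip_domain), []).append(email)
    return {name: addrs for name, addrs in by_name.items() if len(addrs) > 1}


def match_site_user(upn: str, site_users: Dict[str, str], create_missing: bool) -> Optional[str]:
    """Look up the site user for an Azure AD identity.

    site_users maps email address -> site username.  Returns the matched (or
    newly created) username, or None when no user exists and creation is
    disabled, which is the case where the plugin shows its 'not registered'
    error.
    """
    email = normalise_identity(upn)
    if email in site_users:
        return site_users[email]
    if create_missing:
        site_users[email] = derive_username(email, strip_domain=False)
        return site_users[email]
    return None


if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("Alice@Example.com", "alice_example.com#EXT#@contoso.onmicrosoft.com",
                  "bob_example.orgEXT@contoso.onmicrosoft.com"):
        print(f"{ident} -> {normalise_identity(ident)}")
    print(username_conflicts(["alice@example.com", "alice@example.org"], strip_domain=True))
```

`username_conflicts` is the check worth running before enabling the domain-stripping option: feed it the addresses of the Azure AD users expected to sign in, and any non-empty result shows which accounts would collide on the same site username.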
If the “Create new users if they don’t already exist” option is disabled, when a user logs in and the plugin cannot find the corresponding site user, the following error message will be displayed: “Your account has not been registered on this site. Please contact your administrator.”
To add the site administration panel to the Azure application list, copy the “Homepage/Login URL” displayed in the “Endpoints” section of the plugin’s settings (Settings -> SSO for Azure AD).
This URL must be pasted in the “Home page URL” field in the “Branding” section of your app registration on the Azure AD portal.
In some cases, Azure may reject the callback URL provided by the plugin with the error “URL may not contain a query string”.
In this case, URL rewrites are required. In the plugin settings page, enable “Use rewrites” and save.
The callback and login/homepage URLs listed in the plugin settings will change. These new URLs do not contain a query string and should therefore work.
Warning: if you had previously referenced the callback URL with a query string, those references must be changed to the new value displayed in the plugin settings.
First release