Open slewislcm opened 1 month ago
Hi @slewislcm
I confirm the User Restrictions settings in the auth_oidc plugin can only work on the user identifier, which is the UPN for Microsoft accounts. It's impossible to extend it to support groups.
You may want to check the Prevent account creation when authenticating (authpreventaccountcreation) setting on the "Manage authentication" configuration page (https://url.to.moodle/admin/settings.php?section=manageauths). When enabled, it will prevent any authentication plugin that authenticates users from external IdPs, including but not limited to auth_oidc, from creating a new Moodle account on successful authentication.
The ideal configuration in your case is likely:
Please give it a try.
Regards, Lai
Hi, The plugin is working pretty well for us, just tweaking the process. So the user sync creation works well, with the restriction by an Entra group. And users can access and create new accounts by logging straight into Moodle, but when they do there is no group restriction (unless I'm missing something), so it's open to anyone on our domain. We've set the auth_oidc/userestriction to our domain, but I think it would be good to restrict by group too. So we can leave the 'account creation' on when authenticating.
Thanks, Simon