Closed jsakas closed 3 years ago

One of our clients currently uses this plugin on their website and it works great if you have a Microsoft email account with them.
Our challenge is that as a third party, our employees cannot log in to manage their WordPress website without their IT team creating email accounts for each user.
Is it possible to disable SSO for a certain user or users, to give some external users outside of their AAD access to the backend?
Perhaps there is a hook we can use to disable SSO for all users with a certain email domain?

Is the plugin configured using the "common" endpoint, or the tenant-specific endpoint?
Also, is the plugin configured to automatically redirect to Azure AD?

Hi @psignoret thanks for your reply.
It's configured using the common endpoint.
Also, the auto-forward to Azure AD option is enabled.

If you append ?aadsso_no_redirect=please to the WordPress login URL, it will skip the automatic redirect, and leave the user at the regular sign-in form. (This is described here: https://github.com/psignoret/aad-sso-wordpress#bypassing-automatic-redirect-to-azure-ad-to-prevent-lockouts.) Your team members could then have local accounts in WordPress, and use that magic URL to sign in normally.

An alternative (and, in my opinion, better) approach is for your client to invite the approved members of your team as guests into their Azure AD tenant (using these users' normal work email addresses; they don't need to be Microsoft email addresses, and they don't need to be given dedicated email accounts by your client). For SSO to work for guest users, the plugin needs to be configured using your client's tenant-specific endpoint (e.g. "https://login.microsoftonline.com/{tenant-id-or-domain-name}/...").

Thank you for the detailed response. I will look into both of these options for my team.