WordPress + Microsoft Office 365 / Azure AD | LOGIN

Description

With WPO365 | LOGIN users can sign in with their corporate or school (Azure AD / Microsoft Office 365) account to access your WordPress website: No username or password required (OIDC or SAML 2.0 based SSO). Plus you can send email using Microsoft Graph instead of SMTP from your WordPress website.

SINGLE SIGN-ON (SSO)

  • Enable Microsoft based Single Sign-on
  • Supported Identity Providers (IdPs): Azure Active Directory, Azure AD B2C, Entra External ID (Azure AD for Customers)
  • Supported SSO protocols: OpenID Connect and SAML 2.0
  • Supported OpenID Connect User Flows: Authorization Code User Flow (recommended) and Hybrid User Flow

NEW USERS

  • New users that sign in with Microsoft automatically become WordPress users

INTRANET

  • Configure the intranet authentication mode to restrict access to all front-end posts and pages
  • Hide the WordPress Admin Bar for specific roles

MICROSOFT TEAMS

  • Support for (seamless) integration of your WordPress website into Microsoft Teams Tabs and Apps

MAIL

  • Send emails using Microsoft Graph instead of SMTP from your WordPress website
  • Send as HTML
  • Save to the Sent Items folder
  • Support for file attachments

WORDPRESS MULTISITE

  • Support for WordPress Multisite

POWER BI

  • Embed Microsoft Power BI content (user owns data)

SHAREPOINT

  • Embed a SharePoint Online library
  • Embed a SharePoint Online list
  • Embed an Outlook / Exchange calendar
  • Embed a SharePoint Online search

EMPLOYEE DIRECTORY

  • Embed an intuitive Azure AD / Microsoft Graph based Employee Directory into a front-end post or page

REST API ENDPOINT PROTECTION

  • Protect your WordPress REST API endpoints with a combination of a WordPress cookie and a nonce for delegated access

DEVELOPERS

  • Developers can now connect to a RESTful API for Microsoft Graph in their favorite programming language and without the hassle of authentication and authorization
  • PHP hooks for developers to build custom Microsoft Graph / Office 365 integrations

ADD FUNCTIONALITY WITH PREMIUM EXTENSIONS

PROFILE+

  • Update a WordPress user profile with (first, last, full) name, email and UPN from Azure AD

NEW USERS

  • Create users in Azure AD B2C / Entra External ID (Azure AD for Customers) from WordPress

SINGLE SIGN-ON

  • Visitors are required to sign in with Azure AD / Microsoft but will not be automatically logged in to WordPress

AUDIENCES

  • Azure AD group based access restriction for individual front-end posts and pages and post types
  • Require a user to log on (and determine the response, e.g. redirect to the 404 page, the login page, or Microsoft based SSO)

SYNC

  • On-demand / scheduled user synchronization from Azure AD (B2C) to WordPress
  • On-demand / scheduled user synchronization from WordPress to Azure AD B2C / Entra External ID (Azure AD for Customers)

ROLES + ACCESS

  • WordPress roles assignments / access restrictions based on Azure AD groups / user attributes / login-domains

AVATAR

  • Replace the default WordPress / BuddyPress avatar with a Microsoft 365 profile picture

LOGIN+

  • Map Microsoft Graph user resource properties to custom WordPress / BuddyPress user profile fields
  • Map custom claims in an Azure AD B2C ID token to custom WordPress / BuddyPress user profile fields
  • Map custom claims from SAML 2.0 response to custom WordPress / BuddyPress user profile fields
  • Support for so-called Multi-Tenancy
  • Require Proof Key for Code Exchange (PKCE)
  • Force Single Sign-on for the login page
  • Dual login

LEARNDASH INTEGRATION

  • Auto-enroll users into LearnDash Courses e.g. based on their Azure AD groups memberships.
  • Support for LearnDash User Groups.

MAIL

  • Send large attachments (> 3 Mb)
  • Send from Microsoft 365 Shared Mailbox
  • Send as / Send on behalf / Support for distribution lists
  • Log every email sent from your WordPress website, review errors and (automatically) try to send unsuccessfully sent mails again.
  • Throttle emails sent from your website.
  • Mail Staging Mode is useful for debugging and staging environments. WordPress emails will be logged and saved in the database instead of being sent.
  • Allow forms / plugins / themes to dynamically set the From address
  • Send all emails by default as BCC

GROUPS

  • Deep integration with the (itthinx) Groups plugin for group membership and access control

MICROSOFT 365 APPS

  • Advanced versions of the apps to embed content of Microsoft 365 services such as Power BI (with support for application owns data scenarios) and SharePoint Online (with support for anonymous users)

SCIM

  • (SCIM based) Azure AD User Provisioning to WordPress

REST API ENDPOINT PROTECTION

  • Enable Azure AD based protection for your WordPress REST API endpoints

CONFIGURATION

  • Save multiple configurations
  • Directly edit (the JSON representation of) a configuration

Prerequisites

  • Make sure that you have disabled caching for your website in case your website is an intranet and access to WP Admin and all published pages and posts requires authentication. With caching enabled, the plugin may not work as expected.
  • We have tested our plugin with WordPress >= 4.8.1 and PHP >= 5.6.40.
  • You need to be an (Office 365) Tenant Administrator to configure both Azure Active Directory and the plugin.
  • You may want to consider restricting access to the otherwise publicly available wp-content directory

Support

We will go to great lengths to support you if the plugin doesn’t work as expected. Go to our Support Page to get in touch with us. We haven’t been able to test our plugin in all of the endless possible WordPress configurations and versions, so we are keen to hear from you and happy to learn!

Feedback

We are keen to hear from you so share your feedback with us on LinkedIn and help us get better!

Open Source

If you’re a developer and interested in the code, have a look at our repo over at WordPress.

Screenshots

  • Microsoft / Azure AD based Single Sign-on
  • Embedded Power BI for WordPress
  • Embedded SharePoint Online Documents for WordPress
  • Embedded SharePoint Online Search for WordPress
  • Employee Directory
  • Support for Azure AD B2B and Azure AD B2C
  • Sending WordPress email using Microsoft Graph
  • Synchronizing users from Azure AD to WordPress
  • Embed WordPress in a Teams Tab or App
  • Assign WordPress roles / Deny access based on Azure AD groups

Installation

Please refer to these Getting started articles for detailed installation and configuration instructions.

Reviews

May 9, 2024 1 reply
For both login and email integration with Microsoft 365.
May 8, 2024 1 reply
I installed this plugin, followed the excellent online tutorial, and it worked the very first time. Not only that, it works like a dream. If the visitor is already logged in to MS365, they simply have to click the “Sign In With Microsoft” button and does not have to re-enter MS365 credentials. Our organization uses MS365 2FA, and it works well with that. It also works great to log in with WordPress Username/PW. SSO at its best. I’m thrilled with this plugin. Thank you!!!
May 8, 2024 1 reply
WPO365 has been a game-changer for my platform which connects WordPress users utilizing the MS365 suite of products. Of all the plugins I’ve purchased, WPO365 has been the most mission-critical for my company, and the most advanced. Despite how technically capable the plugin is (using secret keys / APIs / etc. to authenticate / communicate between Microsoft Azure and my WordPress ecosystem), the plugin handles these connections seamlessly. I can’t say enough good things about WPO365, as there really aren’t many options on the market that offer the ability for WordPress to communicate with the ultra-secure MS365 suite of products, but even when more competition exists, from my experience, I’m confident that WPO365 will be considered best-in-class. The seamless connections experience between WordPress & Microsoft that WPO365 creates is smooth for both my admins and my users. It has opened up a world of possibilities, allowing us to offer a more integrated and efficient experience for everyone. I’m over the moon ecstatic with how WPO365 has enabled us to enhance our platform’s capabilities and provide a much more evolved and feature-rich experience for our users. Highly recommended for anyone looking to integrate WordPress with Microsoft 365! Re-reading this review, I acknowledge that it sounds almost like a “planted review,” but I assure you, it’s not: I just really think WPO365 does a good job at what it does, and it’s been very important for my company’s growth, so I felt compelled to write a review commensurate with the impact it’s had on my business.
May 7, 2024 1 reply
Had a minor issue and the support was so fast, helpful, and professional. Truly appreciated it, and saved me so much time! Great plugin, great support.
May 1, 2024 1 reply
Worked great! Very helpful instructions as to what I should configure at the Azure app registration pages to get it working.
April 30, 2024 1 reply
Marco offers both an excellent product and outstanding support, a combination that is quite rare. Every time we’ve interacted with him, he has been highly professional and knowledgeable and goes the extra extra mile to help. He truly deserves a five-star review for his dedication and exceptional service.

Contributors & Developers

“WordPress + Microsoft Office 365 / Azure AD | LOGIN” is open source software. The following people have contributed to this plugin.

“WordPress + Microsoft Office 365 / Azure AD | LOGIN” has been translated into 4 locales. Thank you to the translators for their contributions.


Changelog

v27.2

  • Improvement: The list of “Optional SCIM attribute mappings” on the plugin’s “User Sync” configuration page has been deprecated. Administrators that have support for SCIM based Azure AD User provisioning enabled are urged to migrate these mappings to the list “SCIM attribute to WordPress user meta mappings” in the section “Custom User Fields” using the corresponding “Migrate optional SCIM attribute mappings” button. [SCIM, INTRANET]
  • Fix: Some “SCIM attribute to WordPress user meta mappings” e.g. “emails[type eq “work”].value” were only processed by WPO365 internally e.g. to update a user’s WordPress profile. With this change, these attributes can now also be mapped to WordPress user meta. [SCIM, INTRANET]
  • Fix: An administrator now can (and should) – besides the ID token claim – also specify the corresponding AAD user property (and SCIM claim, if support for SCIM based Azure AD User provisioning has been enabled) that WPO365 should use for a new WordPress user’s username. This only concerns those administrators who configured a custom claim as the username of a new WordPress user (on the plugin’s “User registration” configuration page). [(LOGIN+), CUSTOMERS, SCIM, SYNC]
  • Fix: By fixing a caching issue, WPO365 should – after this update – no longer show a notification that “There is a new version of […] available […]” for WPO365 premium addons and bundles after those were updated to the latest version. [ALL PREMIUM ADDONS / BUNDLES]

v27.1

  • Fix: “Strict Mode” for the Redirect URI can now also be enabled for the WPO365 | MICROSOFT GRAPH MAILER plugin (so it will only try to process an OAuth response / payload detected at the exact URL, which must be a path below the site’s home address, e.g. /oidc-auth/). [MICROSOFT GRAPH MAILER]
  • Fix: The plugin will not try to process an OAuth response / payload if both features SSO and MICROSOFT GRAPH MAILER are disabled, or if SSO is disabled but MICROSOFT GRAPH MAILER is enabled and the administrator did not start an attempt to authorize an account to send emails from. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: WPO365 Health Messages are now correctly displayed on the corresponding panel for the MICROSOFT GRAPH MAILER plugin.
  • Fix: A cached Authorization Code will now be correctly removed from cache after it has been redeemed. [LOGIN]
  • Fix: A user’s UPN is now correctly escaped before inserting it into the WPO365 User Synchronization database table (to support UPNs with single quotes). [SYNC, INTRANET]

v27.0

  • Breaking Change: HTML and CSS for the default login-button has changed slightly and the wrapper is now a flex-box, to allow for an additional drop-down list in case the administrator configured multiple Identity Providers. An administrator, however, can revert this change and configure WPO365 to use the old login-button template (see the corresponding option on the plugin’s Miscellaneous configuration page). [LOGIN]
  • Breaking Change: To support DevOps workflows and site replication scenarios, WPO365 now automatically detects named constants in your website’s wp-config.php file that either configure a single Identity Provider (IdP) or any of the WPO365 settings that are not directly related to an IdP. As a result, the option Use WP-Config.php for AAD secrets has been renamed to Obfuscate AAD options and the option Use WP-Config.php to override (some) config options has been removed. [ANY PREMIUM ADDON / BUNDLE]
  • Breaking Change: LearnDash enrollment rules are now also applied to existing users (when they sign in or when users are synchronized). [ROLES + ACCESS, SYNC, INTRANET]
  • Feature (preview): Administrators can now configure WPO365 to support multiple Identity Providers (IdP). If multiple IdPs have been configured, WPO365 will – by default – render a dropdown list enumerating IdPs by their “friendly name”. A user simply picks an IdP from the list before clicking “Sign in with Microsoft”. Refer to the new tutorial for further details. [ANY PREMIUM ADDON / BUNDLE]
  • Feature (preview): Now administrators can enable WPO365 Insights and aggregate various events into straightforward management dashboards. These dashboards are designed to offer valuable insights, such as tracking the count of users who have authenticated successfully or unsuccessfully, monitoring emails that have been sent successfully or unsuccessfully, and overseeing the synchronization status of users, whether through SCIM, WPO365 User synchronization, or during their initial sign-in. See the new online guide for further details. [ALL]
  • Feature (preview): Administrators can now add app roles to an App registration in Microsoft Entra Admin Center and use them to dynamically assign WordPress roles to users. See the online documentation for further details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature (preview): WPO365 now also supports the SAML 2.0 protocol for use with Azure AD’s multi-tenancy feature. See the online documentation for further details. [LOGIN+, SYNC, INTRANET]
  • Improvement: WPO365 can now be configured to skip saving the default WP avatar for a user without a profile picture. See the online documentation for further details. [AVATAR, SYNC, INTRANET]
  • Improvement: An administrator can now choose between the WordPress site URL or the WP Admin URL as the default landing page after a user successfully signed in with Microsoft. Alternatively, a custom URL can be defined when the LOGIN+ addon, or the SYNC or INTRANET is detected. [LOGIN, LOGIN+, SYNC, INTRANET]
  • Improvement: When a SAML 2.0 X509 certificate is missing from the configuration, is expired or has been withdrawn, WPO365 will try and read the tenant’s federation metadata to obtain (and cache) a new signing key. [LOGIN]
  • Improvement: WPO365 Health Messages will no longer be displayed on a default WordPress notification banner, but instead a dismissable panel will slide over the configuration app. [LOGIN]
  • Improvement: After running the Plugin self-test for SAML 2.0 based SSO, the raw SAML response can now be viewed by clicking the corresponding link for the “SAML response has been processed and no errors occurred” test case. [LOGIN]
  • Improvement: Generated passwords are checked to ensure that the generated password has characters from all four possible categories (lower and upper case, numbers and symbols). [LOGIN]
  • Improvement: When deleting a WPO365 configuration, several caches e.g. for access tokens and certificates, are cleaned as well. [LOGIN]
  • Improvement: WPO365 will now update BuddyPress profile fields (provided that this option is enabled) whenever Azure AD Provisioning (SCIM) sends new / updated user attributes. [SCIM, INTRANET]
  • Fix: Audiences now work correctly if a user is a member of one Audience but not of all when more than one Audience has been added to a page. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: User synchronization of users with an apostrophe in their username now no longer generates an error when being logged into the database table. [SYNC, INTRANET]
  • Fix: Auth.-Only scenarios are now compatible with the Audiences feature to make a page private (restricting access exclusively to users who are authenticated). [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: WPO365 will not send the user into an infinite loop anymore, if the administrator has enabled “strict mode” for the Redirect URI plus checked the option to use wp-config.php for AAD secrets. [ALL PREMIUM]
  • Fix: WPO365 now checks for an existing log entry before it would create a duplicate log entry during user synchronization and will update the existing log record instead. [SYNC, INTRANET]

v26.0

  • Feature: Embed an Outlook / Exchange Calendar in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Feature: Embed a SharePoint Online List in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Fix: The plugin attempted to process any POST request with parameter “error”, mistakenly assuming that it would be an authentication-error sent by Microsoft. [LOGIN, MICROSOFT GRAPH MAILER]
  • Version bumped. [ALL]

v25.4

  • Improvement: WPO365 can now also auto-assign WordPress roles to users based on claims found in the SAML 2.0 response. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: The plugin will always choose the form_post OIDC Response mode if the administrator has configured the Hybrid User Flow for OpenID Connect. [LOGIN]

v25.3

  • Fix: Updated parts of the PHP Security Library v3 to improve compatibility with older PHP versions. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: Reverted default OIDC response mode back to form_post, to support the Hybrid Flow. Administrators can instead manually select “query”. [LOGIN]

v25.2

  • Fix: Fixed “Fatal error: Cannot use ::class with dynamic class name” for 2 files in PHP Security Library v3. [LOGIN, MICROSOFT GRAPH MAILER]

v25.1

  • Improvement: The default response mode – for new installations – when requesting an (OIDC) authorization code has been updated to “query”. This will help preserve the code, especially if the administrator has configured a 3rd party multi-factor authentication provider such as Duo. Existing installations are not affected, however, and the response mode remains “form_post”. See the updated documentation for details. [LOGIN]
  • Improvement: Admins configuring the Microsoft Graph Mailer portion of WPO365 can now select an option to skip all checks. Checking this option instructs the Microsoft Graph Mailer to skip the check whether the default “from” email address is registered for the corresponding account and whether the “from” email address specified by a plugin has a different email domain compared to the default “from” email address used to submit an email message to Microsoft Graph. [LOGIN, MAIL, SYNC, INTRANET]
  • Fix: When enrolling users onto LearnDash courses, WPO365 now first checks if the user is already enrolled. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: When clicking the clear-button in the search box – for the embedded SharePoint Online Search experience for WordPress – the search results will be cleared. [LOGIN, M365 APPS, INTRANET]
  • Fix: The option to replace the default WordPress “register” link with a link that redirects to the Azure AD B2C sign-up experience is now always available (but remains a premium option). [LOGIN+, CUSTOMERS, SYNC, INTRANET]
  • Fix: WPO365 User synchronization no longer produces warnings if a user is not an Azure AD user (based on a domain-check that has become optional since v21.0). [SYNC, INTRANET]
  • Fix: The plugin self-test now detects the recently introduced new INTRANET | 5Y and SYNC | 5Y plugins and will test all possible premium scenarios. [INTRANET | 5Y, SYNC | 5Y]
  • Fix: The PHP Secure Communications library has been updated and the plugin now uses version 3.0 (to verify an ID token’s signature). [LOGIN, MICROSOFT GRAPH MAILER]
  • Version bumped. [ALL]

v25.0

  • Breaking Change: Sending WordPress email using Microsoft Graph now always will use the Azure AD configuration from the plugin’s Mail configuration page. [LOGIN]
  • Feature: SAML 2.0 based single sign-on can now be configured by generating / exporting Service Provider metadata that can be imported in Azure Active Directory whilst importing the Identity Provider metadata from Azure Active Directory in WPO365. See the updated documentation for details. [LOGIN]
  • Improvement: Administrators that have enabled support for multi-tenancy, can now allow-list tenants, effectively restricting access to users of tenants that are not allow-listed. See the updated documentation for details. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
  • Improvement: SAML 2.0 will now always – by default – set the requestedAuthnContext to false and it’s no longer necessary to define a global variable in the WordPress site’s wp-config.php. Administrators who did add this variable can now safely remove it. On the other hand, administrators can still explicitly request that the authentication context is checked by enabling the corresponding option on the plugin’s Single Sign-on configuration page. [LOGIN]
  • Improvement: Administrators can now configure “strict” mode for OpenID Connect. Doing so will force WPO365 to only “listen” for users returning from Microsoft at the configured Redirect URI. See the online documentation for details. [LOGIN]
  • Tested up to 6.4. [ALL]
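The “strict mode” Redirect URI check described in the v25.0 and v27.1 notes above, as an added illustration (example code, not WPO365’s own implementation; function and variable names are hypothetical and the sample URLs are constructed). It assumes absolute URLs and treats a Redirect URI that is not on the site’s own origin, at or below the home path, as a misconfiguration that is never processed:

```php
<?php
// Added example, not WPO365's own code. Names are hypothetical.

/**
 * Normalise the parts of a URL that are compared: lower-case scheme and host,
 * path without a trailing slash ("/" when empty). Returns null if the URL
 * cannot be parsed or has no host (relative URLs are rejected on purpose).
 */
function normalise_url_parts(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $path = rtrim($parts['path'] ?? '/', '/');
    return [
        'scheme' => strtolower($parts['scheme'] ?? ''),
        'host'   => strtolower($parts['host']),
        'path'   => $path === '' ? '/' : $path,
    ];
}

/**
 * Decide whether a request carrying an OAuth / OIDC payload should be processed.
 *
 * Strict mode: only when the request lands on the exact path of the configured
 * Redirect URI. In both modes the Redirect URI itself must be on the site's own
 * origin and at or below the home path (e.g. https://intranet.example.com/oidc-auth/).
 */
function should_process_oauth_response(string $home_url, string $redirect_uri, string $request_url, bool $strict): bool
{
    $home     = normalise_url_parts($home_url);
    $redirect = normalise_url_parts($redirect_uri);
    $request  = normalise_url_parts($request_url);
    if ($home === null || $redirect === null || $request === null) {
        return false; // unparsable input: never process
    }

    // A Redirect URI that points anywhere but below the site's home address is a misconfiguration.
    $same_origin = $redirect['scheme'] === $home['scheme'] && $redirect['host'] === $home['host'];
    $below_home  = $home['path'] === '/' || strpos($redirect['path'] . '/', $home['path'] . '/') === 0;
    if (!$same_origin || !$below_home) {
        return false;
    }

    if (!$strict) {
        return true; // legacy behaviour: the payload is processed wherever it is detected
    }

    // Strict: the request must hit the configured Redirect URI path on the site's own host.
    return $request['host'] === $redirect['host'] && $request['path'] === $redirect['path'];
}

// Constructed sample configuration (example values only).
$home     = 'https://intranet.example.com/';
$redirect = 'https://intranet.example.com/oidc-auth/';

// Strict mode, request at the configured Redirect URI path: processed.
var_dump(should_process_oauth_response($home, $redirect, 'https://intranet.example.com/oidc-auth/?code=abc', true));
// Strict mode, same payload arriving on an arbitrary page: ignored.
var_dump(should_process_oauth_response($home, $redirect, 'https://intranet.example.com/some-page/?code=abc', true));
// Legacy (non-strict) mode, same arbitrary page: processed.
var_dump(should_process_oauth_response($home, $redirect, 'https://intranet.example.com/some-page/?code=abc', false));
// Redirect URI configured on a foreign host: rejected regardless of mode.
var_dump(should_process_oauth_response($home, 'https://other.example.net/oidc-auth/', 'https://intranet.example.com/oidc-auth/', true));
```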

v24.3

  • Feature: WPO365 can now send a daily notification to the administration email address if one of the application / client secrets is about to expire in the next 30 days. Consult this article for details. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The field to enter the Azure AD B2C / Entra External ID default policy is now unlocked for the free WPO365 | LOGIN version. [LOGIN]

v24.2

  • Fix: WPO365’s SCIM server to support Azure AD User provisioning has been tested against Microsoft’s Entra ID SCIM Validator (https://scimvalidator.microsoft.com/) and the resulting issues have been (mostly) resolved. [SCIM, INTRANET]
  • Fix: The field to enter the Azure AD B2C / Entra External ID domain name is now unlocked for the free WPO365 | LOGIN version. [LOGIN]
  • Fix: The field “officeLocation” has been made available for use in (customized) Employee Directory templates. [M365 APPS, INTRANET]

v24.1

  • Fix: User sync query tester now handles single quotes correctly, after the deprecated use of JavaScript’s (un)escape method had been replaced previously. [SYNC, INTRANET, CUSTOMERS]
  • Fix: The plugin’s updater will now display a notification when a newer version is available. [ALL]
  • Fix: Link to the updated documentation for the Mail Staging Mode in the release notes for v24 has now been fixed. [LOGIN]

v24.0

  • Breaking change: Testing the User synchronization query no longer requires the WPO365 REST API for Microsoft Graph to be enabled. Administrators, however, must update both WPO365 | LOGIN and the premium extension / bundle or else they cannot test the query. If the user sync query remains unchanged, it is no longer needed to test the query again. [SYNC, INTRANET, CUSTOMERS]
  • Deprecated: Administrators cannot add new Private pages to the corresponding list on the plugin’s Authentication configuration page anymore. Instead they must enable and configure the Audiences feature, which provides a more robust option to mark pages or post types as private, i.e. to require a user to log in first. See the online documentation for details. [LOGIN+, ROLES + ACCESS, SYNC, INTRANET]
  • Deprecated: The ability to exclude post types from the Audiences feature has been removed. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature: Support for LearnDash integration, for example to auto-enroll users into courses or allocate users to LD User Groups based on a user’s Azure AD group membership(s) or just whenever WPO365 creates a new WordPress user. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature: WPO365 now supports Entra External ID (Azure AD for Customers) and this support has been streamlined with the already built-in support for Azure AD B2C. [LOGIN+, SYNC, INTRANET, CUSTOMERS] Check out our online documentation
  • Feature: (Auto-) Register new WordPress users in Azure AD B2C / Entra External ID (Azure AD for Customers) and update existing ones (including support for custom user attributes / claims). See the online documentation for details. [SYNC, INTRANET, CUSTOMERS]
  • Feature: Synchronize users from WordPress to Azure AD B2C / Entra External ID (Azure AD for Customers) (including support for custom user attributes). See the online documentation for details. [SYNC, INTRANET, CUSTOMERS]
  • Feature: (Auto-) Retry sending failed emails using Microsoft Graph. See the online documentation for details. [MAIL]
  • Feature: Throttle the number of emails sent per minute using Microsoft Graph. See the online documentation for details. [MAIL]
  • Feature: Audiences can now be configured to restrict viewing posts of a specific type to members of an audience. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature: Audiences now allows administrators to require users to log in to view posts of a specific type and where a visitor will be redirected to e.g. the 404 Not Found page, the site’s login page or Microsoft’s login page. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement: Most of the features that WPO365 | CUSTOM USER FIELDS unlocks are now also unlocked by WPO365 | ROLES + ACCESS to allow for Azure-AD-user-attribute based rules. [ROLES + ACCESS, CUSTOM USER FIELDS]
  • Improvement: Optional claims and attributes added to a JWT OIDC ID token can now also be mapped to WordPress custom user fields. See the online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement: Administrators can now select a (custom) claim from the ID token or the SAML response that WPO365 should be using to create a new WordPress user’s username. See the updated documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement: Developers can now skip the removal of specific roles when WPO365 is configured to “Replace” user roles by utilizing the new “wpo365/roles/remove” filter. See the updated documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement: Developers can now add a filter for the Azure AD Redirect URI e.g. to set it dynamically to the current host. See the updated documentation for details. [LOGIN]
  • Improvement: The WPO365 | MAIL premium addon now also unlocks the option to use WP-Config.php to override (some) config options. Now administrators can – for example on their staging environment – enable mail-staging mode, simply by adding a global constant to the WP-Config.php file. See the updated documentation. [MAIL]
  • Improvement: Developers can now skip the URL check that WPO365 conducts just before it redirects a user to its final destination by hooking into a new filter wpo365/url_check/skip. See the updated documentation for details. [LOGIN]
  • Improvement: Administrators can now configure WPO365 user synchronization to only send mail notifications when a job did not complete successfully. [SYNC, INTRANET]
  • Improvement: Administrators now can bulk-reactivate users that have been deactivated previously by WPO365. [SYNC, INTRANET, CUSTOMERS]
  • Improvement: When a user is reactivated, the role will be set to the default role for the main (or sub) site as per WPO365 configuration. [SYNC, INTRANET, CUSTOMERS]
  • Improvement: Blocking password reset and email change has been made available for Azure AD B2C / Entra External ID (Azure AD for Customers). [LOGIN+, SYNC, INTRANET]
  • Fix: WPO365 will now match custom WordPress roles in a case-insensitive manner. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: WPO365 will now retrieve a user’s Azure AD group memberships from Microsoft Graph if the administrator checked the option to include Microsoft 365 group memberships, even if the ID token already carries information on group memberships. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: When you schedule a WPO365 User synchronization job for a specific hour of the day, it will now translate the time from UTC to the admin’s timezone and not wrongly add the current minutes of the hour passed. [SYNC, INTRANET, CUSTOMERS]
  • Fix: WPO365 now caches the access token with an audience property (= the requesting application (client) ID) to prevent access tokens for mail and for other Microsoft 365 services getting mixed up / from being overwritten. [LOGIN]
  • Fix: Tested with PHP 8.2. [ALL]

v23.1

  • Fix: The plugin update checker did not always return the expected result. [LOGIN, MS GRAPH MAILER]

v23.0

  • Change: The WPO365 | M365 APPS extension now includes the Gutenberg Editor Block to embed a SharePoint Document Library in WordPress (was previously sold as a separate extension called WPO365 | DOCUMENTS). [M365 APPS, DOCUMENTS]
  • Improvement: An administrator of a website that receives OpenID Connect based ID tokens from multiple sources, can now configure the plugin to ignore ID tokens not issued by a Microsoft Azure AD based Identity Provider. [LOGIN+, SYNC, INTRANET]
  • Improvement: A new (translatable) error message – for the case where the ID token is intended for a different audience – has been added. [LOGIN]
  • Improvement: The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – can now be configured to show / hide an “Open in SharePoint” link in the app’s header. [M365 APPS, DOCUMENTS, INTRANET]
  • Improvement: The WPO365 authentication cookie (set when you configure an “auth.-only” authentication scenario) can be prefixed to help work-around server-side caching services / plugins that support naming convention based cache busting. [LOGIN]
  • Improvement: 3 new developer actions for wpo365/oidc/authenticating, wpo365/saml/authenticating and wpo365/user/creating have been added. See the updated documentation for details. [LOGIN]
  • Fix: If certain conditions were met, the plugin would delete “Audience” related metadata unwantedly. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: A SAMLResponse sent to the website will only be processed if the administrator configured SAML 2.0 based SSO for WordPress. [LOGIN]
  • Fix: Various modifications to Microsoft Graph Mailer configurator should make it easier and more intuitive to configure it. [LOGIN, MS GRAPH MAILER]
  • Fix: Exceptions logged by the Microsoft Graph Mailer are earmarked when logged in ApplicationInsights with a new custom property “wpoMail”. Administrators can now configure a query-based alert in ApplicationInsights and trigger a new alert specifically for mail-related errors if “wpoMail” equals “error”. [LOGIN, MS GRAPH MAILER]
  • Fix: The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – will now correctly load items in a folder. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix: The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – now accepts a pagesize parameter to improve the performance when loading large libraries. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix: The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – now loads all possible “locales” so it can display date columns e.g. “Modified” correctly. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix: The Log Viewer – to view and optionally resend emails sent using the Microsoft Graph Mailer – now calculates the last inserted logged item ID using MAX() instead of looking up the AUTO INCREMENT value, which may not be up-to-date. [MAIL]
  • Fix: In an attempt to prevent the error “cURL error 28: Operation timed out after 15001 milliseconds with 0 bytes received” when integrating with Microsoft Graph, the use of the Expect: header has been disabled by default. [LOGIN, MS GRAPH MAILER]
  • Fix: If support for multi-tenancy has been enabled and a user with a personal Microsoft account (e.g. outlook.com) signs in successfully, the plugin will no longer attempt to connect to Microsoft Graph to retrieve additional user attributes. [LOGIN+, CUST. USER FIELDS, SYNC, INTRANET]
  • Fix: The license checker (for premium extensions / bundles) has been updated to work around an issue whereby the license would be invalidated if the website’s home URL incidentally returned the site’s IP address instead of its host name. This may happen occasionally if you defined the constant WP_HOME using the $_SERVER['HTTP_HOST'] variable in your wp-config.php file and the site was requested by its IP address instead. [LOGIN]
  • Version bump for all extensions and bundles
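The wp-config.php pattern that the license-checker fix above works around, shown next to a pinned definition. This is an added example and not part of the plugin's documentation; the host name is a placeholder.

```php
<?php
// Added example, not from the WPO365 plugin or its documentation.
// Host names below are placeholders.

// Fragile: WP_HOME follows whatever Host header (or IP address) the request
// arrived with, so a request that reaches the site by IP yields a home URL that
// does not match the licensed host name. $_SERVER['HTTP_HOST'] is also unset
// under wp-cli and WP Cron, which makes this a notice or a broken URL there.
//
// define( 'WP_HOME',    'https://' . $_SERVER['HTTP_HOST'] );
// define( 'WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] );

// Pinned: the canonical host name is fixed in configuration and does not
// depend on the incoming request at all.
define( 'WP_HOME',    'https://intranet.example.com' );
define( 'WP_SITEURL', 'https://intranet.example.com' );
```

Pinning the URL also removes the dependency on the request's Host header, which the v21.7 entry below describes as a source of critical errors when the key is not initialized.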

v22.1

  • Fix: The built-in Microsoft Graph Mailer for WordPress will now exclude any custom headers that do not start with x- or X-, to prevent Microsoft Graph from not sending the message and reporting the following error instead: “The internet message header name […] should start with ‘x-‘ or ‘X-‘.”. [LOGIN, MICROSOFT GRAPH MAILER]
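One way to apply the header rule described above when translating PHPMailer custom headers into a Microsoft Graph message. This is an added example, not the plugin's own code; the function name and the input shape (a list of [name, value] pairs, as PHPMailer::getCustomHeaders() returns) are assumptions.

```php
<?php
// Added example, not code from the WPO365 plugin.
// Function name is an assumption for this example.

/**
 * Build the internetMessageHeaders array for a Microsoft Graph sendMail request,
 * keeping only custom headers whose name starts with x- or X-.
 *
 * @param array $custom_headers List of [name, value] pairs (PHPMailer style).
 * @return array Entries of the form ['name' => ..., 'value' => ...].
 */
function example_graph_internet_message_headers( array $custom_headers ): array {
	$result = array();

	foreach ( $custom_headers as $header ) {
		$name  = trim( (string) ( $header[0] ?? '' ) );
		$value = (string) ( $header[1] ?? '' );

		// Graph rejects the whole message if any header here is not an x- header.
		// Standard headers such as Reply-To belong to message properties instead,
		// so they are dropped from this list rather than passed through.
		if ( stripos( $name, 'x-' ) !== 0 ) {
			continue;
		}

		// Defensive: a CR/LF inside a value would otherwise become an extra header line.
		$value = str_replace( array( "\r", "\n" ), ' ', $value );

		$result[] = array( 'name' => $name, 'value' => $value );
	}

	return $result;
}

// Constructed sample input.
$headers = array(
	array( 'X-Mailer', 'WordPress' ),
	array( 'Reply-To', 'helpdesk@example.com' ),     // not an x- header: dropped
	array( 'x-campaign', 'spring-newsletter' ),
	array( 'X-Priority', "1\r\nX-Injected: value" ), // line break removed
);

print_r( example_graph_internet_message_headers( $headers ) );
```

The resulting array can be assigned to the message's internetMessageHeaders property before JSON-encoding the sendMail request body.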

v22.0

  • Improvement: Administrators can now define configuration overrides in the wp-config.php file. Support for configuration overrides must be enabled separately by checking the corresponding option on the plugin’s Miscellaneous page. See online documentation. [LOGIN+, SYNC, INTRANET]
  • Improvement: The plugin will no longer skip loading when detecting wp-cli but instead skip any attempt to authenticate the current request. Support for wp-cli must be enabled separately by checking the corresponding option on the plugin’s Miscellaneous page. See online documentation. [LOGIN+, SYNC, INTRANET]
  • Improvement: Administrators can now define a list of usernames of administrators that are allowed to administer the WPO365 settings in the WP-Config.php file. See online documentation. [LOGIN]
  • Improvement: The WPO365 | MICROSOFT GRAPH MAILER plugin can now also log remotely to ApplicationInsights, allowing administrators to configure Azure’s Monitoring / Alerts feature, e.g. to send an SMS whenever an exception is logged. [MICROSOFT GRAPH MAILER]
  • Fix: Updated the permissions requested / scope for Azure AD B2C / OpenID Connect based Single Sign-on, after a previous change added ‘https://graph.microsoft.com/User.Read’ to the scope / permissions being requested (v21.8), which in turn caused an “invalid_request AADB2C90146” response being returned when attempting to authenticate with Microsoft. [LOGIN]
  • Fix: Updated the permissions requested / scope for Azure AD / OpenID Connect based Single Sign-on, after a previous change always added ‘https://graph.microsoft.com/User.Read’ to the scope / permissions being requested (v21.8). Now this permission will only be added if the plugin detects a premium extension (because any premium extension needs this permission when it attempts to retrieve user data from Microsoft Graph). [LOGIN]
  • Fix: The application ID / application ID URI for Azure AD based protection for the WordPress REST API must now also be added to the wp-config.php (but only if the administrator has enabled the option to use wp-config.php for Azure AD secrets). [LOGIN+, SYNC, INTRANET]
  • Fix: The Microsoft Graph Mailer for WordPress no longer “unauthorizes” itself after it fails to retrieve an access token. Instead, WPO365 Health Messages are created and administrators should regularly check for errors. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: Refactored the flow when sending emails from a different account than the one submitting the request to send an email to Microsoft Graph (= the default “From” account) to improve consistency, even when the alternative sending-from account is a Shared Mailbox, a Distribution List or Group or normal User Mailbox. [MICROSOFT GRAPH MAILER, MAIL, SYNC, INTRANET]
  • Fix: User synchronization will now generate an error and stop when it fails to create a new WP Cron task for the next batch of users. [SYNC, INTRANET]
  • Fix: Updated Teams SDK (used for silent SSO when integrating WordPress into Microsoft Teams). [LOGIN]
  • Fix: Updated PowerBI SDK. [LOGIN, INTRANET, M365 APPS]

v21.8

  • Feature: Administrators can now enable Mail Staging Mode. This is useful for debugging and staging environments. WordPress emails will be logged and saved in the database instead of being sent. [MAIL]
  • Improvement: The WPO365 plugin will now handle forms (e.g. Contact Form 7) that propose to send emails from a different account than the “default from” mail account, after it handles any other option (e.g. Shared Mailbox or Send as / Send on behalf of). The proposed “alternative from” therefore always prevails. It can also be any type of mailbox, e.g. User Mailbox, Shared Mailbox or Distribution List. But it is up to the administrator to ensure that the “default from” mail account is either a member (e.g. of the Shared Mailbox) or has sufficient permissions to send emails as / on behalf of the alternative account (e.g. the Distribution List). [MAIL]
  • Fix: The initial OpenID Connect authorization request will now always include https://graph.microsoft.com/User.Read. [LOGIN]
  • Fix: A public property $ErrorInfo has been added to the PHPMailer object to support integration with Gravity Forms. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The plugin now better understands – in the context of WordPress Multisite installations – whether the configuration must be retrieved / stored at site or at network level. [LOGIN]
  • Fix: Some Azure AD information that the plugin collects during the plugin self-test is no longer assigned to the user executing the self-test. [LOGIN]

v21.7

  • Fix: ID Token validation now also validates audiences that are defined using an Application ID URI instead of the Application ID (e.g. this is the case for Microsoft Teams). [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The plugin no longer relies on the HTTP_HOST key of the global $_SERVER variable, which – if not initialized – may cause a critical error on the website. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The link to launch the Mail Log Viewer would return “false” for Firefox users. [MAIL]

v21.6

  • Improvement: The (premium extension for the) Microsoft Graph Mailer for WordPress now also supports sending mail as / on behalf of another user or distribution list. [MAIL]
  • Improvement: The user interface for the Mail Log Viewer has been significantly updated with improved scrolling and selection and overall a clearer arrangement of the available information. [MAIL]
  • Improvement: The Microsoft Graph Mailer for WordPress will notify the administrator in the form of a WPO365 Health Message when another plugin with mail-sending capabilities is detected. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: An alternative system for WordPress Nonces has been introduced to work around the fact that some browsers refuse to send the WordPress auth cookie along with HTTP 302 redirect requests, causing default WordPress nonce verification to fail unexpectedly, in which case the plugin would then log the warning “Could not successfully validate oidc nonce with value xyz”. [LOGIN, MICROSOFT GRAPH MAILER]

v21.5

  • Fix: The recently added ID token verification did not take the mail-authorization flow into account. [LOGIN]
  • Improvement: Administrators can now re-configure the WPO365 | LOGIN plugin to skip the ID token verification altogether, on the plugin’s Miscellaneous configuration page (but this is not recommended for production environments). [LOGIN]

v21.4

  • Fix: The built-in update checker for premium extensions might incorrectly indicate that an update for some extensions would be available. [LOGIN]

v21.3

  • Fix: The plugin would cause a fatal crash when using PHP 7.2 or lower. [ALL]

v21.2

  • Change: The WPO365 | LOGIN plugin will now verify the tenant that issued the ID token and the audience for which the ID token was issued. [LOGIN]
  • Fix: Various issues with the built-in license and update checker for premium extensions and bundles.
  • Fix: The Employee Directory app will now only take the host portion of the SharePoint home URL when dynamically constructing the permissions scope. [M365 APPS, INTRANET]
  • Fix: The User Sync test case will skip the check for custom domains when Azure AD B2C has been selected. [SYNC, INTRANET]
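The tenant and audience verification introduced in v21.2 above, the Application ID URI audience accepted since v21.7, and the v22.2 option to ignore ID tokens from other issuers all come down to checks on a decoded token's claims. The following is an added example of such checks for a single-tenant Azure AD (v2.0 endpoint) configuration; it is not the plugin's own code. Signature verification against the tenant's signing keys is assumed to have been done before this point, and the function name, parameter names and sample identifiers are all assumptions.

```php
<?php
// Added example, not code from the WPO365 plugin. Names are assumptions.
// The token's signature is assumed to have been verified already; this only
// checks the claims that decide whether the token may sign a user in here.

/**
 * Validate the issuer tenant and audience of a decoded ID token.
 *
 * @param array    $claims     Decoded JWT payload (already signature-verified).
 * @param string   $tenant_id  Directory (tenant) ID the site is configured for.
 * @param string[] $audiences  Accepted audiences: the Application (client) ID and,
 *                             where Teams is integrated, the Application ID URI.
 * @return true|string         true when valid, otherwise an error message (in a
 *                             plugin this string would be wrapped in __() for translation).
 */
function example_validate_id_token_claims( array $claims, string $tenant_id, array $audiences ) {
	$now = time();

	if ( empty( $claims['exp'] ) || (int) $claims['exp'] <= $now ) {
		return 'The ID token has expired.';
	}
	if ( isset( $claims['nbf'] ) && (int) $claims['nbf'] > $now + 300 ) { // allow 5 min clock skew
		return 'The ID token is not yet valid.';
	}

	// Tenant: tid must match and the v2.0 issuer URL must embed the same tenant, so a
	// token minted by another directory (or a non-Microsoft IdP) is rejected outright.
	$expected_issuer = 'https://login.microsoftonline.com/' . $tenant_id . '/v2.0';
	if ( empty( $claims['tid'] ) || ! hash_equals( $tenant_id, (string) $claims['tid'] ) ) {
		return 'The ID token was not issued by the configured tenant.';
	}
	if ( empty( $claims['iss'] ) || ! hash_equals( $expected_issuer, (string) $claims['iss'] ) ) {
		return 'The ID token issuer does not match the configured tenant.';
	}

	// Audience: aud may be a string or an array. Accept the client ID or the
	// Application ID URI (api://<host>/<client-id>), which Teams tokens carry.
	foreach ( (array) ( $claims['aud'] ?? array() ) as $aud ) {
		foreach ( $audiences as $allowed ) {
			if ( hash_equals( $allowed, (string) $aud ) ) {
				return true;
			}
		}
	}
	return 'The ID token was issued for a different audience.';
}

// Constructed sample values (placeholders, not real identifiers).
$tenant   = '11111111-2222-3333-4444-555555555555';
$client   = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';
$accepted = array( $client, 'api://intranet.example.com/' . $client );

$good_claims = array(
	'iss' => 'https://login.microsoftonline.com/' . $tenant . '/v2.0',
	'tid' => $tenant,
	'aud' => 'api://intranet.example.com/' . $client, // Teams-style audience
	'exp' => time() + 600,
	'sub' => 'subject-placeholder',
);
$other_tenant = array_merge( $good_claims, array( 'tid' => '99999999-0000-0000-0000-000000000000' ) );
$other_app    = array_merge( $good_claims, array( 'aud' => 'some-other-client-id' ) );

var_dump( example_validate_id_token_claims( $good_claims, $tenant, $accepted ) );
var_dump( example_validate_id_token_claims( $other_tenant, $tenant, $accepted ) );
var_dump( example_validate_id_token_claims( $other_app, $tenant, $accepted ) );
```

For a multi-tenant configuration (v22.2 above) the tid comparison would be replaced by a check against an allow-list of tenants, and Azure AD B2C uses a different issuer format; both are outside this example.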

v21.1

  • Fix: License check for premium extensions and bundles would show “unknown error occurred” for valid licenses.
  • Fix: Update check for premium extensions and bundles now better aligned with the recently updated license management service.

v21.0

  • Improvement: Various aspects of user synchronization have been improved / refactored in an attempt to make it easier to configure, track and start / stop jobs. [SYNC, INTRANET]
  • Improvement: The WPO365 plugin will now – by default – …