Change Log | Archive


24th October 2023 / v24.3

  • Feature WPO365 can now send a daily notification to the administration email address if one of the application / client secrets is about to expire in the next 30 days. Consult this article for details. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix The field to enter the Azure AD B2C / Entra External ID default policy is now unlocked for the free WPO365 | LOGIN version. [LOGIN]

Update 31st October 2023 / v24.3

  • Fix An encoding issue prevented the premium versions of the SharePoint Library shortcode app from handling folder names with spaces correctly. [M365 APPS, INTRANET]

8th October 2023 / v24.2

  • Fix WPO365’s SCIM server to support Azure AD User provisioning has been tested against Microsoft’s Entra ID SCIM Validator and the resulting issues have been (mostly) resolved. [SCIM, INTRANET]
  • Fix The field to enter the Azure AD B2C / Entra External ID domain name is now unlocked for the free WPO365 | LOGIN version. [LOGIN]
  • Fix The field officeLocation has been made available for use in (customized) Employee Directory templates. [M365 APPS, INTRANET]

25th September 2023 / v24.1

  • Fix User sync query tester now handles single quotes correctly, after the deprecated use of JavaScript’s (un)escape method had been replaced previously. [SYNC, INTRANET, CUSTOMERS]
  • Fix The plugin’s updater will now display a notification when a newer version is available. [ALL]
  • Fix Link to the updated documentation for the Mail Staging Mode in the release notes for v24 has now been fixed. [LOGIN]

15th September 2023 / v24.0

  • Breaking change Testing the User synchronization query no longer requires the WPO365 REST API for Microsoft Graph to be enabled. Administrators, however, must update both WPO365 | LOGIN and the premium extension / bundle or else they cannot test the query. If the user sync query remains unchanged, it is no longer needed to test the query again. [SYNC, INTRANET, CUSTOMERS]
  • Deprecated Administrators can no longer add new Private pages to the corresponding list on the plugin’s Authentication configuration page. Instead they must enable and configure the Audiences feature, which provides a more robust option to mark pages or post types as private i.e. to require a user to log in first. See the online documentation for details. [LOGIN+, ROLES + ACCESS, SYNC, INTRANET]
  • Deprecated The ability to exclude post types from the Audiences feature has been removed. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature Support for LearnDash integration, for example to auto-enroll users into courses or allocate users to LD User Groups based on a user’s Azure AD group membership(s) or just whenever WPO365 creates a new WordPress user. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature WPO365 now supports Entra External ID (Azure AD for Customers) and this support has been streamlined with the already built-in support for Azure AD B2C. See the online documentation for details. [LOGIN+, SYNC, INTRANET, CUSTOMERS]
  • Feature (Auto-) Register new WordPress users in Azure AD B2C / Entra External ID (Azure AD for Customers) and update existing ones (including support for custom user attributes / claims). See the online documentation for details. [SYNC, INTRANET, CUSTOMERS]
  • Feature Synchronize users from WordPress to Azure AD B2C / Entra External ID (Azure AD for Customers) (including support for custom user attributes). See the online documentation for details. [SYNC, INTRANET, CUSTOMERS]
  • Feature (Auto-) Retry sending failed emails using Microsoft Graph. See the online documentation for details. [MAIL]
  • Feature Throttle the number of emails sent per minute using Microsoft Graph. See the online documentation for details. [MAIL]
  • Feature Audiences can now be configured to restrict viewing posts of a specific type to members of an audience. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature Audiences now allows administrators to require users to log in to view posts of a specific type and to choose where a visitor will be redirected to e.g. the 404 Not Found page, the site’s login page or Microsoft’s login page. See the online documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement Most of the features that WPO365 | CUSTOM USER FIELDS unlocks are now also unlocked by WPO365 | ROLES + ACCESS to allow for Azure-AD-user-attribute based rules. [ROLES + ACCESS, CUSTOM USER FIELDS]
  • Improvement Optional claims and attributes added to a JWT OIDC ID token can now also be mapped to WordPress custom user fields. See the online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement Administrators can now select a (custom) claim from the ID token or the SAML response that WPO365 should be using to create a new WordPress user’s username. See the updated documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement Developers can now skip the removal of specific roles when WPO365 is configured to “Replace” user roles by utilizing the new “wpo365/roles/remove” filter. See the updated documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement Developers can now add a filter for the Azure AD Redirect URI e.g. to set it dynamically to the current host. See the updated documentation for details. [LOGIN]
  • Improvement The WPO365 | MAIL premium addon now also unlocks the option to use WP-Config.php to override (some) config options. Now administrators can – for example on their staging environment – enable mail-staging mode, simply by adding a global constant to the WP-Config.php file. See the updated documentation. [MAIL]
  • Improvement Developers can now skip the URL check that WPO365 conducts just before it redirects a user to its final destination by hooking into a new filter wpo365/url_check/skip. See the updated documentation for details. [LOGIN]
  • Improvement Administrators can now configure WPO365 user synchronization to only send mail notifications when a job did not complete successfully. [SYNC, INTRANET]
  • Improvement Administrators now can bulk-reactivate users that have been deactivated previously by WPO365. [SYNC, INTRANET, CUSTOMERS]
  • Improvement When a user is reactivated, the role will be set to the default role for the main (or sub) site as per WPO365 configuration. [SYNC, INTRANET, CUSTOMERS]
  • Improvement Blocking password reset and email change has been made available for Azure AD B2C / Entra External ID (Azure AD for Customers). [LOGIN+, SYNC, INTRANET]
  • Fix WPO365 will now match custom WordPress roles in a case-insensitive manner. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix WPO365 will now retrieve a user’s Azure AD group memberships from Microsoft Graph if the administrator checked the option to include Microsoft 365 group memberships, even if the ID token already carries information on group memberships. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix When you schedule a WPO365 User synchronization job for a specific hour of the day, it will now translate the time from UTC to the admin’s timezone and not wrongly add the current minutes of the hour passed. [SYNC, INTRANET, CUSTOMERS]
  • Fix WPO365 now caches the access token with an audience property (= the requesting application (client) ID) to prevent access tokens for mail and for other Microsoft 365 services getting mixed up / from being overwritten. [LOGIN]
  • Fix Tested with PHP 8.2. [ALL]

9th June 2023 / v23.1

  • Fix The plugin update checker did not always return the expected result. [LOGIN, MS GRAPH MAILER]

6th June 2023 / v23.0

  • Change The WPO365 | M365 APPS extension now includes the Gutenberg Editor Block to embed a SharePoint Document Library in WordPress (was previously sold as a separate extension called WPO365 | DOCUMENTS). [M365 APPS, DOCUMENTS]
  • Improvement An administrator of a website that receives OpenID Connect based ID tokens from multiple sources can now configure the plugin to ignore ID tokens not issued by a Microsoft Azure AD based Identity Provider. [LOGIN+, SYNC, INTRANET]
  • Improvement A new (translatable) error message – for the case where the ID token is intended for a different audience – has been added. [LOGIN]
  • Improvement The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – can now be configured to show / hide an “Open in SharePoint” link in the app’s header. [M365 APPS, DOCUMENTS, INTRANET]
  • Improvement The WPO365 authentication cookie (set when you configure an “auth.-only” authentication scenario) can be prefixed to help work-around server-side caching services / plugins that support naming convention based cache busting. [LOGIN]
  • Improvement 3 new developer actions have been added. See the updated documentation for details. [LOGIN]
  • Improvement Exceptions logged by the Microsoft Graph Mailer are earmarked when logged in ApplicationInsights with a new custom property “wpoMail”. Administrators can now configure a query-based alert in ApplicationInsights and trigger a new alert specifically for mail-related errors if “wpoMail” equals “error”. [LOGIN, MS GRAPH MAILER]
  • Fix If certain conditions were met, the plugin would delete Audience related metadata unwantedly. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix A SAMLResponse sent to the website will only be processed if the administrator configured SAML 2.0 based SSO for WordPress. [LOGIN]
  • Fix Various modifications to Microsoft Graph Mailer configurator should make it easier and more intuitive to configure it. [LOGIN, MS GRAPH MAILER]
  • Fix The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – will now correctly load items in a folder. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – now accepts a pagesize parameter to improve the performance when loading large libraries. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix The Documents (shortcode and Gutenberg based) app – to embed a SharePoint library in WordPress – now loads all possible “locales” so it can display date columns e.g. “Modified” correctly. [M365 APPS, DOCUMENTS, INTRANET]
  • Fix The Log Viewer – to view and optionally resend emails sent using the Microsoft Graph Mailer – now calculates the last inserted logged item ID using MAX() instead of looking up the AUTO INCREMENT value, which may not be up-to-date. [MAIL]
  • Fix In an attempt to prevent the error “cURL error 28: Operation timed out after 15001 milliseconds with 0 bytes received” when integrating with Microsoft Graph, the use of the Expect: header has been disabled by default. [LOGIN, MS GRAPH MAILER]
  • Fix If support for multi-tenancy has been enabled and a user with a personal Microsoft account (e.g. outlook.com) signs in successfully, the plugin will no longer attempt to connect to Microsoft Graph to retrieve additional user attributes. [LOGIN+, CUST. USER FIELDS, SYNC, INTRANET]
  • Fix The license checker (for premium extensions / bundles) has been updated to work around an issue whereby the license would be invalidated if the website’s home URL incidentally returned the site’s IP address instead of its host name. This might happen occasionally if you defined the constant WP_HOME using the $_SERVER['HTTP_HOST'] variable in your wp-config.php file and the site was requested by its IP address instead. [LOGIN]
  • Version bump for all extensions and bundles

3rd April 2023 / v22.1

  • Fix The built-in Microsoft Graph Mailer for WordPress will now exclude any custom headers that do not start with x- or X-, to prevent Microsoft Graph from not sending the message and reporting the following error instead: “The internet message header name […] should start with ‘x-‘ or ‘X-‘.”. [LOGIN, MICROSOFT GRAPH MAILER]

3rd April 2023 / v22.0

  • Improvement Administrators can now define configuration overrides in the WP-Config.php file. Support for configuration overrides must be enabled separately by checking the corresponding option on the plugin’s Miscellaneous page. See online documentation. [LOGIN+, SYNC, INTRANET]
  • Improvement The plugin will no longer skip loading when detecting wp-cli but instead skip any attempt to authenticate the current request. Support for wp-cli must be enabled separately by checking the corresponding option on the plugin’s Miscellaneous page. See online documentation. [LOGIN+, SYNC, INTRANET]
  • Improvement Administrators can now define a list of usernames of administrators that are allowed to administer the WPO365 settings in the WP-Config.php file. See online documentation. [LOGIN]
  • Improvement The WPO365 | MICROSOFT GRAPH MAILER plugin can now also log remotely to ApplicationInsights, allowing administrators to configure Azure’s Monitoring / Alerts feature to send – for example – an SMS whenever an exception is logged. [MICROSOFT GRAPH MAILER]
  • Fix Updated the permissions requested / scope for Azure AD B2C / OpenID Connect based Single Sign-on, after a previous change added ‘https://graph.microsoft.com/User.Read’ to the scope / permissions being requested (v21.8), which in turn caused an “invalid_request AADB2C90146” response being returned when attempting to authenticate with Microsoft. [LOGIN]
  • Fix Updated the permissions requested / scope for Azure AD / OpenID Connect based Single Sign-on, after a previous change always added ‘https://graph.microsoft.com/User.Read’ to the scope / permissions being requested (v21.8). Now this permission will only be added if the plugin detects a premium extension (because any premium extension needs this permission when it attempts to retrieve user data from Microsoft Graph). [LOGIN]
  • Fix The application ID / application ID URI for Azure AD based protection for the WordPress REST API must now also be added to the wp-config.php (but only if the administrator has enabled the option to use wp-config.php for Azure AD secrets). [LOGIN+, SYNC, INTRANET]
  • Fix The Microsoft Graph Mailer for WordPress no longer “unauthorizes” itself after it fails to retrieve an access token. Instead, WPO365 Health Messages are created and administrators should regularly check for errors. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix Refactored the flow when sending emails from a different account than the one submitting the request to send an email to Microsoft Graph (= the default “From” account) to improve consistency, even when the alternative sending-from account is a Shared Mailbox, a Distribution List or normal User Mailbox. [MICROSOFT GRAPH MAILER, MAIL, SYNC, INTRANET]
  • Fix User synchronization will now generate an error and stop when it fails to create a new WP Cron task for the next batch of users. [SYNC, INTRANET]
  • Fix Updated Teams SDK (used for silent SSO when integrating WordPress into Microsoft Teams). [LOGIN]
  • Fix Updated PowerBI SDK. [LOGIN, INTRANET, M365 APPS]

16th March 2023 / v21.8

  • Feature Administrators can now enable Mail Staging Mode. This is useful for debugging and staging environments. WordPress emails will be logged and saved in the database instead of being sent. [MAIL]
  • Improvement The WPO365 plugin will now handle forms (e.g. Contact Form 7) that propose to send emails from a different account than the default from mail account, after it handles any other option (e.g. Shared Mailbox or Send as / Send on behalf of). The proposed alternative from therefore always prevails. It can also be any type of mailbox e.g. User Mailbox, Shared Mailbox or Distribution List. But it’s up to the administrator to ensure that the default from mail account is either a member (e.g. of the Shared Mailbox) or has sufficient permissions to send emails as / on behalf of an alternative account (e.g. the Distribution List). [MAIL]
  • Fix The initial OpenID Connect authorization request will now always include https://graph.microsoft.com/User.Read. [LOGIN]
  • Fix A public property $ErrorInfo has been added to the PHPMailer object to support integration with Gravity Forms. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix The plugin now better understands – in the context of WordPress Multisite installations – whether the configuration must be retrieved / stored at site or at network level. [LOGIN]
  • Fix Some Azure AD information that the plugin collects during the plugin self-test is no longer assigned to the user executing the self-test. [LOGIN]

8th March 2023 / v21.7

  • Fix ID Token validation now also validates audiences that are defined using an Application ID URI instead of the Application ID (e.g. this is the case for Microsoft Teams). [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix The plugin no longer relies on the HTTP_HOST key of the global $_SERVER variable, which – if not initialized – may cause a critical error on the website. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix The link to launch the Mail Log Viewer would return “false” for Firefox users. [MAIL]

2nd March 2023 / v21.6

  • Improvement The (premium extension for the) Microsoft Graph Mailer for WordPress now also supports sending mail as / on behalf of another user or Distribution List. [MAIL]
  • Improvement The user interface for the Mail Log Viewer has been significantly updated with improved scrolling and selection and overall a clearer arrangement of the available information. [MAIL]
  • Improvement The Microsoft Graph Mailer for WordPress will notify the administrator in the form of a WPO365 Health Message when another plugin with mail-sending capabilities is detected. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix An alternative system for WordPress Nonces has been introduced to work around the fact that some browsers refuse to send the WordPress auth cookie along with HTTP 302 redirect requests, causing default WordPress nonce verification to fail unexpectedly, in which case the plugin would then log the warning “Could not successfully validate oidc nonce with value xyz”. [LOGIN, MICROSOFT GRAPH MAILER]

26th January 2023 / v21.5

  • Fix The recently added ID token verification did not take the mail-authorization flow into account. [LOGIN]
  • Improvement Administrators can now re-configure the WPO365 | LOGIN plugin to skip the ID token verification altogether, on the plugin’s Miscellaneous configuration page (but this is not recommended for production environments). [LOGIN]

26th January 2023 / v21.4

  • Fix The built-in update checker for premium extensions might incorrectly indicate that an update for some extensions would be available. [LOGIN]

26th January 2023 / v21.3

  • Fix The plugin would cause a fatal crash when using PHP 7.2 or lower. [LOGIN]

25th January 2023 / v21.2

  • Change The WPO365 | LOGIN plugin will now verify the tenant that issued the ID token and the audience for which the ID token was issued. [ALL]
  • Fix Various issues with the built-in license and update checker for premium extensions and bundles.
  • Fix The Employee Directory app now will only take the host portion of the SharePoint home URL when dynamically constructing the permissions scope. [M365 APPS, INTRANET]
  • Fix The User Sync test case will skip the check for custom domains when Azure AD B2C has been selected. [SYNC, INTRANET]

17th January 2023 / v21.1

  • Fix License check for premium extensions and bundles would show “unknown error occurred” for valid licenses.
  • Fix Update check for premium extensions and bundles is now better aligned with the recently updated license management service.

16th January 2023 / v21.0

  • Improvement Various aspects of user synchronization have been improved / refactored in an attempt to make it easier to configure, track and start / stop jobs. [SYNC, INTRANET]
  • Improvement The WPO365 plugin will now – by default – first try to look up an existing WordPress user by its Azure AD Object ID. This value uniquely identifies a user in Azure AD and is automatically configured when WPO365 creates a new user (or updates an existing one). [ALL]
  • Improvement To support Azure AD B2C user synchronization, newly created user synchronization jobs will now – by default – skip the domain check (whereby the login domain of the username of users retrieved from Microsoft Graph is matched against a list of supported custom domains on the plugin’s User registration configuration page). Existing user synchronization jobs must be updated manually. [SYNC, INTRANET]
  • Improvement If user synchronization has been configured, the default WordPress User list will be enhanced automatically. A column is added to show the date and time a user was last updated. A second column will show a button that allows administrators to reactivate a user in case that user has been de-activated / soft-deleted by WPO365 User synchronization. [SYNC, INTRANET]
  • Improvement Support for Azure AD B2C custom login domains. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement Administrators can now configure custom website buttons targeting a specific Azure AD B2C user flow or custom policy sign-up, sign-in or reset password. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement It is now possible to configure an embedded login experience for Azure AD B2C. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Fix The Source for custom user fields (ID token, Microsoft Graph or SAML response) selector was not always visible on the plugin’s User sync configuration page. [LOGIN+, CUSTOMER USER FIELDS, SYNC, INTRANET]
  • Fix The Allow forms to override “From” address was only enabled for application-level Mail.Send permissions. [MAIL, SYNC, INTRANET]
  • Fix Overriding the “From” address was sometimes ignored. [MAIL, SYNC, INTRANET]
  • Fix Sending from a Shared Mailbox was sometimes ignored. [MAIL, SYNC, INTRANET]
  • Fix Version bump for all WPO365 plugins. [ALL]
  • Fix License for premium extensions are now checked regularly and a notification will be shown if the license is expired. [ALL]
  • Fix The “Authorized!” label on the plugin’s Mail configuration page is now green instead of red to indicate success.

22nd November 2022 / v20.4

  • Fix The mail authorization may falsely indicate that the plugin is not authorized to send emails using Microsoft Graph due to how the plugin compared permissions. [ALL]

14th November 2022 / v20.3

  • Feature Websites that are using the Mail Integration for Office 365/Outlook are now urged to switch to WPO365 | MICROSOFT GRAPH MAILER or configure the builtin Microsoft Graph mail function of the WPO365 | LOGIN plugin. Consult the online migration guide for further details. [ALL]
  • Improvement Administrators can check an option to Use alternative CDN (on the plugin’s Integration page). If checked, the plugin will download the react-js and react-dom.js packages from the CloudFlare CDN (instead of from the default UNPKG CDN). However, administrators can also choose to self-host these dependencies. In this case they can override the CDN configuration using a constant that must be defined in wp-config.php. See the online documentation for details. [ALL]
  • Fix The avatar method updated in v20.0 now also overrides the get_avatar hook to avoid conflicts with other plugins such as Ultimate Member. [AVATAR, SYNC, INTRANET]

28th October 2022 / v20.2

  • Improvement Administrators can now define a constant in wp-config.php to override the default CDN used to download the react.js and react-dom.js packages. This constant must be defined immediately after the line /* That’s all, stop editing! Happy publishing. */ as an array, as follows (URLs may be replaced by administrators as they see fit):
define('WPO_CDN', array('react' => 'https://cdnjs.cloudflare.com/ajax/libs/react/16.14.0/umd/react.production.min.js', 'react_dom' => 'https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.14.0/umd/react-dom.production.min.js'));

21st October 2022 / v20.1

  • Fix The renaming of an option (to allow retrieval of oauth tokens by client side apps) prevented existing configurations from updating this value. [ALL]

18th October 2022 / v20.0

  • Feature The (premium version of the) Microsoft Graph Mailer can now send attachments larger than 3 MB. [MAIL, SYNC, INTRANET]
  • Feature The (premium version of the) Microsoft Graph Mailer can now send emails from a Microsoft 365 Shared Mailbox. [MAIL, SYNC, INTRANET]
  • Improvement The LOGIN+ extension now also allows administrators to save multiple configurations (on the plugin’s Import / Export configuration page). [LOGIN+]
  • Improvement Administrators can now define the name of the WordPress user meta for user attributes synchronized from Azure AD to WordPress. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement The Avatar method now replaces the URL of the profile image instead (by filtering the pre_get_avatar_data function instead of the get_avatar function). [AVATAR, SYNC, INTRANET]
  • Improvement Now supports receiving custom claims in a SAML response and save them as WordPress user meta. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement Administrators can now choose to skip updating a WordPress user’s displayname. [LOGIN+, USER FIELDS, SYNC, INTRANET]
  • Improvement Some parts of the source code have been updated to improve compatibility with PHP 8.1. [ALL]
  • Fix The Audiences feature now also prevents access to posts and pages using a direct-edit link. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix Sign out of Microsoft now also works as expected for Azure AD B2C. [LOGIN+, SYNC, INTRANET]
  • Fix Custom formatting of a WordPress user’s displayname now works as expected for SAML 2.0 based Single Sign-on. [LOGIN+, CUSTOM USER FIELDS SYNC, INTRANET]
  • Fix The shortcode properties of a Microsoft 365 App are now HTML-decoded to handle the case where WordPress updates shortcode properties when an author edits a page. [ALL]
  • Fix The div that encapsulates a Microsoft 365 App can now be referenced by its unique classname “wpo365-app-root”. [ALL]
  • Fix Some WPO365 options have been removed / renamed to avoid triggering ModSecurity OWASP CRS, which caused 418 “I am not a teapot” HTTP errors, for example when hosting a site at DreamHost. [ALL]
  • Fix The plugin now correctly tries again to get a user’s (Azure AD) group memberships with Group.Read.All permissions when the administrator has not (yet) granted permissions to do so using GroupMember.Read.All permissions. [ROLES + ACCESS, SYNC, INTRANET]

14th September 2022 / v19.4

  • Fix Mail authorization for delegated access would fail with the error “Could not retrieve a tenant and application specific JSON Web Key Set and thus the JWT token cannot be verified successfully”. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix Embedded PowerBI reports will now try to refresh the acquired access token when the browser tab is left open. [LOGIN, INTRANET, M365 APPS]
  • Fix Encoding of parameters for embedded SharePoint Online apps (Search and Documents) has been improved. [LOGIN, INTRANET, M365 APPS]
  • Fix The Audiences custom meta box has been updated and produces valid HTML. [ROLES + ACCESS, SYNC, INTRANET]

2nd September 2022 / v19.3

  • Fix The delegated mail authorization feature would – under circumstances – fail to get the mail specific tenant ID and as a result an attempt to refresh the access token may fail. [LOGIN, MICROSOFT GRAPH MAILER]

29th August 2022 / v19.2

  • Fix The Redirect URL field for the mail authorization is no longer greyed out and can be changed by administrators. [LOGIN]

29th August 2022 / v19.1

  • Fix A backward-compatibility issue with Audiences would cause a critical error when editing a post or page. Administrators with any of the following extensions installed must update as soon as possible: ROLES + ACCESS, SYNC, INTRANET. [ROLES + ACCESS, SYNC, INTRANET]

28th August 2022 / v19.0

  • Change Sending WordPress emails using Microsoft Graph can now also be configured with delegated permissions. Administrators are urged to review the documentation and to update their configuration. [LOGIN, MICROSOFT GRAPH MAILER]
  • Feature Audiences – used to target posts and pages to specific Azure AD groups – can now also be used on a post or page using a custom metabox in the sidebar. Consult the updated documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature Azure Active Directory secrets can now be stored in the website’s WP-Config.php and removed from the database. [MAIL]
  • Improvement A number of plugin self-tests have been improved to help administrators find loopholes in the configuration e.g. of User synchronization and the integration of various SharePoint Online services. [LOGIN]
  • Fix The plugin no longer “hijacks” a state parameter when sent in the header of any request. This prevented – amongst other things – enabling / disabling of WordPress auto-updates. [LOGIN]
  • Fix The Employee Directory app now shows profile information when users are searched for using SharePoint. [M365 APPS, INTRANET]
  • Fix Version bump for all WPO365 plugins.

22nd July 2022 / v18.2

  • Fix Recent changes to the built-in notification service could cause a fatal error for older PHP versions that has now been fixed. [LOGIN]

18th July 2022 / v18.1

  • Fix If the plugin is configured to send WordPress emails using Microsoft Graph then it will now always replace the From email address if WordPress tries to send emails from wordpress@[sitename]. WordPress will propose this email address if no email is set by the plugin sending the email (for example Contact Form 7). This email may pass checks as a valid email address but in reality this email address most likely does not exist. The option to fix the “localhost” issue has been removed since this fix improves the behavior for all hosts (incl. localhost). [LOGIN]
  • Improvement Various wp-admin banners as well as some translations have been updated. Also a teaching bubble is shown on the Single Sign-on page to help admins quickly find the WPO365 documentation center at https://docs.wpo365.com/. [LOGIN]

4th July 2022 / v18.0

  • Change Administrators who selected OpenID Connect based single sign-on, can now choose between the Hybrid Flow and the Authorization Code Flow. New installations will automatically be configured using Authorization Code Flow. [LOGIN]
  • Change Support for Azure AD B2C custom policies (sign-up, sign-in and password reset) is no longer a premium feature. [LOGIN]
  • Change All features of WPO365 | CUSTOM USER FIELDS extension are from now on supported by the WPO365 | LOGIN+ extension. See our website for details and pricing. [CUSTOM USER FIELDS, LOGIN+]
  • Change A new WPO365 Features Dashboard has been added that allows administrators to toggle features such as e.g. SSO, MAIL and SYNC on or off. [LOGIN]
  • Feature Admins can now choose to hide the WordPress Admin Bar for specific roles. [LOGIN]
  • Feature Requesting access tokens from Azure AD can now be further secured using a Proof Key for Code Exchange (PKCE). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with Azure AD generated oauth access tokens (PREMIUM). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with WordPress REST cookies. [LOGIN]
  • Improvement Azure AD B2C custom claims sent in the ID token can now be mapped to custom WordPress user meta fields. [LOGIN+, SYNC, INTRANET]
  • Improvement When a “From” address is specified in – for example – an email form, it will be used to send the email (instead of the configured “From” address), provided the address specified in the form appears to be valid. This behavior is a premium feature and not enabled by default. [MAIL, SYNC, INTRANET]
  • Improvement Admins can now set a different Azure AD tenant for sending WordPress emails using Microsoft Graph when the plugin is configured for Azure AD B2C based single sign-on. [ALL]
  • Improvement Admins can now update the priority for the get_avatar hook on the plugin’s User sync page (default 1). [AVATAR, SYNC, INTRANET]
  • Improvement The plugin is now able to work with the more appropriate GroupMember.Read.All permissions instead of Group.Read.All. Admins who configured role based access restriction are advised to update the API permissions for the registered application in Azure AD. [ROLES+ACCESS, SYNC, INTRANET]
  • Fix The logic to detect the blog ID in a WordPress Multisite (WPMU) will always test with a trailing slash. [LOGIN]
  • Fix A (custom) login message – for example created with LoginPress – will now show as expected. [ALL]
  • Fix Non-dynamic roles in an identities configuration used to enable RLS when embedding Power BI content no longer cause a fatal error. [M365 APPS, INTRANET]
  • Fix It is now possible to save empty custom user profile fields when manually updating a user’s profile. [CUSTOM USER FIELDS, SYNC, INTRANET]

26th May 2022 / v17.5

  • Change Sending mail as HTML is no longer a premium feature. [LOGIN, MAIL, SYNC, INTRANET]
  • Change Saving sent emails in Sent Items is no longer a premium feature. [LOGIN, MAIL, SYNC, INTRANET]
  • Change The plugin will now always force the use of the WPO365 avatar feature if this is enabled by removing other similar filters. [AVATAR, SYNC, INTRANET]
  • Improvement Administrators can now configure the WPO365 plugin to prevent WordPress sending a notification to admins when a user changes a password. [LOGIN+, SYNC, INTRANET]
  • Improvement The Graph Mailer components have been refactored for improved logging / auditing. [LOGIN, MAIL, SYNC, INTRANET]
  • Fix Login button label’s text will not be wrapped on a new line. [LOGIN]
  • Fix The premium mail function to log all emails sent did not properly return and when used in combination with another mail plugin – e.g. WP HTML Mail – emails were not sent as expected. [MAIL, SYNC, INTRANET]
  • Fix The mail-log table can now be scrolled horizontally. [MAIL, SYNC, INTRANET]
  • Fix Sending a test email with attachment is now supported by all versions. [LOGIN]
  • Fix The plugin will not try to send attachments larger than 3 Mb (to prevent the mail being refused by the Microsoft Graph API). [LOGIN]
  • Fix The Azure AD based Employee Directory app will now retrieve the user’s profile and cache it separately from the cache of employees as this sometimes would break the hierarchy. [M365 APPS, INTRANET]

1st May 2022 / v17.4

  • Improvement You can now create a shortcode based app to embed Power BI content that supports the App owns data scenario and configure it to use the 2nd (app-only) AAD App registration. This is especially useful when the administrator configured Microsoft Azure AD B2C or SAML 2.0 based single sign-on and the AAD App registration for SSO cannot be used. [M365 APPS, INTRANET]
  • Fix Several issues related to PHP 8.x – e.g. support for deep-links – have been fixed. [ALL]
  • Fix When an administrator has hidden the login button the artifacts required to initiate the WPO365 Sign in with Microsoft flow – e.g. needed for a custom login button or Dual Login – are now loading correctly. [LOGIN]

19th April 2022 / v17.3

  • Change The default login button’s accessibility has been improved and now uses a BUTTON element (previously a DIV) with an aria-label that corresponds to the button’s caption. [LOGIN]
  • Improvement For new installations of the plugin the default value of the session duration has been updated to 0 (was 3600) and a user will not be automatically forced to re-authenticate after 1 hour. [LOGIN]
  • Fix The (basic / free version of the) Microsoft 365 shortcode app to embed a SharePoint / OneDrive Documents Library now correctly recognizes when it should use the new WPO365 REST API for Microsoft Graph instead of the older token service. [LOGIN]
  • Fix The exception level for Serious attempt to try to bypass authentication has been changed from ERROR to WARN since many false positives have been reported. [LOGIN]

8th April 2022 / v17.2

  • Improvement When the WPO365 plugin is used to send WordPress emails, it will now honor a reply-to email address defined externally e.g. when using Contact Form 7. [ALL]
  • Fix The Microsoft 365 shortcode app for SharePoint Online Search now properly encodes the query template / custom written query to enable the use of double quotes when defining values for a managed property e.g. Path:”https://wpo365demo.sharepoint.com/sites/contoso/Shared Documents”. To benefit from this you must re-create the shortcode for the app. [M365 APPS, INTRANET]
  • Fix When using the Dual Login Feature the plugin no longer adds an HTML DIV element with a duplicate ID. [LOGIN+, SYNC, INTRANET]

25th March 2022 / v17.1

  • Change The Microsoft 365 shortcode app for embedding Power BI has been thoroughly updated to work with the recently introduced WPO365 REST API for Microsoft Graph. Existing shortcodes will continue to work with the WordPress AJAX API but it is recommended to update those apps by creating new shortcodes using the Shortcode Generator. Please refer to the updated documentation for guidance. [M365 APPS, INTRANET]
  • Change The Microsoft 365 shortcode app for embedding Power BI now supports dynamic tokens used when defining Effective Identities when row-level-security (RLS) is configured for the dataset. Dynamic tokens can be replaced with direct attributes of a WordPress user or alternatively user meta. Please refer to the updated documentation for guidance on how to use dynamic tokens. [M365 APPS, INTRANET]
  • Improvement Newly created Microsoft 365 shortcode apps for embedding Power BI will cache access tokens in the browser’s session storage and this cache will be emptied when the user navigates away from the page. [APPS, INTRANET]
  • Fix The license checker will not show a warning for development, test and staging environments if those web addresses can be identified as such. It will also not show a warning for each subsite in a WordPress Network. [ALL PREMIUM]
  • Fix Use the home URL instead of the site URL (where WordPress application files are accessible) for the base URI when connecting to the WPO365 REST API for Microsoft Graph. [ALL]
  • Fix Administrators can activate Internet Explorer 11 compatibility mode (at the cost of losing the integration capability with Microsoft Teams) when they go to WP Admin > WPO365 > … > Miscellaneous and toggle the corresponding option. [ALL]

18th February 2022 / v17.0

  • Breaking The End User License Agreement will be updated from 1st April 2022 and a license for a premium extension will always be linked to the domain of the WordPress instance. Therefore you may need additional licenses for development, test and staging instances if those are set up under different domains. Starting with this version premium extensions / bundles will generate a warning that a license is required if no valid license was found for that particular instance. [ALL EXTENSIONS / BUNDLES]
  • Breaking Additional configuration is needed for the WPO365 REST API for Microsoft Graph that is currently used by the WPO365 | DOCUMENTS Gutenberg Block, WPO365 User synchronization and the updated versions of the M365 APPS (included in this release) to keep your data as safe and secure as possible. On the plugin’s Integration page in the section labelled Microsoft 365 Apps you must now specify whether users must be signed in (with Microsoft) when they connect to the API, which Microsoft Services endpoints are allowed, whether apps may request application-level tokens (instead of user-level tokens with delegated permissions) and whether proxy-type requests are permitted. [ALL]
  • Breaking Because the direct use of PHP cURL has been removed in favor of WordPress’ builtin HTTP API, the cURL Proxy Address setting has been removed. Please refer to the WordPress documentation for instructions on how you can use WP_PROXY_HOST and WP_PROXY_PORT if you need to configure a proxy for outgoing network connections. [ALL]
  • Change The Microsoft 365 shortcode apps for embedding SharePoint Online Search, a SharePoint / OneDrive Online Document Library, a Microsoft Graph based Employee Directory and a Yammer Feed have been thoroughly updated to work with the recently introduced WPO365 REST API for Microsoft Graph. Existing apps will continue to work with the WordPress AJAX API but it is recommended to update those apps by creating new shortcodes using the Shortcode Generators. [M365 APPS, INTRANET]
  • Improvement The WPO365 SCIM Client for Azure AD User provisioning can now be configured to retrieve the user’s Azure AD object ID. This is needed if the plugin needs to retrieve additional user attributes, a user’s profile picture or Azure AD group memberships from Microsoft Graph. See the Troubleshooting paragraph of the SCIM online documentation for details. [SCIM, INTRANET]
  • Improvement The (Microsoft Graph) based Employee Directory shortcode app has been updated and can now be configured to use SharePoint People Search to search for users by skills, projects and other profile attributes. It will also include profile details on the user’s Info tab (when using the Contacts template and if the user has updated his / her profile). See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The (Microsoft Graph) based Employee Directory shortcode app also can now be used by users that did not sign in with Microsoft. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The SharePoint / OneDrive Documents shortcode app (to embed a SharePoint library in WordPress) is no longer considered deprecated and has instead been updated and can now also be configured to allow access to anonymous users and to retrieve and render custom SharePoint columns / fields. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The SharePoint / OneDrive Documents shortcode app also can now be configured to read its configuration (SharePoint site collection, title of the library and optionally a folder path) from a number of querystring parameters. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement Also the Documents Gutenberg Block has been updated and can now be configured to read its configuration (SharePoint site collection, title of the library and optionally a folder path) from a number of querystring parameters. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The Microsoft Graph mailer for WordPress feature can now log all outgoing WordPress transactional emails and allows you to try to re-send emails that previously failed to send. See the online documentation for details. [MAIL, SYNC, INTRANET]
  • Improvement The builtin Microsoft Graph mailer for WordPress now supports sending of attachments. See the online documentation for details. [ALL]
  • Improvement The Microsoft Graph mailer for WordPress can now be configured to send all outgoing transactional emails as BCC to help you prevent reply-to-all mail pollution. See the online documentation for details. [MAIL, SYNC, INTRANET]
  • Improvement On the plugin’s User sync configuration page in the section Custom user fields you can now select how you would like the WPO365 plugin to update a WordPress user’s display name. Possible choices are: Same as the display name according to Azure AD, given name and surname according to Azure AD or surname, given name according to Azure AD. [CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement The plugin will now always apply the Azure AD user attribute to WordPress user meta mappings regardless of whether you have opted to show them on a WordPress user profile page. [CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement A new endpoint has been added to the WPO365 REST API for Microsoft Graph where developers can send a preformatted Microsoft Graph request which will be transparently proxied to Microsoft Graph in the context of the current user. This endpoint must be separately enabled. [ALL]
  • Improvement Another endpoint has been added to the WPO365 REST API for Microsoft Graph where developers can request an OAuth access token for Microsoft Graph in the context of the current user. This endpoint must be separately enabled. [ALL]
  • Improvement In accordance with the WordPress developer guidelines direct use of PHP cURL has been removed and instead the plugin now uses WordPress’s builtin HTTP API. [ALL]
  • Fix The OneLogin library (used for adding SAML support to the plugin) has been updated to the latest version. Small modifications have been made to further ensure compatibility with PHP 8. [ALL]
  • Fix In accordance with the WordPress developer guidelines all output has been secured / escaped. See the official WordPress documentation for details. [ALL]
  • Fix A bug has been fixed that prevented the Internet Auth.-only Authentication Scenario from working correctly. [LOGIN+, SYNC, INTRANET]
  • Fix A bug has been fixed that prevented the WordPress Users page from loading correctly when using WPO365 Audiences. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix A bug has been fixed that prevented the WPO365 Wizard / Configuration pages from handling non-latin characters. [ALL]
  • Fix Version bump for all WPO365 plugins.

3rd December 2021 / v16.1

  • Fix Audiences no longer generates a warning for users that did not sign in with Microsoft. [ROLES + ACCESS, PREMIUM, INTRANET]

30th November 2021 / v16.0

  • Feature Audiences Create virtual groups of users and restrict access to WordPress posts and pages to members of these groups. An Audience is a group of users that is dynamically populated based on rules (or better: one or more Azure AD group IDs) that define who is a member of that Audience. See the online documentation for details. [ROLES + ACCESS, PREMIUM, INTRANET]
  • Feature Secured by Azure Active Directory Two new authentication scenarios have been added that require visitors to sign in with Azure AD / Microsoft without attempting to sign them in as WordPress users. See the updated online documentation for details. [LOGIN+, PREMIUM, INTRANET]
  • Change Your users can now benefit from true Single Sign-on support for Microsoft Teams Tabs and Apps that embed a WordPress website (without additional popups if the user is from your own organization). See the updated online documentation for instructions on how to update the App registration in Azure AD. [ALL]
  • Change The loading bars (when redirecting to Microsoft) have been replaced with a circular spinner. Administrators can choose to re-activate the old loading bars when they navigate to WP Admin > WPO365 > … > Miscellaneous. [ALL]
  • Improvement Administrators can now choose to use WP-Config(.php) for AAD secrets when they navigate to WP Admin > WPO365 > Single Sign-on, click to show the advanced configuration options and check the corresponding option. See online documentation for details. [LOGIN+, PREMIUM, INTRANET]
  • Improvement Administrators can now define the length of WordPress passwords created by the plugin when they go to WP Admin > WPO365 > … > Miscellaneous. See online documentation for details. [ALL]
  • Fix When switching between configurations the plugin now resets the settings before switching, preventing newer settings from being added automatically to an older configuration. [PREMIUM, INTRANET]
  • Fix The page on which a Documents app(s) has been embedded will no longer jump to the top of the app. [ALL]
  • Fix Uncaught error: Class DateTime not found [ALL].
  • Fix The plugin will now recognize correctly – when WordPress Multisite has been enabled – the subsite’s ID when the Azure AD Redirect URI points to WP-Admin. [ALL]
  • Fix The plugin will now delete an itthinx Groups assignment for a user if that user has been removed from the mapped Azure AD group. [GROUPS, INTRANET]
  • Fix Anonymous users no longer are asked to sign in when they attempt to download a document from SharePoint. [DOCUMENTS, INTRANET]
  • Fix Version bump for all plugins, extensions and bundles. [ALL].

29th September 2021 / v15.4

  • Fix This version patches two XSS (cross-site scripting) security flaws (thanks to Gary O’Leary-Steele from AppCheck and Sailesh Parmar) [ALL].
  • Fix Password reset is no longer blocked for users that are administrators for the WordPress site [ALL].
  • Improvement If the user clicks the Sign in with Microsoft button on the (default) login form in Teams the user will now be redirected to the home page (or to the page the user intended to navigate to) [ALL].

27th September 2021 / v15.3

  • Fix Overall stability of user synchronization when starting, re-starting and stopping manually [SYNC, INTRANET].

23rd September 2021 / v15.2

  • Change Administrators can now choose to grant application type permissions to the existing App registration and creating a 2nd App registration is (still supported but) no longer necessary or recommended [ALL].
  • Fix The domain hint variable was undefined for one of the plugin’s self-tests [ALL].
  • Fix The avatar self-test will no longer fail if the request is successful but no image was found [AVATAR, SYNC, INTRANET].

22nd September 2021 / v15.1

  • Improvement Administrators can now configure a reply-to address when sending WordPress mail using Microsoft Graph [MAIL, SYNC, INTRANET].
  • Fix A cross-site scripting issue with the redirect JavaScript has been resolved [ALL].
  • Fix The User synchronization processor will now skip Azure AD (directory) objects that are not users (e.g. groups) [SYNC, INTRANET].
  • Fix The plugin will now determine correctly whether or not a request is for the WordPress REST API [ALL].
  • Fix Instant help pages will now only be loaded on-demand [ALL].

9th September 2021 / v15.0

  • Feature User synchronization V2 (see this article for details) [SYNC, INTRANET].
  • Change Emails sent will respect the Content-Type header and if no header is defined emails will be sent as text by default (only applies to emails sent using Microsoft Graph) [ALL].
  • Improvement Administrators can now configure the plugin to update attributes of users that are administrators (incl. dynamically assigned roles, see this article for details) [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement When the author of a post is deleted through Azure AD User provisioning (SCIM) that post can now be re-assigned to another WordPress user [SCIM, INTRANET].
  • Improvement When a user’s manager is already provisioned to WordPress through Azure AD User provisioning (SCIM) the manager’s details will be collected if a custom field mapping for the ‘manager’ field has been configured [SCIM, INTRANET].
  • Improvement Administrators of a WordPress Multisite can now configure Azure AD group based mappings to dynamically assign the Super Administrator role (see this article for details) [ROLES + ACCESS, SYNC, INTRANET].
  • Improvement An administrator can now configure an external URL as custom error page where a user will be sent when authentication fails [LOGIN+, SYNC, INTRANET].
  • Improvement Support for Report control filters when embedding Power BI reports in WordPress [M365 APPS, INTRANET]
  • Improvement A new configuration will prevent the Content by Search app from scrolling the page to the top of the search results [M365 APPS, INTRANET].
  • Improvement Additional translations for the Employee Directory app [ALL].
  • Improvement An administrator can configure the plugin so that a deactivated user can be re-activated when he / she successfully signs in with Microsoft (see this article for details) [SCIM, PREMIUM, INTRANET].
  • Improvement The Plugin self-test results can now be downloaded as a JSON file [ALL].
  • Improvement Additional tests have been added to the Plugin self-test to improve the configuration of user synchronization [SYNC, INTRANET].
  • Improvement Some issues identified by the Plugin self-test can now be fixed by a simple button click [ALL].
  • Improvement The Plugin’s Debug Log can now be downloaded as a JSON file [ALL].
  • Improvement More custom hooks were added for when a user is created, authenticated and added to a blog (see this article for details) [ALL].
  • Fix A de-activated user can now be re-activated when that user is added again by Azure AD User provisioning (SCIM) [SCIM, INTRANET].
  • Fix When a user is de-activated by Azure AD User provisioning (SCIM) all roles will be removed [SCIM, INTRANET].
  • Fix A deactivated user can no longer sign in with WordPress credentials [SCIM, SYNC, INTRANET].
  • Fix Administrators can fix an issue when sending emails using Microsoft Graph from localhost by checking the corresponding option on the plugin’s Mail configuration page [ALL].

12th July 2021 / v14.1

  • Fix Added URL decoding for base64 encoded ID tokens that contain special characters [ALL].
  • Fix The plugin will no longer try to get tenant specific JSON Web Key sets when verifying the ID token’s signature if support for multi-tenancy is enabled but instead download the common keys from https://login.microsoftonline.com/common/discovery/v2.0/keys [ALL].

5th July 2021 / v14.0

  • Feature Full support for Azure AD B2C incl. the configuration of a custom domain and an Azure AD B2C policy to redirect users to corresponding custom Azure AD B2C endpoints to login and obtain ID and access tokens [LOGIN+, SYNC, INTRANET].
  • Change Now the plugin uses the phpseclib (see https://phpseclib.com/) to verify the signature of the ID token received from Microsoft. The previously used Firebase/JWT library is still included for fallback purposes and administrators can navigate to WP Admin > WPO365 > … > Miscellaneous to enable the use of the older ID token parser in case of any issues.
  • Fix All WP AJAX endpoints have been renamed and include a namespace to avoid conflicts with other plugins after some users reported that they were not able to save the configuration [ALL].
  • Fix Improved HTML encoding for the Employee Directory app’s query expression [ALL].
  • Fix When retrieving data from Microsoft Graph the plugin will now (in most cases) try to do so by a user’s Object ID and only use the user principal name (UPN) for fallback [ALL].
  • Fix When the Documents Gutenberg Block tests its configuration it now does so independent of the configured Microsoft Graph Version (recommended version – however – remains Beta) [ALL].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

24th May 2021 / v13.0

  • Feature A brand new Gutenberg Block to display a SharePoint or OneDrive Document Library (or recently used documents) with an advanced column / field configuration editor and the exciting new option to grant anonymous users (that didn’t sign in with Microsoft) access to those files (see online documentation for details) [LOGIN, (premium features: DOCUMENTS, INTRANET)].
  • Feature A new RESTful API that transparently gives developers access to selected Microsoft Graph API endpoints so they can build client-side Microsoft 365 integrated apps for WordPress in their favorite programming language and without the hassle and complexity of implementing authentication and authorization because the WPO365 | LOGIN plugin takes care of all that (see online documentation for details) [LOGIN].
  • Improvement The Contacts (Employee Directory) App now “remembers” its search results when an employee is selected from the result list [APPS, INTRANET].
  • Improvement The (premium version) Content by Search App now checks if the default search parameter “s” is present in the current page’s URL when the auto-search option has been enabled, allowing for a deep integration of the app on a WordPress search result page [APPS, INTRANET].
  • Improvement The plugin now detects a Microsoft Graph $count query and automatically adds the ConsistencyLevel = True header, thus allowing for advanced queries with $filter that use endsWith and $search. For example, you can now write a User sync query that includes all users from a specific organization as follows: myorganization/users?$count=true&$filter=endsWith(userPrincipalName,%27@example.com%27)&$top=10 [LOGIN].
  • Fix When a user attribute in Azure AD has been deleted the plugin will delete the corresponding custom user field in WordPress [CUSTOM USER FIELDS, SYNC, INTRANET].
  • Fix The Content by Search App no longer will fail if it’s fetched data before the page has finished loading [APPS, INTRANET].
  • Fix When sending an email from WordPress using Microsoft Graph fails, only the error (instead of the message as a whole) will be logged [LOGIN].
  • Fix The plugin’s configuration pages (wizard) are now loaded using WordPress’ own script enqueueing mechanism [LOGIN].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

16th April 2021 / ALL / v12.14

  • Fix The Plugin self-test would encounter an error when the administrator configured SAML 2.0 [ALL].
  • Fix When using the SAML 2.0 the plugin will now also read the user’s AAD object ID (which is needed for integration scenarios such as retrieval of a user’s profile, Azure AD group memberships etc.) [ALL].

7th April 2021 / ALL / v12.12

  • Feature Administrators can save multiple WPO365 configurations and select one of the saved configurations as the current one [SYNC, INTRANET]
  • Feature Administrators can edit and save / import and export a configuration’s JSON representation [SYNC, INTRANET].
  • Improvement The Plugin self-test has been greatly improved and now tests various scenarios in an attempt to provide better support and guidance when configuring the plugin [ALL].
  • Fix The option to de-activate instead of delete users when synchronizing was working in the opposite way and this has been corrected [SYNC, INTRANET].
  • Fix An administrator can now update passwords for users that sign in with Microsoft even if he / she configured the plugin to block password updates [ALL].
  • Fix When determining whether a user has properties that match with (one of the) the tenant’s domain(s) the plugin now tries to do so in a case-insensitive way [ALL].
  • Fix When scheduling daily user synchronization the first event will be scheduled for this week and no longer jump the first week [SYNC].

12th March 2021 / LOGIN, APPS, AVATAR, SYNC, INTRANET / v12.11

  • Improvement Tested up to 5.7.
  • Fix The plugin will now save a user’s Azure AD object ID and use it when retrieving a user’s profile image, which otherwise fails for guest users when using the Azure AD user principal name [LOGIN, AVATAR, SYNC, INTRANET].
  • Fix The Microsoft 365 Documents App ability to restrict content to a specific folder (and its sub folders) stopped working and the error causing it has been fixed [APPS, INTRANET].

7th March 2021 / LOGIN / v12.10

  • Fix The Microsoft Teams integration will now honor the login hint (if you add ?login_hint={loginHint} to the WordPress URL for your Tab or App) [ALL].
  • Fix The plugin now tries to recognize SSL and will update the WordPress (Site) Address (URL) whenever it retrieves the WordPress home option from WordPress [ALL].

25th February 2021 / LOGIN | AVATAR | LOGIN+ | SYNC | INTRANET / v12.9

  • Improvement Administrators who configured SAML 2.0 based Single Sign-On can now request that users re-authenticate by including a forceAuthn=true flag in the SAML request [LOGIN+, SYNC, INTRANET].
  • Fix The error reason for failed SAML sign-in requests is now included in the error message [ALL].
  • Fix The full email message (JSON) is now logged in case of an error when sending WordPress emails using Microsoft Graph [ALL].
  • Fix The plugin no longer tries to create a folder for downloaded Microsoft 365 profile images when it already exists [AVATAR, SYNC, INTRANET].

7th February 2021 / WPO365 | LOGIN / v12.8

4th February 2021 / WPO365 | LOGIN / v12.7

  • Fix The plugin no longer requires an authorization code / refresh code to retrieve an access token when configuring a Power BI embed for your customers (also known as Application owns data) [LOGIN, M365 APPS, INTRANET].

1st February 2021 / WPO365 | LOGIN / v12.6

  • Fix Earlier saving of the user information retrieved from the ID token / SAML response resolves an issue for multi-tenanted apps to request an access token from another tenant than the home tenant [WPO365 | LOGIN].

25th January 2021 / WPO365 | ALL extensions and bundles / v12.5

  • Feature Administrators can now enable Single Sign-On for the (default / custom) login page (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Feature [preview] Administrators can now enable Single Sign-On for pages / posts that have limited (private) visibility (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Translations and update the caption for the Sign in with Microsoft button as well as several other error messages.
  • Improvement Administrators of WordPress Multisite networks can now prevent the plugin from adding users to a subsite (see online documentation for details) [LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now disable the WPO365 session expiration when they navigate to WP Admin > WPO365 > Single Sign-On and reconfigure the Session Duration option and set it to 0 (see online documentation for details) [LOGIN].
  • Improvement The WPO365 configuration pages have been optimized and streamlined with the new recently added extensions [LOGIN].

14th January 2021 / WPO365 | ALL extensions and bundles / v12.4

  • Fix Administrators can now choose a default avatar when they navigate to WP Admin > Settings > Discussion and scroll to the Default Avatar section [AVATAR, SYNC, INTRANET].
  • Fix User synchronization now will recognize Azure AD Guests by their UPN instead of their preferred user name and thus no longer ignore Azure AD Guests when processing batches of users retrieved from Microsoft Graph [SYNC, INTRANET].
  • Fix The /me context will only be used if the plugin believes it can acquire an access token on behalf of that user [ALL extensions / bundles].

4th January 2021 / wp365-login[LOGIN, SYNC, INTRANET] / v12.3

  • Fix Active extension (SYNC and / or INTRANET) was not correctly detected, causing (manual) user synchronization not to reload as expected but instead showing a white screen.

2nd January 2021 / wp365-login[LOGIN] / v12.2

  • Fix License management page for WordPress Multisite now showing as expected (network admin only).

31st December 2020 / wp365-login[LOGIN] / v12.1

  • Fix Item ID search algorithm not finding item to activate the license for and failing without a notification showing.

30th December 2020 / wp365-login[ALL] / v12.0

  • (Breaking) Change Licenses are now administered on a separate configuration page. The new License (administration) page can be accessed via WP Admin > WPO365 > Licenses. Existing licenses must be re-entered for the automatic update function to work as expected.
  • Change Introduction of new Extensions for MAIL, AVATAR, CUSTOM USER FIELDS, GROUPS, APPS, ROLES + ACCESS and SCIM.
  • Improvement In an attempt to unclutter the WordPress Admin Dashboard, the plugin will no longer show the last (three) error(s). Instead a notification that errors have been encountered will be shown with a link to the main WPO365 configuration page where the full error message(s) are shown.

18th December 2020 / wp365-login[LOGIN] / v11.20

  • Improvement Users who have configured SAML 2.0 can create a custom button to include a domain hint that translates to an additional whr parameter. See the updated documentation for recommended configuration.
  • Improvement The request for a plugin-review now only shows on the WPO365 configuration pages and can be turned off permanently.
  • Fix Avatar filter priority lowered to 99999 to have precedence over other plugins e.g. Ultimate Member.

14th December 2020 / wp365-login[LOGIN, SYNC, INTRANET] / v11.19

  • Fix User synchronization no longer deactivates / deletes users that cannot be linked to an existing Microsoft 365 / Azure AD account (administrators must make sure to update the Custom domains list on the plugin’s User registration page).
  • Fix (Array to string conversion) Error whenever an email could not be sent successfully through Microsoft Graph.

25th November 2020 / wp365-login[ALL] / v11.18

  • (Breaking) Change Improved support for WordPress Multisite with mapped domains and subsite specific WPO365 configuration. See updated online documentation for recommended configuration scenarios of WordPress Multisite installations.
  • Feature Administrators (of the LOGIN+, SYNC and INTRANET extensions) can navigate to WP Admin > WPO365 > User registration and configure the plugin to create shorter WordPress names e.g. john.doe instead of john.doe@your-tenant.onmicrosoft.com. See online documentation for details.
  • Improvement: Prevention of users getting stuck in infinite loops through smart detection. See updated online documentation for additional considerations.
  • Improvement: Administrators can now navigate to WP Admin > WPO365 > … > Miscellaneous and delete the current WPO365 configuration.
  • Improvement: When administrators (of the LOGIN+, SYNC and INTRANET extensions) have configured the Post sign-out URL option, the plugin will now also redirect users that did not sign in with Microsoft.

11th November 2020 / wp365-login[WPO365 | LOGIN] / v11.17

  • Fix When using the optimized internet authentication mode (preventing the plugin from interfering with requests for pages and posts) the Sign in with Microsoft button now redirects the user correctly to the WordPress Administration instead of to the homepage.

10th November 2020 / wp365-login[WPO365 | LOGIN] / v11.16

  • Fix After a recent change the global constant WPO_AUTH_SCENARIO had been erroneously renamed to WPO_AUTH_MODE.

10th November 2020 / wp365-login[ALL] / v11.15

  • (Breaking) change The out-of-the-box algorithm for trying to find a WordPress user for the user currently signing in with Microsoft has changed. The rule to match a user by his / her Login Name (= Azure AD preferred login name without domain suffix) has been removed. Administrators can still add this option back (see the online documentation).
  • Improvement Administrators (of the SYNC and INTRANET extensions) can now specify nested user profile properties when synchronizing WordPress user profiles with Microsoft Graph e.g. businessPhones.0 (to retrieve the first business phone of an array of possible entries) or onPremisesExtensionAttributes.extensionAttribute1 (to retrieve a custom attribute synced from Active Directory).
  • Improvement Administrators (of the LOGIN+, SYNC and INTRANET extensions) can now choose to show (new) users the option to sign up and create a new account in Azure AD B2B when they sign in with Microsoft. See the online documentation for additional considerations and prerequisites.
  • Fix When the plugin fails to create a new user during scheduled user synchronization, the schedule will continue to run and finish as expected.
  • Fix The double ‘/’ when loading the (pintra-)redirect.js file has been removed.

27th October 2020 / wp365-login[WPO365 | LOGIN] / v11.14

  • Improvement Administrators that have configured SAML 2.0 and have received error reports such as “Authentication method ‘WindowsIntegrated’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’” can now try to configure advanced settings. See the online documentation for details.
  • Fix The option to Skip the NONCE verification – on the plugin’s Miscellaneous configuration page – has been restored.
  • Fix Due to the NONCE verification causing many false-positives, it now generates a warning instead of an error and will no longer prevent users from being able to log in. Administrators are advised to regularly check their debug logs (or configure logging to Application Insights).

21st October 2020 / wp365-login[WPO365 | LOGIN] / v11.13

  • Fix The plugin will now use WordPress nonces instead.
  • Fix For WordPress Multisite installations the plugin will now try to delete the top level auth cookies to prevent an infinite loop.
  • Fix When the license activation receives a 403 Forbidden it will transparently show this to customers who try to activate their license.

14th October 2020 / wp365-login[ALL VERSIONS] / v11.12

  • Fix Now the plugin – when requesting data from Microsoft Graph’s /me endpoint – will enforce using delegated (instead of application) permissions.
  • Fix When activation of a license of a premium extension fails the plugin will now log the raw response as an error.

13th October 2020 / wp365-login[WPO365 | LOGIN, WPO365 | INTRANET] / v11.11

  • Fix The (WPO365 | INTRANET edition’s version of the) Employee Directory app now allows for configuring a separate initial query when auto-search has been enabled.
  • Fix Functionality to activate the license of the WPO365 | PROFILE+ extension has been restored after it was broken after an earlier change.

12th October 2020 / wp365-login[WPO365 | LOGIN] / v11.10

  • Fix The user look-up algorithm did not search for preferred_username and as a result would not find users with no UPN and email address in their ID token. However, when it then tried to create a new user, an error was thrown in case that user already existed.
  • Fix If the SAML 2.0 response is deemed not valid the plugin will now log the reason as a warning in the debug log.

8th October 2020 / wp365-login[ALL VERSIONS] / v11.9

  • Improvement Administrators of all premium extensions can now choose to disable the default WordPress behavior of sending an email to a user when his / her email has changed. See the online documentation for details.
  • Improvement The plugin will not intercept requests if initiated from WP CLI.
  • Fix Functionality to activate the license of a premium extension has been restored after it was broken after an earlier change.
  • Fix Functionality to retrieve (partial) templates has been restored after it was broken after an earlier change.
  • Fix Arguments passed to the developer hooks (as documented here) have been updated.

4th October 2020 / wp365-login[ALL VERSIONS] / v11.8

  • Feature An Administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now upload a custom HTML template and replace the default loading bars. See the online documentation for details.
  • Improvement An administrator can now configure the plugin to tell Microsoft to show the Select Account prompt, when it redirects a user to sign in with Microsoft. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | INTRANET extension) can now configure the full Microsoft Graph query for the Employee Directory / Contacts app when searching for employees and colleagues. This allows for more advanced queries for example using $count, $filter, $search. This improvement now also allows to search in (transitive) members of a group. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | SYNC and WPO365 | INTRANET extension) that configured the synchronization of Microsoft 365 profile images (to replace the user’s default WordPress Avatar) now has an extra option to instruct the plugin only to refresh an expired profile image of the logged-in user. The plugin will, however, bypass this restriction whenever the administrator synchronizes users on-demand, users are synchronized based on a schedule or a user is being updated through Azure AD’s User provisioning (SCIM). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the order in which the plugin tries to find a matching WordPress user for the user that signs in with Microsoft (choices are upn, preferred_username, email and login). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the plugin to bypass updating a WordPress user role. This is especially useful for WordPress installations where the users are created manually or WordPress roles are not managed by a WPO365 plugin extension.
  • Improvement An administrator of the WPO365 | LOGIN (free) edition can now choose to disable the automatic registration of new users.
  • Fix Customers reported seeing the ID token not found in posted data error which may be a result of the plugin’s test mode not being disabled. The plugin will now immediately toggle the test mode and only start the Plugin self-test when an ID token is found (in case SAML 2.0 is not configured).
  • Fix The Documents (Microsoft 365) App now supports library titles with special characters.
  • Fix The plugin now checks for existing (WordPress) roles when analyzing whether it should add the default role as fallback or not.

26th September 2020 / wp365-login[ALL VERSIONS] / v11.7

  • Feature The plugin can now be configured to send WordPress emails using Microsoft Graph as an attractive alternative to sending mail via SMTP.
  • Change Support for symmetric algorithms to decrypt the JWT tokens has been removed.
  • Change The user-look-up algorithm first tries to look up a WordPress user by its user principal name (UPN) when that user is not an external user / guest user before it retries using the preferred login name, the user’s email address and last the user’s account name.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.6

  • Fix The automatic update functionality for WPO365 extensions is now better embedded in the overall WordPress update experience.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.5

18th September 2020 / wp365-login[ALL VERSIONS] / v11.4

  • Fix Activation of (premium) licenses is now working as expected.
  • Fix Auto-update of (premium) extensions is now working as expected.

17th September 2020 / wp365-login[ALL VERSIONS] / v11.3

  • Improvement The nonce generator and validator have been updated in an effort to reduce the risk of nonce not being found.
  • Improvement The plugin won’t generate errors anymore when it cannot connect to Microsoft Graph to retrieve the current user’s profile in an attempt to improve the data quality when the administrator has not configured the integration portion of the plugin.
  • Fix For reasons of backward compatibility, the plugin now only tries to retrieve all groups that a user is a member of if the ID token doesn’t contain this information.
  • Fix The plugin now generates a warning instead of an error when it cannot retrieve a user’s manager.

16th September 2020 / wp365-login[WPO365 | SYNC and WPO365 | INTRANET] / v11.2

  • Fix Added missing class method to parse manager details.

15th September 2020 / wp365-login[ALL VERSIONS] / v11.1

  • Fix Domain whitelist now looks both at the email and the login domain.
  • Fix The plugin now checks if the administrator has configured an application secret.
  • Fix The plugin now only tries to save a refresh token if one is present.
  • Fix The wizard now ensures that the INTRANET apps are loaded from the correct source folder.

13th September 2020 / wp365-login[ALL VERSIONS] / v11.0

  • Breaking Change The source code of the plugin has been completely restructured. Developers that extended the plugin with own functionality must carefully review the changes.
  • Breaking Change All premium editions of the plugin now require the latest BASIC edition of the plugin to be installed and activated. A notification will be shown to admins upon upgrade to update, install and / or activate it.
  • Breaking Change Support for legacy Azure AD App registrations has been removed. The plugin will now always try and connect to Azure AD v2 endpoints for authorization and optionally to obtain tokens.
  • Breaking Change Support for Avatars stored as WordPress user meta (in the WordPress database) has been removed. Avatars downloaded from Microsoft 365 / Azure AD will now always be stored in the /wp-content folder.
  • Breaking Change Support for the deprecated Dual Login feature is removed. Admins can instead toggle WP Admin > WPO365 > Login / Logout > Dual login V2.
  • Breaking Change Support for the deprecated Sign in with Microsoft shortcode [wpo365-sign-in-with-microsoft-sc] has been removed. Admins should configure the Sign in with Microsoft v2 shortcode instead.
  • Feature Administrators can now choose between SAML 2.0 based single sign-on and OpenID Connect single sign-on (which remains the default option).
  • Feature The BASIC edition of the plugin will automatically create a new user in WordPress (but not synchronize user profile fields such as first and last name). However, this feature can be disabled by admins.
  • Improvement User synchronization now supports WordPress Multisite (WPMU) installations and always synchronizes users to the subsite from which the synchronization was started.
  • Improvement The plugin now remembers the tenant ID of a user and uses that information when – in case of multi tenancy – it needs to retrieve data e.g. a user’s profile image from Microsoft Graph.
  • Fix The plugin no longer relies on the ID token to contain the (Azure AD / Microsoft 365 / distribution list) groups that a user is member of. Instead the plugin will always try to obtain this information from Microsoft Graph (but only if needed).
  • Fix The plugin no longer replaces stored avatars when it tries to refresh that avatar but it fails e.g. because of insufficient permissions.

9th August 2020 / wp365-login[ALL VERSIONS] / v10.10

  • Improvement: The plugin will try to detect a possible infinite loop when the host name of the requested URL is different than the host name of the (Azure AD) redirect URI and inform the administrator to update the wp-config.php (see https://docs.wpo365.com/article/5-infinite-loop for details).
  • Improvement: Thanks to customer feedback, the Teams integration will now automatically redirect the user to the Microsoft login.
  • Fix: When using Azure AD customized claims the plugin will use a tenant specific endpoint to retrieve the public keys needed to decode the ID token.
  • Fix: The Employee Directory now handles the auto-search flag as expected and does not ignore the query template, page and select properties configuration.
  • Fix: Error messages now will show on the login page, even when the administrator configured the internet-scenario specific performance optimization (see https://docs.wpo365.com/article/36-authentication-scenario for details).
  • Work in progress: Added the needed prerequisites for l10n based translations for the text domain wpo365-login (a new .POT file has been added to the plugin’s /languages folder that can be used e.g. to translate error messages and the Sign in with Microsoft text on login button).

24th June 2020 / wp365-login[ALL VERSIONS] / v10.9

  • New Capability: The PREMIUM and INTRANET edition now support mappings between Azure AD group memberships and (itthinx) Groups that you created with the Groups plugin.
  • Improvement: The Plugin self-test will now also allow you to inspect the ID token received during the execution of the test.
  • Improvement: The WordPress Admin Notification now includes details of the last three errors plus useful links to help resolve those errors.
  • Improvement: Several improvements have been made in an attempt to make a first-time installation / configuration successful e.g. direct links to Azure Portal and an option to hide advanced configuration options.
  • Improvement: Even when an administrator configured the global constant WPO_AUTH_SCENARIO and set its value as ‘internet’ to prevent the plugin from initializing when running in intranet authentication mode, the plugin will still initialize when a Microsoft authentication response (= ID token) is detected or the login_init hook is triggered (which is the case for the default login page).
  • Improvement: The Employee Directory / Contacts app now supports a query template that can include a {searchterms} placeholder and if it does it will override the default query, for example startswith(department, '{searchterms}').
  • Fix: Microsoft Teams integration accidentally was not included in the latest versions v10.6 – v10.7.
  • Fix: Express login that can be toggled for the PREMIUM and INTRANET edition now works as expected.
  • Fix: When an error occurs in one of the Microsoft Office 365 Apps, the error message now starts with Oops (instead of Ups).
  • Deprecated: The Nonce secret option is no longer used (no action required).
  • Deprecated: The Default domain option is now edited as a Custom domain instead (no action required).

28th May 2020 / wp365-login[ALL VERSIONS] / v10.7

  • Change: All editions now feature the ability to embed Power BI artifacts such as reports and dashboard in any WordPress page or post. The INTRANET edition – in addition – allows administrators to directly edit the JSON source for generating tokens and embedding artifacts. See https://www.wpo365.com/power-bi-for-wordpress/ for details.
  • Change: The INTRANET edition now features a brand new Yammer app that can be embedded in any WordPress page or post. Users are authenticated when they sign into the WordPress website with Microsoft using the single sign-on experience. See https://www.wpo365.com/yammer-for-wordpress/ for details.
  • Improvement: The “wpo365_openid_token_processed” developer hook now receives the ID token as a third argument. See https://docs.wpo365.com/article/82-developer-hooks for details.
  • Fix: The (Microsoft Graph) Employee Directory app now correctly clears the list of existing results when the user continues to type the search query.

2nd May 2020 / wp365-login[ALL VERSIONS] / v10.6

  • Change: All editions of the plugin will now always show a “Sign in with Microsoft” button on the (default) WordPress login form. Administrators, however, can choose to hide the button. See https://docs.wpo365.com/article/81-enable-dual-login for details.
  • Change: The plugin no longer rejects the ID token of a user without a valid email address. This may result in premium editions of the plugin creating WordPress users without a valid address.
  • Change: The plugin now provides 3 hooks for developers to respond when a user signs in with Microsoft, receives an access token and when the plugin analyzes reasons to skip authentication. These hooks are not enabled by default. See https://docs.wpo365.com/article/82-developer-hooks for details.
  • Improvement: The (Helpscout) Support Beacon is now loaded whenever the plugin’s configuration wizard is loaded. This makes it very easy to search the available documentation when configuring the plugin without the need to open a new browser window.
  • Improvement: A new toolbar has been added to the plugin’s configuration wizard that interacts with the (Helpscout) Support Beacon, making it really easy to contact WPO365 support.
  • Improvement: The wizard now tries to load pages from the new (but still work-in-progress) documentation service https://docs.wpo365.com.

18th April 2020 / wp365-login[PREMIUM, INTRANET] / v10.5

  • Fix: The (PREMIUM and INTRANET editions of the) plugin now checks if the BuddyPress avatar is requested for a user (e.g. and not for a group).
  • Fix: The (INTRANET edition’s) Content by (SharePoint Online) Search app auto-search function did not automatically start a new search immediately after being loaded.
  • Improvement: The (INTRANET edition’s) Content by (SharePoint Online) Search app now injects a count property into the Handlebar template to make it possible e.g. to show a table header before the first row.

13th April 2020 / wp365-login[all versions] / v10.4

  • Fix: The Content by Search (SharePoint Online) and Documents (SharePoint Online / OneDrive) apps will now format dates based on the detected user’s browser (language) preference.
  • Fix: A missing (global) namespace declaration in the plugin’s update checker could cause a serious error.
  • Fix: The plugin now saves the request ID variable as a GLOBAL variable.

8th April 2020 / wp365-login[all versions] / v10.3

  • Fix: Accented characters e.g. é, è or ä would prevent the wizard from saving updated options (e.g. custom error messages, Office 365 profile field labels etc.).
  • Fix: The PLUS+ edition’s update checker was not tracking the correct item in the online store and therefore didn’t show that updates were available.

4th April 2020 / wp365-login[all versions] / v10.2

  • Fix: Usage of trailing commas after method parameters is not supported before PHP 7.3 and hence for older PHP versions the plugin may not load as expected (affected the INTRANET edition v10.1).
  • Fix: Usage of the PHP function file_get_contents to retrieve the WordPress gravatar for a user may cause a warning if the IT administrator had disallowed allow_url_fopen in php.ini (affected PREMIUM and INTRANET editions v10.1).
  • Fix: The table that tracks the user synchronization results was only updated with the results of the last batch (affected the PREMIUM and INTRANET editions v10.0 and higher).

4th April 2020 / wp365-login[all versions] / v10.1

  • New capability: An administrator (of the INTRANET edition of the plugin) can now configure Azure AD User provisioning by configuring the custom WPO365 SCIM endpoint for WordPress. See https://docs.wpo365.com/article/59-wordpress-user-provisioning-with-azure-ad-scim for details.
  • Improvement: The plugin now tries to detect whether the requested WordPress page is loaded inside of Microsoft Teams e.g. as Content Page of a custom built Microsoft Teams App. If this is the case, the plugin will show a “Sign in with Microsoft” button that – when clicked – will then start the authentication workflow in a popup window that is controlled by Microsoft Teams. See https://docs.wpo365.com/article/70-adding-a-wordpress-tab-to-microsoft-teams-and-use-single-sign-on for details.
  • Improvement: Additional Office 365 fields can now be mapped to BuddyPress Extended Profile Fields. See https://docs.wpo365.com/article/73-update-matching-buddypress-extended-profile-fields for details.
  • Improvement: An administrator can now choose to stream the WPO365 log to a remote instance of Microsoft ApplicationInsights and by doing so benefit from the advanced search, analytics and alert functions the platform offers. See https://docs.wpo365.com/article/60-use-applicationinsights for details.
  • Improvement: When synchronizing users (with the PREMIUM and / or INTRANET edition of the plugin) an Administrator can now choose to soft-delete users which will result in soft-deleted users no longer being able to sign into WordPress. Instead those users will see an Account deactivated error message.
  • Fix: The Documents app’s breadcrumb navigation will now start with the folder name if a folder path has been provided.
  • Fix: Checked PHP 7.3 compatibility with PHP Compatibility Checker and fixed two issues.

10th March 2020 / wp365-login[all versions] / v10.0

  • New capability: An administrator (of the PREMIUM and INTRANET edition of the plugin) can now create a schedule to synchronize users between Azure AD and WordPress at regular (daily or weekly) intervals. Please note that doing so requires you to have configured the (App-only) Application (client) ID and corresponding secret (see https://www.wpo365.com/use-app-only-token/ and https://www.wpo365.com/app-only-application-id/ for more details about app-only permissions). Please also note that scheduled user synchronization relies on WordPress cron jobs.
  • New capability: In addition to the Employee Directory, the INTRANET edition of the plugin now offers an advanced Contacts app that allows users to search for users, view their contact details and see their direct reports as well as their managers in the form of an interactive clickable organization chart. The app uses Handlebar templates that can be used to further customize the user experience.
  • Improvement: The Documents app (of the INTRANET edition of the plugin) can now be configured to only show the contents of a SharePoint Online / OneDrive folder. In addition it can be configured to show the recently used documents of the logged-in user.
  • Improvement: Most apps now offer the ability to add translations for (most of) the user interface elements (error information not always included).
  • Improvement: To optimize performance in case of the Internet authentication mode, administrators can now add the following line to the wp-config.php: define( 'WPO_AUTH_SCENARIO', 'internet' ); This will prevent the plugin from loading for all requests that are not for WordPress administration pages. Please be aware that – if you add this line to your wp-config.php – you must ensure that the Redirect URI ends with /wp-admin/. If this is not the case, the plugin won’t be able to receive the authentication response sent by Microsoft and the plugin will not work as expected. Please also note that the following Login / Logout capabilities won’t work and must be de-activated in advance: Dual Login, Error Page.
  • Improvement: All apps have been refactored from the ground up and have been greatly simplified from a technical / maintenance point of view by utilizing Function Components combined with React Hooks and removing React Redux. Administrators are advised to test the apps before upgrading in production.
  • Fix: Previously, the plugin would overwrite the array containing a user’s (Azure AD) groups with an empty array when it tried to retrieve missing profile fields from Microsoft Graph.

12th January 2020 / wp365-login[all versions] / v9.6

  • Improvement: The plugin will now try to request data from Microsoft Graph for the current user if essential information (user principal name, email, first or last name) is not included in the initial authentication response (ID token) (PROFESSIONAL, PREMIUM and INTRANET editions only).
  • Improvement: The WordPress session will expire automatically whenever the user closes the browser. A new setting has been added (on the Single Sign-on tab of the plugin’s wizard) to remember the user.
  • Improvement: The (INTRANET edition of the) Employee Directory now includes an Org Chart template that allows users to see an employee’s manager and direct reports.
  • Improvement: You can now customize the appearance of the (INTRANET edition of the) Documents app by adding your own translations for the available columns (or choose not to show a column at all).
  • Improvement: The plugin is now capable of running a self-test sequence that validates core configuration and received ID and access tokens. Test results include hints and recommendations for improvement.
  • Improvement: The debug log now shows an ID for each request, making it easier to understand the program flow when executing multiple requests simultaneously.
  • Improvement: The (PREMIUM and INTRANET) edition of the plugin now allows storing Office 365 profile images as avatars in the wp-content folder without the need to configure a secondary App registration for app-only tokens.
  • Tested: Compatibility with WordPress 5.3.
  • Fix: PREMIUM and INTRANET edition of the plugin do not retrieve Avatar for another user when synchronizing.
  • Fix: PREMIUM and INTRANET edition of the plugin do not update extra O365 fields if that field is a boolean and changes from true to false.
  • Fix: Compatibility with PHP 7.4 (create_func deprecation).
  • Fix: By default the plugin now starts validation of the current session on WordPress’ init hook. Administrators can, however, override this and choose to start validation earlier on the plugins_loaded hook.

22nd November 2019 / wp365-login[all versions] / v9.5

  • Improvement: An administrator can now configure to save the retrieved O365 user profile images in wp-content/uploads/wpo365/profile-images (instead of in the database), helping boost performance significantly.
  • Improvement: An administrator can now configure a 2nd Azure AD App registration for so-called application permissions. Doing so eliminates the need for sensitive permissions such as Groups.Read.All and User.Read.All being granted for all users.
  • Improvement: Apps can now be customized with the help of (Handlebars.js) templates (Employee Directory, Content by Search).
  • Improvement: Using (colorful) branded icons for Office products (Content by Search).
  • Improvement: Specify the (custom Azure AD extension) properties that should return from a Microsoft Graph users query e.g. employeeId (Employee Directory).
  • Improvement: Specify to use the current user’s OneDrive as the library source instead of entering the OneDrive site address and library title (Documents).
  • Fix: IE 11 compatibility (all apps).
  • Fix: Rendering of (user profile) images in search results (Employee Directory, Content by Search).
  • Fix: Increased time-out waiting to start searching after a user entered a query (Employee Directory).

11th October 2019 / wp365-login[all versions] / v9.4

  • Improvement: An administrator can now configure the plugin to automatically assign users a WordPress role by creating one or more mappings between a (username’s login) domain on the one side and a WordPress role on the other side. Visit https://www.wpo365.com/domain-roles-mappings/.
  • Improvement: Added support for so-called Azure single sign out. Visit https://www.wpo365.com/enable-logout-without-confirmation/.
  • Improvement: An administrator can now configure a domain hint to prevent users that are already logged on to another Azure AD / Office 365 tenant from signing in with possibly the wrong Microsoft work or school account. Visit https://www.wpo365.com/domain-hint/.
  • Improvement: The plugin, when receiving the authentication response from Microsoft, will now additionally search in WordPress for users by account name i.e. the user’s principal name (= Office 365 login name) without the domain suffix. However, please be aware that some plugin features expect a WordPress username to be a legitimate Azure AD login name. Features not working when the WordPress user name is not a fully qualified Azure AD user principal name are the Avatar synchronization, mapping of Azure AD group memberships to WordPress roles and adding additional Office 365 user profile properties to a user’s WordPress and / or BuddyPress profile as well as the deep integration in MS Graph and SharePoint Online.
  • Improvement: Some 3rd party themes and plugins that hook into the user_register action e.g. to send an email with a confirmation link, would run into a fatal error when the action was triggered. This new configuration setting (on the Miscellaneous tab) – when checked – is a work-around to disable the action from being triggered (when a new user is created automatically by the plugin). Visit https://www.wpo365.com/skip-user-register-action/.
  • Fix: Error “Undefined variable: resource Auth.php on line 774”.

19th September 2019 / wp365-login[all versions] / v9.3

  • Change: The plugin now ships with a built-in SharePoint Online Documents app (see https://www.wpo365.com/documents/).
  • Improvement: A new setting “Retrieve all group memberships” allows you to retrieve all sorts of groups memberships when synchronizing users instead of only the security-enabled group memberships.

5th September 2019 / wp365-login[all versions] / v9.2

  • Fix: Getting / setting WordPress transients now takes WordPress multisite into account to prevent the “Your login has been tampered with” error when signing into a subsite (when authentication configuration is shared between all sites in the network).

1st September 2019 / wp365-login[all versions] / v9.1

  • Improvement: Optionally you can specify your custom query when synchronizing users (see https://www.wpo365.com/user-sync-query/).
  • Improvement: Optionally you can specify a Welcome Page URL where new users are sent after they signed on with Microsoft the very first time (see https://www.wpo365.com/welcome-page-url/).
  • Improvement: You can now (try to) activate your license.
  • Fix: When redirecting, the plugin now writes a proper HTML document incl. doctype.
  • Fix: The plugin now tries to obtain the initial URL the users intended to load on the client and preserves query parameters and fragments (hash).

2nd August 2019 / wp365-login[all versions] / v9.0

  • Change: The plugin now ships with a built-in SharePoint Online Search app (see online documentation).
  • Change: The plugin now ships with a built-in Employee Directory app that queries Microsoft Graph (see online documentation).
  • Change: When using BuddyPress you can now instruct the plugin to show the Office 365 profile picture instead.
  • Fix: When synchronizing users the plugin will now also update core user fields (email, first name, last name, display name).
  • Fix: When synchronizing users the plugin will now also retrieve a user’s Office 365 profile picture (if this feature is enabled and if an older version that has not yet expired is not found).
  • Fix: If the plugin detects a different scheme between the Azure AD redirect URL and the URL the user navigated to before the SSO workflow started the plugin autocorrects the scheme (changes http:// to https://) to avoid infinite loops. An error will be generated in the log and the admin should take appropriate measures e.g. updating .htaccess to ensure the site automatically redirects to its secure version.

23rd July 2019 / wp365-login[all versions] / v8.6

  • Fix: The plugin will only (try to) retrieve additional user fields (from O365) if the user signed in with Microsoft (assumption made by analyzing the email domain).
  • Fix: When the Dual Login feature is activated, the plugin now redirects the user to the WordPress site instead to initiate the login workflow.
  • Fix: A typo caused the BASIC edition to cause a warning when trying to show the discount banner.
  • Fix: When redirecting to Microsoft the plugin would sometimes not remember the state correctly, resulting in a login error.
  • Fix: Cache buster for the wizard was not set correctly and therefore wizard updates were not immediately visible after an upgrade.
  • Fix: More robust detection whether WordPress is loaded in an iframe.

10th July 2019 / wp365-login[all versions] / v8.5

  • Change: Now the plugin will no longer require access to WP REST API or WP AJAX API. Instead the plugin adds an additional POST request to trigger the Single Sign-on workflow. This request uses a cache breaker to work-around server-side cache, allowing admins to configure the home url (instead of the WP Admin url) as a Redirect URI for the Azure AD App registration.
  • Change: User synchronization no longer requires (unattended) access to the WP AJAX API. Instead the plugin will “loop” until all users found in Microsoft Graph have been processed. For the admin starting the synchronization this will appear as a synchronous action but in reality the synchronization is executed in batches of 10 users. By doing so the synchronization will not eventually time out (but as a drawback can also not be executed unattended).

7th July 2019 / wp365-login[all versions] / v8.4

  • Fix: Removed the “too” opinionated validation of schemes used for redirect URI and WordPress URL.
  • Fix: Improved the detection of HTTPS (but it is up to the administrator to ensure SSL is being enforced for the front and back end).
  • Fix: Removed dead code.

1st July 2019 / wp365-login[all versions] / v8.3

  • Change: Moved the custom API for users to obtain the Microsoft authentication endpoint e.g. login.microsoftonline.com to the WordPress REST API. Please ensure that this endpoint i.e. https://www.example.com/wp-json/wpo365/ is not blocked e.g. by basic auth, another plugin or your firewall.
  • Change: If the custom (WP REST) API is not available to end users (e.g. because it is disabled or blocked) the user will see an error message and instructions on how to resolve the issue are printed to the developer console (F12).
  • Change: The option to bypass the NONCE verification (at your own risk) to work around server-side cache has been re-activated. This option should only be used in combination with SSL.
  • Change: The client-side redirect script will try and detect if it’s being loaded in an iframe (which is by default not supported by Microsoft) and if this is the case it will try and open a popup instead. Please make sure popup blockers are disabled for your domain, if you are trying to place your website in an iframe. For Internet Explorer / Edge please make sure that login.microsoftonline.com and your website are both added to the same security zone.
  • Change: Logging has been improved with a filter to only show errors and error descriptions now offer more guidance on how they can be resolved.
  • Fix: When WordPress multisite has been installed, the plugin will detect when the user changes the (sub) site (when the admin configured WPO_MU_USE_SUBSITE_OPTIONS (true)) and if this is the case signs out the user and eventually redirects the user to Microsoft to authenticate for the new (sub) site.

25th June 2019 / wp365-login[all versions] / v8.2

  • Fix: WPO365 admin menu not available when WPO_MU_USE_SUBSITE_OPTIONS (true) has been configured.
  • Fix: O365 user fields now requested using the user’s principal name (upn) instead of email address.

21st June 2019 / wp365-login[all versions] / v8.1

  • Fix: Compatibility with older browsers, specifically IE11.
  • Fix: Added a cache breaker when loading pintra-redirectjs.

18th June 2019 / wp365-login[all versions] / v8.0

  • Change: To work-around server-side caching the previous solution to redirect via /wp-admin has been discontinued. Instead the plugin will now output a short (cachable) JavaScript that will request the authentication URL from a custom WordPress AJAX service and redirect the user accordingly.
  • Change: The way nonces are generated and validated has been changed to ensure that nonces are really used only once.
  • Change: A version 2 of the “Sign-in with Microsoft” shortcode has been added to take advantage of the aforementioned client-side redirection to prevent server-side caching. Older “Sign-in with Microsoft” shortcode templates will continue to work but it is recommended that they are updated accordingly.
  • Change: A version 2 of the “Dual Login” feature (= previously referred to as “Redirect to login”) has been added to take advantage of the aforementioned client-side redirection to prevent server-side caching. Older Dual Login templates will continue to work but it is recommended that they are updated accordingly.
  • Change: The plugin now requires that the Azure AD “Redirect URI” and your WordPress (Site) Address use the same scheme e.g. http(s). If this is not the case it will show a “Plugin is not configured” error and will basically disable itself, to prevent infinite loops.
  • Change: Debug log will now show the debug in descending order (latest entries first).
  • Change: The plugin will now try and automatically add a trailing slash whenever it tries to redirect the user.
  • Change: When using the “Dual Login” feature (= previously referred to as Redirect to login) the plugin will now remember the URL the user initially requested and redirect the user accordingly upon successful authentication.
  • Change: The plugin’s wizard “Test authentication” button has been removed. Instead the configuration is always saved and then tested. The authentication URL used for testing will now appear after clicking “Save configuration” since this URL (and the corresponding nonce) is generated server-side and must be unique.
  • Fix: A legacy function to prevent client-side caching that generated unnecessary error log entries (and thus unnecessary warnings in WP admin) has been removed.

4th June 2019 / wp365-login[all versions] / v7.18

  • Change: The plugin will regularly check the error log to see if recently new errors were logged and if so show a dismissable notice in the WordPress admin area.
  • Change: The administrator can choose to suppress the error notice in the WordPress admin area.
  • Fix: Improved the improved way of parsing the ID token (trying to get the user principal name first if available).
  • Fix: The plugin would throw a previously uncaught exception when trying to log an event when the synchronization of users would fail.

30th May 2019 / wp365-login[all versions] / v7.17

  • Change: Now that Microsoft has made the new Azure App registration portal Generally Available, the recommended Azure AD endpoint to use is v2.0 (see https://www.wpo365.com/azure-application-registration/).
  • Change: The plugin now supports retrieving manager data (display name, email, telephone number(s), office location, country) of an O365 user through Microsoft Graph.
  • Change: When configuring “Redirect to login” you can now choose to hide the SSO link which is otherwise shown above the login form.
  • Change: You can now configure a custom login URL (which is automatically added to the Pages Blacklist).
  • Fix: Improved way of parsing the ID token, avoiding unexpected WP user names, especially for Azure AD guests and users from other tenants.
  • Fix: Display name property now correctly set when creating a new WP user using the information from the parsed ID token.
  • Fix: Now the plugin will check – when multisite is activated – whether the logged in user authenticated for the current site and if not the user will be logged out and forced to authenticate again.
  • Fix: WP user now created with a stronger default password.

15th May 2019 / wp365-login[all versions] / v7.16

  • Fix: Improved caching of license check result to prevent it from impacting the overall website performance.
  • Fix: Now the wizard is loaded with a cache breaker to ensure with each new plugin version the latest version shows immediately.
  • Fix: White spaces at the beginning and end of configuration options that are strings are now properly trimmed.

12th May 2019 / wp365-login[all versions] / v7.15

  • Change: Added software licensing and replaced automated upgrade with license key based solution (professional and premium version).
  • Fix: Additional logging when synchronizing user (premium version).

5th May 2019 / wp365-login[all versions] / v7.14

  • Change: Added an extra option (see Miscellaneous tab of the plugin’s configuration wizard) to prevent the wp-login hook from being fired as it may cause an error in combination with some 3rd party themes.
  • Fix: The plugin now recognizes the super administrator (available only for WordPress multisite) as an administrator of (any) subsite.

28th April 2019 / wp365-login[all versions] / v7.13

  • Fix: The plugin now checks whether a user is an administrator by verifying roles instead of capabilities.
  • Fix: The plugin’s URL cache now resolves the WordPress home URL instead of the site address for the website’s front end home.
  • Fix: The plugin now correctly recognizes a “bounced” request when preparing to redirect the user to Microsoft’s authentication endpoint.

26th April 2019 / wp365-login[all versions] / v7.12

  • Change: The plugin can be configured to skip authentication when requesting data from the WordPress REST API when a Basic authentication header is present (professional and premium editions only).
  • Change: You can configure the plugin to skip nonce verification (however, it is not recommended to do so but instead find the root cause e.g. an aggressive server-side caching strategy).
  • Change: User synchronization is now supported at the level of a (sub) site in a WordPress Multisite WPMU network (premium edition only).
  • Change: User synchronization now checks user capabilities and won’t delete users that have the administrator capability (premium edition only).
  • Fix: Check for admin capabilities would not always return true for a WordPress Multisite WPMU Network.
  • Fix: Due to a regression the number of users synced per batch was set to 1 instead of 10 (premium edition only).
  • Fix: Manual login attempts will now be intercepted even when redirect to login is checked (professional and premium editions only).

9th April 2019 / wp365-login[all versions] / v7.11

  • Change: User Synchronization is now executed in asynchronous batches of 25 users each until finished to prevent a timeout exception. As soon as the asynchronous user synchronization has finished the plugin will (try and) send an email to website’s administrator (premium version only).
  • Change: When you have selected the Intranet (Authentication) Scenario, you can check the “Public Homepage” option to allow anonymous access to the WordPress frontpage i.e. your website’s home page (premium and professional version only).
  • Change: A direct link to the WPO365 Wizard has been added to the Admin Dashboard Menu.
  • Change: You can now toggle debug mode comfortably from the “Debug” tab that has been added to the plugin’s configuration wizard. The debug log can now be viewed on that tab as well and you can copy the log to the clipboard.
  • Change: The plugin now partially obscures a number of configuration secrets e.g. application ID, application secret, nonce etc.
  • Change: The plugin’s wizard has been enhanced with a number of warnings in the form of popups to provide more guidance when configuring the plugin.
  • Fix: Synchronizing external users has been improved and the user name configured by the plugin is the external user’s own email address (instead of the – sanitized – Azure AD User Principal Name) (premium version only).
  • Fix: When a user – for any reason – cannot be created, the plugin would try and log that user’s ID, causing an irrecoverable exception, which is now caught and logged adequately.

30th March 2019 / wp365-login[all versions] / v7.10

  • Fix: Stricter validation of the Error Page URL and Pages Blacklist entries to ensure that the website is not accidentally added (causing the plugin to skip authentication altogether).
  • Fix: Automatic update for the PROFESSIONAL edition failed.

28th March 2019 / wp365-login[all versions] / v7.9

  • Fix: Custom error messages were ignored due to an error with the property’s casing.
  • Change: The professional and premium version now offer a Redirect to login option that when checked will send the user to the default WordPress login form (instead of the Microsoft) and on the login form a message will inform the user that he / she can also sign into the website using his / her Microsoft Office 365 / Azure AD account (and provide a link that when clicked will sign in the user with Microsoft).

21st March 2019 / wp365-login[all versions] / v7.8

  • Fix: Auto-fix for bypassing server-side cache didn’t work as expected.
  • Change: The BASIC edition will now show an appropriate error message when user not found.
  • Change: Added a short code that can be used on a custom error page to display the plugin’s error message (professional / premium only).

19th March 2019 / wp365-login[all versions] / v7.7

  • Fix: Removed “Plugin not configured” error redirection which prevented users from logging on with their WordPress-only admin account when the plugin was not yet configured.
  • Fix: (Smoke) Tested against PHP 7.3.3 and replaced deprecated create_function call.

17th March 2019 / wp365-login[all versions] / v7.6

  • Change: You can now configure an Error Page. When configured, the plugin will redirect the user to this page each time it runs into an error e.g. user not found, plugin not configured etc. If no Error Page is configured, the plugin will instead redirect the user to the default WordPress login form. The plugin will automatically skip the Error Page when authenticating a request (to avoid an infinite loop). The error code will be sent along as a query string parameter and can be used to customize your own Error Page.

17th March 2019 / wp365-login[professional / premium] / v7.6

  • Change: When you change the authentication scenario to “Internet” the Pages Blacklist will be replaced by a Private Pages list. Posts and Pages added to the new Private Pages list will only be accessible for authenticated users. If the user is authenticated, the plugin will try and sign in the user with Microsoft.
  • Fix: Added MIME Type and Content Headers to the New User Notification email template.

3rd March 2019 / wp365-login[professional / premium] / v7.5

  • Change: The plugin can now be configured to send a (customizable) new user registration email.

3rd February 2019 / wp365-login[all versions] / v7.4

  • Fix: If a user is not manually registered prior to trying to sign into the WordPress site with Microsoft, the user would end up in an infinite loop (only impacts basic version).
  • Fix: Remove crossorigin from Pintra Fx template since this was causing an issue downloading react files from UNPKG CDN.

3rd February 2019 / wp365-login[all versions] / v7.3

  • See Important Upgrade Notice v7.3
  • Fix: A new setting Don’t try bypass (server side) cache on the Miscellaneous Tab now controls whether the plugin will try and bypass the server side cache by redirecting the user first to /wp-admin before redirecting the user to Microsoft’s Identity Provider.
  • Fix: A new global constant WPO_MU_USE_SUBSITE_OPTIONS allows administrators of a WordPress multisite network to toggle between a shared scenario in which all subsites in the network share the same Azure AD application registration and a dedicated scenario in which all sites in the network will have to be configured individually.

17th January 2019 / wp365-login[all versions] / v7.2

  • Fix: Missing namespace import causing server error when user cannot be added successfully [professional, premium]

17th January 2019 / wp365-login[all versions] / v7.1

  • Change: Now the plugin can redirect users based on their Azure AD Group Membership [premium]
  • Fix: User synchronization would not work correctly with Graph Version set to beta
  • Fix: Added support for wp_login hook
  • Fix: Lowered priority when hooking into the wp_authenticate hook

15th January 2019 / wp365-login-premium / v7.0

14th January 2019 / wp365-login / v7.0

13th December 2018 / wp365-login-premium / v5.3

  • Change: Extra user fields will now show on a BuddyPress profile page as Directory Info
  • Change: User synchronization will never update a user that is an administrator (the option *Do not update existing admins* has been deleted)
  • Fix: User synchronization does not work for WordPress Multisite
  • Fix: User synchronization for WordPress Multisite should only be available for the main (root) site

5th December 2018 / wp365-spo-premium / v2.0

  • Change: The app is now a Pintra Framework app and uses the new AJAX token service from the wpo365-login plugin
  • Change: Added a Pintra Framework shortcode generator – Now it’s a breeze to configure the app

5th December 2018 / wp365-login-premium / v5.2

  • Change: Removed the (Redux) WPO365 Option for scope
  • Change: Support for Azure AD v2.0 authentication and access token requests (preview, more information will follow in a separate upcoming post)
  • Change: Updated the access token (AJAX) service API to support Azure AD v2.0 scope based token requests
  • Change: Authorization, access and refresh codes and tokens are now stored as JSON encoded classes
  • Change: Previously deprecated methods have been removed (other / third party plugins and apps must integrate using the API now)

4th December 2018 / wp365-login / v6.1

  • Change: Removed the (Redux) WPO365 Option for scope
  • Change: Support for Azure AD v2.0 authentication and access token requests (preview, more information will follow in a separate upcoming post)
  • Change: Updated the access token (AJAX) service API to support Azure AD v2.0 scope based token requests
  • Change: Authorization, access and refresh codes and tokens are now stored as JSON encoded classes
  • Change: Previously deprecated methods have been removed (other / third party plugins and apps must integrate using the API now)

4th December 2018 / wp365-spo / v2.0

  • Change: The app is now a Pintra Framework app and uses the new AJAX token service from the wpo365-login plugin
  • Change: Added a Pintra Framework shortcode generator – Now it’s a breeze to configure the app

18th November 2018 / wp365-login-premium / v5.1

  • Fix: Msft_Graph::fetch may return WP_Error and the avatar function was not handling this correctly

16th November 2018 / wp365-login-premium / v5.0

  • Change: A configuration option has been added to always redirect a user to a designated page upon signing into the website
  • Change: A client (side) application can now request an oauth access token for any Azure AD secured resource e.g. Graph and SharePoint Online
  • Change: A configuration section has been added to configure / disable the aforementioned AJAX service for Azure AD oauth access tokens
  • Change: A Configuration section has been added that allows administrators to define custom login error messages
  • Change: Refresh tokens e.g. for Graph and SharePoint Online are now set to expire after 14 days
  • Change: The plugin will now cache the Microsoft signin keys used to verify the incoming ID token for 6 hours to improve overall performance
  • Change: The flow to obtain access tokens has been refactored and greatly simplified (existing methods have been marked deprecated)
  • Fix: Dynamic role assignment will not add default role when user has existing role(s)

16th November 2018 / wp365-login / v6.0

  • Change: A configuration option has been added to always redirect a user to a designated page upon signing into the website
  • Change: A client (side) application can now request an oauth access token for any Azure AD secured resource e.g. Graph and SharePoint Online
  • Change: A configuration section has been added to configure / disable the aforementioned AJAX service for Azure AD oauth access tokens
  • Change: A Configuration section has been added that allows administrators to define custom login error messages
  • Change: Refresh tokens e.g. for Graph and SharePoint Online are now set to expire after 14 days
  • Change: The plugin will now cache the Microsoft signin keys used to verify the incoming ID token for 6 hours to improve overall performance
  • Change: The flow to obtain access tokens has been refactored and greatly simplified (existing methods have been marked deprecated)
  • Fix: Dynamic role assignment will not add default role when user has existing role(s)

21st October 2018 / wp365-spo-premium / v1.1

  • Fix: Access token will only be requested on pages where the app is added using the shortcode
  • Fix: Don’t delete plugin version number each time the plugin is loaded
  • Refactoring: Standardized the naming of the user meta key used to cache the access token
  • Refactoring: Reduced the number of dependencies on the wpo365-login plugin

21st October 2018 / wp365-spo / v1.3

  • Fix: Access token will only be requested on pages where the app is added using the shortcode
  • Fix: Don’t delete plugin version number each time the plugin is loaded
  • Refactoring: Standardized the naming of the user meta key used to cache the access token
  • Refactoring: Reduced the number of dependencies on the wpo365-login plugin

8th October 2018 / wp365-spo / v1.2

  • Fix: item path property was wrongly set to author

4th October 2018 / wp365-login-premium / v4.6

  • Change: Pages Blacklist can now include query string parts e.g. “?api=” but administrators need to be aware that this can potentially weaken overall security (read more)

4th October 2018 / wp365-login / v5.3

  • Change: Pages Blacklist can now include query string parts e.g. “?api=” but administrators need to be aware that this can potentially weaken overall security (read more)

27th September 2018 / wp365-login-premium / v4.5

  • Fix: user_nicename – a WP_User field that is limited to 50 characters – was wrongly set to a user’s full name which under circumstances prevented a user from being created successfully

27th September 2018 / wp365-login / v5.2

  • Fix: user_nicename – a WP_User field that is limited to 50 characters – was wrongly set to a user’s full name which under circumstances prevented a user from being created successfully

4th September 2018 / wp365-login-premium / v4.4

  • Fix: Change PHP language construct to restore compatibility with PHP 5.3.29

4th September 2018 / wp365-login-premium / v4.3

  • Change: An extra configuration option has been added to instruct the plugin to only try and add the default role if no other role(s) could be assigned i.e. no valid Azure AD to WordPress role mapping exists for that user
  • Fix: Check before redirecting whether headers are sent and if yes the plugin now falls back to an alternative method to redirect

30th August 2018 / wp365-login / v5.1

  • Fix: When searching for O365 users search both in email and login name
  • Fix: Check before redirecting whether headers are sent and if yes falls back to an alternative method to redirect
  • Fix: search_columns argument for WP_User_Query must be an array

22nd August 2018 / wp365-login-premium / v4.1

  • The User Synchronization job will now show additionally a list of existing WordPress users with an Office 365 account
  • When running User Synchronization you can choose to update existing WordPress users – if properly configured – the plugin will retrieve 1) additional user information from Microsoft Graph and 2) evaluate the Office 365 Azure AD Security Groups to WordPress roles mappings (and assign new roles when needed)
  • For the User Synchronization to be able to retrieve Office 365 Azure AD Security Group information for a user the permissions for the corresponding Azure AD Application Registration must be updated (see online documentation here)
  • When creating new WordPress users by either running a User Synchronization job or by manually clicking Create – if properly configured – the plugin will retrieve 1) additional user information from Microsoft Graph and 2) evaluate the Office 365 Azure AD Security Groups to WordPress roles mappings (and assign new roles when needed)
  • The plugin is now capable of assigning multiple roles to a user and when doing so it will either first delete any existing roles before assigning new ones or instead preserve existing roles prior to adding new ones
  • The setting Update user role has been deprecated and instead the plugin will always try to update the user’s role in one of two possible modes: “add” (default) or “replace”
  • The plugin offers a new setting User role update scenario that lets you choose between replacing all existing roles with new ones or instead only add any possible new roles (default behaviour)
  • Now that the plugin is capable of assigning multiple roles it will always (at least) add the default role for the main site as per configuration before adding any applicable roles as per Office 365 Azure AD Security Group to WordPress role mappings
  • The HTML template for the Sign in with Microsoft shortcode can be customized in the shortcode body (see documentation)
  • When the premium plugin is activated it will check whether the “personal blog / free” version is still activated and if yes try and deactivate it

10th August 2018 / wp365-login-premium / v4.0

  • Administrators can now configure which additional Office 365 user fields should be retrieved from Microsoft Graph and what the corresponding field title is in WordPress
  • Additional Office 365 user fields e.g. Job Title, Mobile Phone etc. are now editable by a user (when this user has sufficient permissions to update his or her WordPress profile in the first place) and those changes are not synchronized back to Office 365 Azure AD
  • Use a WordPress shortcode wpo365-sign-in-with-microsoft-sc to place a login link on your site wherever you want
  • When synchronizing users with Office 365 Azure AD the plugin will try and retrieve additional user information immediately
  • Now you can supply a list of semi-colon separated own domains (e.g. “wpo365.com;wp-o365.com”) to support enterprises that have mapped multiple domains to their Office 365 tenant
  • Select the preferred Microsoft Graph version i.e. v1.0 or beta (which is experimental but returns – for example – more user fields)
  • Moved the JWT class into the Wpo namespace (to avoid class loading issues)
  • Added psr-4 type auto class loading
  • Code refactoring to allow for the SharePoint Online Plugin and other extensions to re-use existing code base

10th August 2018 / wp365-login / v5.0

  • Moved the JWT class into the Wpo namespace (to avoid class loading issues)
  • Added psr-4 type auto class loading
  • Code refactoring to allow for the SharePoint Online Plugin and other extensions to re-use existing code base

10th August 2018 / wp365-spo-premium / v1.0

10th August 2018 / wp365-spo / v1.0

  • The plugin has been fully modernized and re-written from the ground up to better integrate with the other WPO365 plugins for user authentication, registration and synchronization
  • Using the short code [wpo365-content-by-search-sc] any page can be turned into a SharePoint Online Search Center
  • Support for incremental searching

24th June 2018 / wp365-login-premium / v3.2

15th June 2018 / wp365-login-premium / v3.1

8th June 2018 / wp365-login-premium / v3.0

Version 3.0 adds Azure AD user synchronization as a new feature.

  • The ability to quickly rollout new users to WordPress from Active Directory
  • Disable user access to WordPress for users that are disabled in your tenant / domain

6th June 2018 / wp365-login-premium / v2.4

  • Added an option to force WordPress to send no-cache headers when the global variable WPO_NOCACHE has been defined and set to true e.g. define( 'WPO_NOCACHE', true );
  • Fixed an issue where the plugin tried to read the session duration from a global variable without a fallback option to a Redux variable causing unnecessary token refresh roundtrips
  • Fixed a minor bug where the plugin did not check whether an error occurred when creating a new WP user

23rd May 2018 / wp365-login-premium / v2.3

  • Added plugin update checker. Please add a new wp-config.php setting  WPO_LOGIN_DOWNLOAD_LINK or when using Redux, please visit WPO365 Options > Downloads > wpo365-login download link and copy the download link you have received when purchasing the plugin
  • Fixed an issue with array function dereferencing
  • Removed email settings
  • Minor refactoring

14th May 2018 / wp365-login-premium / v2.2

  • Fixed an issue in the Auth class (line 96) where the PHP language construct empty() was given a function but it can only handle variables

10th May 2018 / wp365-login-premium / v2.1

  • Fixed an issue with the Azure AD Groups Whitelist – When an Azure AD Groups Whitelist was configured, a user was required to be a member of all groups rather than just one
  • Added license file
  • Updated README

8th May 2018 / wp365-login / v4.0

  • Added license validation for the Personal Blog (free) version, in order to prevent the creation of more than 3 users (unlimited users can still be created manually).

6th May 2018 / wp365-login / v3.13

  • New information banner on wpo365-options page.

5th May 2018 / wp365-login-premium / v2.0

  • Enhances a user’s profile with additional fields from Microsoft Graph (mobilePhone, businessPhones, officeLocation, jobTitle)
  • New WP_CONFIG settings WPO_GRAPH_USER_DETAILS (true|false) to enable|disable retrieving and showing additional user fields from Microsoft Graph
  • Fixed an issue with the avatar always showing the profile picture from the current user
  • Fixed an issue when retrieving global boolean variables that were set to false
  • Fixed an issue when exploding an empty string which returned a non-empty array

4th May 2018 / wp365-login-premium / v1.7

  • Replaced array construct to remain compatible with older PHP versions
  • The plugin now decides whether to prepend https to the state property based on the protocol used for the redirect URL. Some WordPress hosts use SSL terminating proxies, which causes the default WordPress SSL detection to fail. This may cause the plugin to redirect the user after login to the wrong website address, starting with http instead of https, and this may eventually lead to the user being caught in an infinite authentication loop.
  • Simplified the nonce algorithm

3rd May 2018 / wp365-login / v3.12

  • The plugin now decides whether to prepend https to the state property based on the protocol used for the redirect URL. Some WordPress hosts use SSL terminating proxies, which causes the default WordPress SSL detection to fail. This may cause the plugin to redirect the user after login to the wrong website address, starting with http instead of https, and this may eventually lead to the user being caught in an infinite authentication loop.
  • Simplified the nonce algorithm.

30th April 2018 / wp365-login / v3.11

  • Replaced array construct to remain compatible with older PHP versions.

26th April 2018 / wp365-login-premium / v1.6

  • Replaced the nonce algorithm to try and minimize the “Your login has been tampered with” security warning
  • New WP_CONFIG setting WPO_NONCE_SECRET
  • Fixed error related to callback for destroy_wpo365_session action

26th April 2018 / wp365-login / v3.10

  • Replaced the nonce algorithm to try and minimize the “Your login has been tampered with” security warning

24th April 2018 / wp365-login-premium / v1.5

  • Prevent email and password changes for Office 365 users only
  • Forward any manual login request from an Office 365 user to Microsoft
  • New WP_CONFIG settings WPO_CUSTOM_DOAMIN (string), WPO_DEFAULT_DOMAIN (string), WPO_INTERCEPT_WP_LOGIN (true|false) and WPO_GOTO_AFTER_SIGNON_URL (string)

17th April 2018 / wp365-login-premium / v1.4

  • Replaces a user’s default WordPress avatar with the Office 365 (O365) profile picture and caches it
  • New WP_CONFIG settings WPO_USE_AVATAR (true|false) and WPO_AVATAR_REFRESH (1296000)

15th April 2018 / wp365-login-premium / v1.3

  • Bug fixes

15th April 2018 / wp365-login-premium / v1.2

  • Added a configurable leeway time to account for clock skew when checking the ID token validity
  • New WP_CONFIG setting WPO_LEEWAY (300)

15th April 2018 / wp365-login-premium / v1.1

  • Limit access by Office 365 or Azure AD Security Group (new WP_CONFIG setting WPO_GROUPS_WHITELIST)
  • Allow creating mappings between Office 365 or Azure AD Security Groups (new WP_CONFIG setting WPO_GROUP_MAPPINGS)

1st April 2018 / wp365-login-premium / v1.0

  • Initial version (based on wp365-login free version)