Change Log

Latest changes

19th April 2024 / v27.2

  • IMPROVEMENT The list of Optional SCIM attribute mappings on the plugin’s User Sync configuration page has been deprecated. Administrators who have support for SCIM based Azure AD User provisioning enabled are urged to migrate these mappings to the list SCIM attribute to WordPress user meta mappings in the section Custom User Fields using the corresponding Migrate optional SCIM attribute mappings button. [SCIM, INTRANET]
  • FIX Some SCIM attribute to WordPress user meta mappings, e.g. “emails[type eq "work"].value”, were only processed by WPO365 internally, e.g. to update a user’s WordPress profile. With this change, these attributes can now also be mapped to WordPress user meta. [SCIM, INTRANET]
  • FIX An administrator now can (and should) – besides the ID token claim – also specify the corresponding AAD user property (and SCIM claim, if support for SCIM based Azure AD User provisioning has been enabled) that WPO365 should use for a new WordPress user’s username. This only concerns those administrators, who configured a custom claim as the username of a new WordPress user (on the plugin’s User registration configuration page). [(LOGIN+), CUSTOMERS, SCIM, SYNC, SCIM]
  • FIX By fixing a caching issue, WPO365 should – after this update – no longer show a notification that There is a new version of […] available […] for WPO365 premium addons and bundles, after those were updated to the latest version. [ALL PREMIUM ADDONS / BUNDLES]

10th April 2024 / v27.1

  • FIX “Strict Mode” for the Redirect URI can now also be enabled for the WPO365 | MICROSOFT GRAPH MAILER plugin (so it will only try to process an OAuth response / payload detected at the exact URL, which must be a path below the site’s home address e.g. /oidc-auth/). [MICROSOFT GRAPH MAILER]
  • FIX WPO365 will not try to process an OAuth response / payload if both features SSO and MICROSOFT GRAPH MAILER are disabled, or if SSO is disabled but MICROSOFT GRAPH MAILER is enabled but the administrator did not start an attempt to authorize an account to send emails from. [LOGIN, MICROSOFT GRAPH MAILER]
  • FIX WPO365 Health Messages are now correctly displayed on the corresponding panel for the MICROSOFT GRAPH MAILER plugin. [MICROSOFT GRAPH MAILER]
  • FIX A cached Authorization Code will now be correctly removed from that cache once it has been redeemed. [LOGIN]
  • FIX A user’s UPN is now correctly escaped before inserting it into the WPO365 User Synchronization database table (to support UPNs with single quotes). [SYNC, INTRANET]

26th March 2024 / v27.0

  • BREAKING CHANGE HTML and CSS for the default login-button has changed slightly and the wrapper is now a flex-box, to allow for an additional drop-down list in case the administrator configured multiple Identity Providers. An administrator, however, can revert this change and configure WPO365 to use the old login-button template (see the corresponding option on the plugin’s Miscellaneous configuration page). [LOGIN]
  • BREAKING CHANGE To support DevOps workflows and site replication scenarios, WPO365 now automatically detects named constants in your website’s wp-config.php file that either configure a single Identity Provider (IdP) or any of the WPO365 settings that are not directly related to an IdP. As a result, the option Use WP-Config.php for AAD secrets has been renamed to Obfuscate AAD options and the option Use WP-Config.php to override (some) config options has been removed. [ANY PREMIUM ADDON / BUNDLE]
  • BREAKING CHANGE LearnDash enrollment rules are now also applied to existing users (when they sign in or when users are synchronized). [ROLES + ACCESS, SYNC, INTRANET]
  • FEATURE (PREVIEW) Administrators can now configure WPO365 to support multiple Identity Providers (IdP). If multiple IdPs have been configured, WPO365 will – by default – render a dropdown list enumerating IdPs by their “friendly name”. A user simply picks an IdP from the list before clicking “Sign in with Microsoft”. Refer to the new tutorial for further details. [ANY PREMIUM ADDON / BUNDLE]
  • FEATURE (PREVIEW) Now administrators can enable WPO365 Insights and aggregate various events into straightforward management dashboards. These dashboards are designed to offer valuable insights, such as tracking the count of users who have authenticated successfully or unsuccessfully, monitoring emails that have been sent successfully or unsuccessfully, and overseeing the synchronization status of users, whether through SCIM, WPO365 User synchronization, or during their initial sign-in. See the new online guide for further details. [ALL]
  • FEATURE (PREVIEW) Administrators can now add app roles to an App registration in Microsoft Entra Admin Center and use them to dynamically assign WordPress roles to users. See the online documentation for further details. [ROLES + ACCESS, SYNC, INTRANET]
  • FEATURE (PREVIEW) WPO365 now also supports the SAML 2.0 protocol for use with Azure AD’s multi-tenancy feature. See the online documentation for further details. [LOGIN+, SYNC, INTRANET]
  • IMPROVEMENT WPO365 can now be configured to skip saving the default WP avatar for a user without a profile picture. See the online documentation for further details. [AVATAR, SYNC, INTRANET]
  • IMPROVEMENT An administrator can now choose between the WordPress site URL or the WP Admin URL as the default landing page after a user successfully signed in with Microsoft. Alternatively, a custom URL can be defined when the LOGIN+ addon, or the SYNC or INTRANET is detected. [LOGIN, LOGIN+, SYNC, INTRANET]
  • IMPROVEMENT When a SAML 2.0 X509 certificate is missing from the configuration, is expired or has been withdrawn, WPO365 will try and read the tenant’s federation metadata to obtain (and cache) a new signing key. [LOGIN]
  • IMPROVEMENT WPO365 Health Messages will no longer be displayed on a default WordPress notification banner, but instead a dismissable panel will slide over the configuration app. [LOGIN]
  • IMPROVEMENT After running the Plugin self-test for SAML 2.0 based SSO, the raw SAML response can now be viewed by clicking the corresponding link for the “SAML response has been processed and no errors occurred” test case. [LOGIN]
  • IMPROVEMENT Generated passwords are checked to ensure that the generated password has characters from all four possible categories (lower and upper case, numbers and symbols). [LOGIN]
  • IMPROVEMENT When deleting a WPO365 configuration, several caches e.g. for access tokens and certificates, are cleaned as well. [LOGIN]
  • IMPROVEMENT WPO365 will now update BuddyPress profile fields (provided that this option is enabled) whenever Azure AD Provisioning (SCIM) sends new / updated user attributes. [SCIM, INTRANET]
  • FIX Audiences now work correctly if a user is a member of one Audience but not of all when more than one Audience has been added to a page. [ROLES + ACCESS, SYNC, INTRANET]
  • FIX User synchronization of users with an apostrophe in their username now no longer generates an error when being logged into the database table. [SYNC, INTRANET]
  • FIX Auth.-Only scenarios are now compatible with the Audiences feature to make a page private (restricting access exclusively to users who are authenticated). [ROLES + ACCESS, SYNC, INTRANET]
  • FIX WPO365 will not send the user into an infinite loop anymore, if the administrator has enabled “strict mode” for the Redirect URI plus checked the option to use wp-config.php for AAD secrets. [ALL PREMIUM]
  • FIX WPO365 now checks for before “Trying to create a duplicate log entry” during user synchronization and will update the existing log record instead. [SYNC, INTRANET]

17th January 2024 / v26.0

  • Feature Embed an Outlook / Exchange Calendar in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Feature Embed a SharePoint Online List in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Fix The plugin attempted to process any POST request with parameter “error”, mistakenly assuming that it would be an authentication-error sent by Microsoft. [LOGIN, MICROSOFT GRAPH MAILER]
  • Version bumped. [ALL]

18th December 2023 / v25.4

  • Improvement WPO365 can now also auto-assign WordPress roles to users based on claims found in the SAML 2.0 response. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix The plugin will always choose the form_post OIDC Response mode if the administrator has configured the Hybrid User Flow for OpenID Connect. [LOGIN]

15th December 2023 / v25.3

  • Fix Updated parts of the PHP Security Library v3 to improve compatibility with older PHP versions. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix Reverted default OIDC response mode back to form_post, to support the Hybrid Flow. Administrators can instead manually select “query”. [LOGIN]

13th December 2023 / v25.2

  • Fix Fixed “Fatal error: Cannot use ::class with dynamic class name” for 2 files in PHP Security Library v3. [LOGIN, MICROSOFT GRAPH MAILER]

13th December 2023 / v25.1

  • Improvement The default response mode – for new installations – when requesting an (OIDC) authorization code has been updated to query. This will help preserve the code, especially if the administrator has configured a 3rd party multi-factor authentication provider such as Duo. Existing installations are not affected, however, and the response mode remains “form_post”. See the updated documentation for details. [LOGIN]
  • Improvement Admins configuring the Microsoft Graph Mailer portion of WPO365 can now select an option to skip all checks. Checking this option instructs the Microsoft Graph Mailer to skip the check whether the default “from” email address is registered for the corresponding account and whether the “from” email address specified by a plugin has a different email-domain compared to the default “from” email address used to submit email messages to Microsoft Graph. [LOGIN, MAIL, SYNC, INTRANET]
  • Fix When enrolling users onto LearnDash courses, WPO365 now first checks if the user is already enrolled. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix When clicking the clear-button in the search box – for the embedded SharePoint Online Search experience for WordPress – the search results will be cleared. [LOGIN, M365 APPS, INTRANET]
  • Fix The option to replace the default WordPress “register” link with a link that redirects to the Azure AD B2C sign-up experience is now always available (but remains a premium option). [LOGIN+, CUSTOMERS, SYNC, INTRANET]
  • Fix WPO365 User synchronization no longer produces warnings if a user is not an Azure AD user (based on a domain-check that has become optional since v21.0). [SYNC, INTRANET]
  • Fix The plugin self-test now detects the recently introduced new INTRANET | 5Y and SYNC | 5Y plugins and will test all possible premium scenarios. [INTRANET | 5Y, SYNC | 5Y]
  • Fix The PHP Secure Communications library has been updated and the plugin now uses version 3.0 (to verify an ID token’s signature). [LOGIN, MICROSOFT GRAPH MAILER]
  • Version bumped. [ALL]

10th November 2023 / v25.0

  • Breaking Change Sending WordPress email using Microsoft Graph now always will use the Azure AD configuration from the plugin’s Mail configuration page. [LOGIN]
  • Feature SAML 2.0 based single sign-on can now be configured by generating / exporting Service Provider metadata that can be imported in Azure Active Directory whilst importing the Identity Provider metadata from Azure Active Directory in WPO365. See the updated documentation for details. [LOGIN]
  • Improvement Administrators that have enabled support for multi-tenancy, can now allow-list tenants, effectively restricting access to users of tenants that are not allow-listed. See the updated documentation for details. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
  • Improvement SAML 2.0 will now always – by default – set the requestedAuthnContext to false and it’s no longer necessary to define a global variable in the WordPress site’s wp-config.php. Administrators who did add this variable can now safely remove it. On the other hand, administrators can still explicitly request that the authentication context is checked by enabling the corresponding option on the plugin’s Single Sign-on configuration page. [LOGIN]
  • Improvement Administrators can now configure “strict” mode for OpenID Connect. Doing so will force WPO365 to only “listen” for users returning from Microsoft at the configured Redirect URI. See the online documentation for details. [LOGIN]
  • Tested up to 6.4. [ALL]
