Latest changes

18th April 2025 / v36.2

• FIX Functionality for forcing SSO for the (default / custom) login page has been restored. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]

17th April 2025 / v36.1

• IMPROVEMENT Confirms support for WordPress 6.8. [ALL]
• IMPROVEMENT An administrator can define a (list of) referrer(s) that are allowed to send credentials to the login page when SSO is forced for the login page. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT Configuring a “GCC (High)” tenant using wp-config.php is now supported for both single and multiple IdP scenarios. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX The function of the “Public Homepage” setting has been restored. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX Support for the plugin User Switching has been restored when SSO is forced for the login page. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX When an administrator configures WPO365 for WPMU to allow partial independence for each subsite, WPO365 will now always require users to re-authenticate when navigating between subsites. [ALL]
• FIX When “WPO365 User Synchronization” fails because its next-link has expired, it will now correctly send a “failure” notification. [INTEGRATE (SYNC, INTRANET)]

11th March 2025 / v36.0

• BREAKING CHANGE A previous update that redirected users without privileges for the site they requested to their dashboard URL or primary site in a WordPress Multisite Network has been rolled back. Now, WPO365 will display an access-denied splash screen instead, notifying the user of the denied access. If the user has already authenticated successfully, the screen will also show a list of sites where they have do privileges. [LOGIN]
• BREAKING CHANGE WPO365 will no longer redirect a user back to the login page of the site they requested in a WordPress Multisite Network when they do not have privileges to access that site. Instead WPO365 will display an access-denied splash screen, notifying the user of the denied access. If the user has already authenticated successfully, the screen will also show a list of sites where they do have privileges. [LOGIN]
• IMPROVEMENT The Calendar app (to embed an Exchange / Outlook Calendar in WordPress) can now be configured to show the personal calendar of the logged-in user. The tutorial has been updated accordingly. [APPS, INTEGRATE (INTRANET)]
• IMPROVEMENT The plugin can now also secure the WordPress REST API using App Roles / application-level access tokens (obtained using the client-credentials flow). The documentation has been updated support for this scenario. [ESSENTIALS, PROFESSIONAL, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT Users that are able to bypass SSO for the login page – by adding the secret key to the URL – are now also able to request a password-reset link and reset their password accordingly. [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT Administrators can now configure WPO365 to use a user’s email username as the domain for a new (WordPress Multisite) network subsite (instead of the user’s stringified WP User ID). [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTEGRATE)]
• FIX The favicon.ico file will now automatically be added to the list of pages freed from authentication, since – on WordPress Multisite – a user may request this file from the main site where the user does not have any privileges. [LOGIN]
• FIX The plugin will now also redirect users attempting to access the login page when the administrator has enabled SSO for the login page and the user is already logged in. [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• FIX WPO365 now will remove any duplicate slashes from the current request URI, to prevent attackers to bypass – for example – SSO when it’s forced for the login page. [LOGIN]
• FIX The powerbi-client package has been updated to its latest version. [LOGIN, APPS, INTEGRATE (INTRANET)]
• FIX Fixed a string-format error that caused a critical error when the option to “Create new users in WordPress” would have been unchecked. [ALL PREMIUM]
• FIX The TLD “lan” has been added to the license-checker list of exceptions. [LOGIN, MSGRAPHMAILER]
• FIX “WPO365 Audiences” checkboxes on the Users, Posts and Pages screens in WP Admin now again are being displayed correctly. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX An issue causing – under specific circumstances – an “array-to-string conversion” warning in the Url_Helpers class has been resolved. [LOGIN, MSGRAPHMAILER]

12th February 2025 / v35.0

• FEATURE Create a new (WordPress Network / Multisite) blog for a user when they sign in with Microsoft for the first time. Consult the online documentation for details. [ESSENTIALS, PRO, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT A WordPress Network Multisite super admin can now switch between “shared” and “dedicated” mode when they go to My Sites > Network Admin > WPO365 > User Registration. The entry in wp-config.php will also still be honoured. See the updated documentation [LOGIN]
• IMPROVEMENT All source-code is now constantly reviewed for violations of coding standards (using phpcs) and if possible corrected to adhere to the WordPress Coding Standards.
• IMPROVEMENT An administrator of a blog that is a subsite of a WordPress Network / Multisite can now also administer the WPO365 configuration. [LOGIN]
• IMPROVEMENT Support for the (Entra ID) App Roles SAML 2.0 claim “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” has been added. [ROLES + ACCESS, PRO, INTEGRATE (SYNC, INTRANET)]
• FIX Functionality to save the state before the user is sent to Microsoft to authenticate and to read that state when the user returns has been refactored, to ensure redirection back to the “intended” location before WPO365 sent the user to Microsoft is working as expected. [LOGIN]
• FIX Improved matching algorithm so that WPO365 correctly identifies Entra ID users with an apostrophe in their username. [LOGIN]
• FIX Show a warning on the “Login / Logout” configuration pages, when the “Custom login URL” and the “Logged out / Error page” are the same. [ESSENTIALS, PRO, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX Recycle SAML certificate cache when WPO365 | LOGIN plugin is deactivated. [LOGIN]
• FIX WPO365 will no longer show a “doing_it_wrong” warning when installed for the very first time. [LOGIN]
• FIX License keys (for premium plugins) as now included in the JSON export (when you navigate to WP Admin > WPO365 > … > Import / Export). [ESSENTIALS, PRO, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX WPO365 tries to prevent updating an email address when the only difference is in capitalization. [ESSENTIALS, PRO, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• FIX During the previous release, premium plugins were not zipped correctly, causing issues with folder-naming when installing. [ALL PREMIUM]

14th January 2024 / v34.2

• FIX (Composer) Dependencies have been updated to remove the requirement for PHP >= 8.0.0.

13th January 2024 / v34.1

• IMPROVEMENT You can now choose between a Microsoft 365 account or a personal Microsoft account, like Hotmail.com or Outlook.com, to send WordPress emails. See the updated tutorial for details. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX Plugin no longer (falsely) reports an error when enabling the auto-retry mail-send functionality fails. Instead, it generates a warning with a more verbose description. [MAIL, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX Allowlisting domains does now correctly denies access to domains not in the list. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX Detection of the redirect_to parameter – for example added to the (default) login URL by other solutions – has been improved. [LOGIN]
• FIX The plugin now properly URL encodes a user’s UPN when checking for existing users in AAD B2C / Entra Ext. ID. [CUSTOMERS]
• FIX The plugin now properly URL encodes a user’s UPN when trying to submit email messages to Microsoft Graph. [LOGIN, MICROSOFT GRAPH MAILER]

18th December 2024 / v34.0

• BREAKING CHANGE Excluding a WP role from “WPO365 Audiences” (e.g. to ensure that the role in question sees all content without “WPO365 Audiences”-based restrictions) now takes the post type as an extra configuration parameter (so that – for example – a user with custom WP role “Wiki-Editor” can see all posts of custom post type “Wiki” but for all other post types configured restrictions will apply). The setting can only be changed if the version of the premium plugin providing the “WPO365 Audiences” logic is equal or higher than 34.0. Without updating the configuration, WPO365 will assume that the role-exclusion applies to all post types. Consult the new tutorial for further details. [ROLES + ACCESS, PRO, INTEGRATE (SYNC, INTRANET)]
• CHANGE The PHPSECLIB v3 library has been updated to the latest version 3.0.43 and any customizations have been abandonned. [LOGIN, MICROSOFT GRAPH MAILER]
• CHANGE The “WPO365 Audiences” Block Editor has been withdrawn and the only option to configure “WPO365 Audiences” at page-level is the Metabox, which is now always enabled. See updated documentation for guidance. [ROLES + ACCESS, PRO, INTEGRATE (SYNC, INTRANET)]
• IMPROVEMENT You can now define a splash screen image URL as part of your Power BI Embed configuration and if defined, the app will show the image when Power BI is loading, effectively providing a white label experience. See the updated documentation for details. [M365 APPS, INTEGRATE (INTRANET)]
• IMPROVEMENT A user’s primary blog is set (to the contextual subsite) when WPO365 creates a new user when WordPress Multisite is enabled. [LOGIN]
• IMPROVEMENT Developers can now use the hook ‘wpo365/oidc/params’ to filter the parameters used to build the authorization URL. See the updated documentation for details. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX The auto-retry functionality has been reworked to prevent emails from being sent twice. [MAIL, PRO, INTEGRATE (SYNC, INTEGRATE)]
• FIX WPO365 will no longer send an out-of-the-box “new user email notification” if a new user is created by WPO365 during WPO365 User Synchronization. [INTEGRATE (SYNC, INTRANET)]
• FIX Sending a test email from the “Mail” configuration page will no longer delete all cached (user) access tokens. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX The “Default role” setting is now also unlocked when the WPO365 | MAIL premium plugin is detected. [MAIL]
• FIX Various issues when using SharePoint Online Search to search for employees have been fixed. [M365 APPS, INTEGRATE (INTRANET)]
• FIX WPO365 now requires Microsoft Graph > Delegated Permissions > Calendar.Read permissions to test the configuration to embed an Exchange / Outlook calendar in WordPress (instead of Users.Read.All). [LOGIN, M365 APPS, INTEGRATE (INTRANET)]
• FIX When using a complex query to retrieve – for example – a user’s manager’s Display Name from Microsoft Graph as follows “::graph:manager.displayName”, WPO365 no longer incorrectly populates it with the current user’s display name if the current user does not have a manager defined. [INTEGRATE (SYNC, INTRANET)]

21st November 2024 / v33.3

• FIX After updating to WordPress 6.7 an error “Notice: Function _load_textdomain_just_in_time was called incorrectly” would be thrown. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX A CSS “button” selector affected the global styling of button elements. [LOGIN, APPS, INTEGRATE (INTRANET)]
• IMPROVEMENT Developers can now filter the parameters used to build the authorization URL / token URL. [LOGIN, MICROSOFT GRAPH MAILER]

3rd November 2024 / v33.2

• IMPROVEMENT A new filter “wpo365/user/user_login” to customize a user’s WP username has been added to allow developers to apply their custom logic. Consult the updated online documentation. [LOGIN]
• FIX Token expiration in Power BI has been improved and – among other things – in the instance of a “TokenExpired” client error, WPO365 will reload the window. [LOGIN]
• FIX WPO365 is now better able to handle a situation where multiple apps to embed various Microsoft 365 services – e.g. a SharePoint Library, a Viva Engage Feed and an Exchnage Calendar – have been placed on the same page. [APPS, INTEGRATE (INTRANET)]
• FIX When the calendar does not detect the start date column it will render an error message. [APPS, INTEGRATE (INTRANET)]
• FIX For new installations, WPO365 will audiences will automatically enable the use of metaboxes (as opposed to using a Gutenberg Block). [ROLES + ACCESS, PROFESSIONAL, INTEGRATE, CUSTOMERS (SYNC, INTRANET)]
• FIX The version number of the SCIM addon (plugin) has been fixed. [SCIM]
• FIX When a new user is created by any other solution than WPO365, the default WordPress email(s) to the user and the administrator will not be blocked. [LOGIN]
• FIX When a WPO365 User Synchronization Job has fisnished, it will show a green “stopped” badge to indicate success. [INTEGRATE (SYNC)]
• FIX Copying a shortcode to embed “Power BI” content in the free version WPO365 | LOGIN has been fixed. [LOGIN]
• FIX The WPO365 | DOCUMENTS Gutenberg block is now backward compatible with older configurations that do not specify the “Name” column as sortable. [DOCUMENTS, APPS, INTEGRATE (INTRANET)]

15th October 2024 / v33.1

• FIX WPO365 will now consistently redirect users (again) to their final destination URL, preventing them from being sent back to the login page. [LOGIN]
• FIX WPO365 now checks (again) whether the user’s final destination URL matches the scheme of the registered application’s Redirect URI in Entra and if needed corrects this. [LOGIN]

11th October 2024 / v33.0

• BREAKING CHANGE Previously users (of a WordPress Multisite / WPO365 “Shared” WPMU Mode) attempting to access a (sub) site that they are not a member of, would be denied access. Starting with this version, those users will either be sent to their “primary” site instead, or – if a primary site cannot be determined – to their global user dashboard URL. [LOGIN]
• BREAKING CHANGE Starting with version 33.0, WPO365 | LOGIN can redirect users to Microsoft faster (using a server-side redirect). This is generally recommended to avoid issues with server-side / external caching services. The JavaScript file “pintra-redirect.js” will therefore no longer be automatically enqueued on every page request. To mitigate the impact of this change on existing configurations, administators must manually update the WPO365 configuration and uncheck the option “Use client-side redirect” on the plugin’s “Login / Logout” configuration page, unless the WordPress site is integrated in Microsoft Teams, uses a custom “Sign in with Microsoft” login button or the administrator wishes to briefly display a “loading” icon when the user is redirected. See the online documentation for details. [LOGIN]
• NEW FEATURE The “Sign in with Microsoft” button that is displayed on the (default) WordPress login page can now be customized on the plugin’s “Login / Logout” configuration page. That same button can also be placed on any WordPress post or page using the new shortcode “wpo365-sso-button”. See the online documentation for instructions. [LOGIN, ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT WPO365 now uses built-in WordPress logic to help ensure that the URL where users are being redirected to – after they successfully signed in with Microsoft – is safe. [LOGIN]
• FIX Fixed an issue whereby WPO365 would require a user to sign in with Microsoft when that user attempted to access a password-protected page when the administrator enforced SSO for the default / custom login page. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]

26th September 2024 / v32.0

• BREAKING CHANGE This version of WPO365 adds support for WordPress’ built-in “login_redirect” filter. This means that the URL where users are redirected after they successfully sign in to your WordPress website, can be set by a third-party plugin e.g. “LoginWP”. Please note that rules defined in WPO365 to redirect a user (e.g. “Welcome page for first-time users”, “Always send user to default / custom landing page” and “Azure AD group-based redirect after successful login”) will be applied after the “login_redirect” has been applied and therefore overrule the filtered result. [LOGIN]
• IMPROVEMENT If an administrator activated the option to Force SSO for the default / custom login page, WPO365 will now redirect all requests to Microsoft for authentication, unless a unique cookie is presented. This cookie will be set by WPO365 when a user requests the default / custom landing page with the correct “Secret key to bypass SSO” added to the URL. Brute-force password-guessing bots should now be blocked from submitting login attempts to your website’s login endpoint. [ESSENTIALS, PROFESSIONAL, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT The built-in license and update manager has been greatly simplified and algined with WordPress’ plugin managent. [ALL PREMIUM]
• FIX WPO365’s shutdown routine will now run at the very last possible moment to ensure that the built-in Microsoft Graph Mailer can still access its configuration and send emails, e.g. third-party plugins such as “WP Job Manager” sending out alerts. [MAIL, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX Administrators can now still change a user’s local WordPress password, even if the option “User cannot change password” (on the plugin’s “User Registration” configuration page) has been activated. [ESSENTIALS, PROFESSIONAL, INTEGRATE (LOGIN+, SYNC INTRANET)]
• FIX The “Plugin self-test” no longer fails when an administrator has configured multiple SAML 2.0 Identity Providers. [ALL PREMIUM]
• FIX WPO365 has restored the ability to save user attributes from a user’s manager e.g. the manager’s email address as WordPress metadata for the user in question. [PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX The ability to define a default sorting of a column (ascending or descending) of an embedded SharePoint Library or List has been restored. [DOCUMENTS, APPS, INTEGRATE (INTRANET)]
• FIX Direct reports of users listed in the Employee Directory app are filtered to ensure that disabled users are not selected. [APPS, INTEGRATE (INTRANET)]

6th September 2024 / v31.1

• IMPROVEMENT The SCIM messages sent by Entra’s User Provisioning Service are now logged and can be viewed via WP Admin > WPO365 > Dashboard > Insights > Users. See the new tutorial step for details. [SCIM, INTEGRATE]
• FIX Undefined variable $custom_field_not_found [ALL PREMIUM]

4th September 2024 / v31.0

• BREAKING CHANGE WPO365 is now able to save user attributes from any source as WP user meta (claims in an ID token and SAML 2.0 response, properties received from Microsoft Graph and Entra Provisioning (SCIM)) but the administrator needs to update the corresponding mappings with a prefix, or else WPO365 will not update the WP user meta record when the attribute is updated with an empty value. Refer to the updated online documentation for details. [CUSTOM USER FIELDS, PROFESSIONAL, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• IMPROVEMENT WPO365 is now able to process the SAML 2.0 groups claim and apply all ROLES + ACCESS functionality e.g. WPO365 Audiences, restrict access, dynamically assign WordPress roles based on Entra Group Memberships. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE, CUSTOMERS (SYNC, INTRANET)]
• IMPROVEMENT WPO365 will now also check if it needs to update a user’s WP role(s) based on user attributes it receives from Entra’s SCIM based User Provisioning Service. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• IMPROVEMENT An administrator can now configure WPO365 to redirect the user the website’s backend when initiating the “Sign in with Microsoft” flow. See online documentation for details. [LOGIN]
• IMPROVEMENT Once Entra (User) Provisioning via SCIM is enabled, administrators can specify a SCIM attribute for WPO365 to use as the WordPress username for new users. [SCIM, INTEGRATE (INTRANET)]
• IMPROVEMENT An administrator can specify one or more IP addresses that WPO365 should bypass for authentication. [ROLES + ACCESS, SCIM, ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• FIX WPO365 will not try to retrieve a user’s Entra Group Memberships if this information has already been included in the ID token or SAML response. [ROLES + ACCESS, PROFESSIONAL, CUSTOMERS, INTEGRATE (SYNC, INTRANET)]
• FIX Added a “Close” button to the config-test apps when embedding a SharePoint list / library or Outlook / Exchange calendar in WordPress. [LOGIN]
• FIX The “Recent documents” view stopped working after column-sorting had been implemented for the apps that embed a SharePoint Library and List. [LOGIN, APPS, INTEGRATE (INTRANET)]
• FIX “Logout from Microsoft” is able to deal with multiple Identity Providers of different tenant types. [ALL PREMIUM]
• FIX Column definition for apps that embed a SharePoint Library and List now require “isSortable” (instead of “sortable”) set as true (following the documentation). [APPS, INTEGRATE (INTRANET)]
• FIX Features unlocked by the CUSTOMERS bundle now include ROLES + ACCESS and AVATAR. [CUSTOMERS]
• FIX Features unlocked by the PROFESSIONAL bundle now include AVATAR. [PROFESSIONAL]
• FIX Special characters – for example ö and é – in SAML claim values are no longer encoded as HTML entities (e.g. ö). [LOGIN]
• FIX The option to skip authentication for REST API requests when a BASIC auth header is present has been removed. Instead an administrator should add REST API’s endpoint to the “List of pages freed from authentication” on the plugin’s “Single Sign-on” page. [ESSENTIALS, LOGIN+, PROFESSIONAL, CUSTOMERS, INTEGRATE, (SYNC, INTRANET)]
• FIX A warning is shown when the secret key to bypass SSO contains non-alphanumeric characters. [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
• FIX WPO365 is now be able to handle a site relative URL for the redirect_to parameter upon login. [LOGIN]

14th August 2024 / v30.2

• FIX When the SAML 2.0 certificate is invalid or expired, the plugin will now attempt to read the X.509 certificate from the “IDPSSODescriptor” XML node (provided that the administrator has entered a valid “App Metadata Federation” URL). [LOGIN]

28th July 2024 / v30.1

• FIX The login_hint parameter for the URL created by WPO365 to send a user to Microsoft to authenticate in case of (Entra) External ID and Azure AD B2C will now be correctly set. [LOGIN]
• FIX A regression that caused WPO365 to send a user always to the custom error page (instead of the default one) – even if that option was not configuration – has now been fixed. [ESSENTIALS, ALL BUNDLES]

22nd July 2024 / v30.0

• BREAKING CHANGE It is now possible to configure support for multiple Identity Providers for different tenant types (regular Entra ID, Azure AD B2C and Entra External ID). (read more) and (more) [ALL PREMIUM]
• IMPROVEMENT A SharePoint Library or List that is embedded in WordPress can now be sorted beforehand or when the user clicks on the column header. [DOCUMENTS, M365 APPS, INTEGRATE (INTRANET)]
• IMPROVEMENT The HelpScout beacon on the plugin’s configuration pages would be blocked from loading – for example when using Microsoft Edge – and has therefore been replaced with a new help button that opens the WPO365 Contact Form instead. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX The new bundles PROFESSIONAL and INTEGRATE no longer cause a critical error if WPO365 | LOGIN has not been installed / activated prior to activation. [PROFESSIONAL, INTEGRATE]
• FIX The default value for the Redirect URL now again corresponds to the site’s home URL. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX Some WP Cron Jobs that rely on a custom cron schedule “wpo-every-minute” e.g. Auto-Retry for sending emails and User Sync Monitor to ensure user synchronization keeps running, should no longer be removed when the custom schedule is not found. [MAIL, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX The Mail Log Viewer will show no results if a filter e.g. Errors returns no results. [MAIL, PROFESSIONAL, CUSTOMERS, INTEGRATE (SYNC, INTRANET)]
• FIX Changed the log level of a number of avatar related issues e.g. when a profile picture for a user was not found from warning to debug. [PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
• FIX The login-message shortcode and the login-button shortcode are now correctly initialized for the new PROFESSIONAL and INTEGRATE bundles. [PROFESSIONAL, INTEGRATE]
• FIX If the administrator has configured a custom error / logged-out page then WPO365 will also ensure user is redirected to that page when they sign out of WordPress using the default sign-out option(s). [PROFESSIONAL, INTEGRATE (LOGIN+, SYNC, INTRANET)]

28th June 2024 / v29.0

• Support for 3 new WPO365 feature bundles [LOGIN+, INTRANET, SYNC].

21th June 2024 / v28.2

• FIX WPO365 will now correctly “ignore” a SAML response when the Relay State is not a properly formatted URL. [LOGIN]

20th June 2024 / v28.1

• IMPROVEMENT The Mail Audit Log Viewer has been updated to show nr. of attempts and time of last attempt for a better general understanding of the send-status of the email in question. [MAIL, CUSTOMERS, SYNC, INTRANET]
• IMPROVEMENT The Debug Log entries now display timestamps in the WordPress timezone (see WP Admin > Settings > General > Timezone). [LOGIN, MICROSOFT GRAPH MAILER]
• IMPROVEMENT The Mail Audit Log entries now display timestamps in the WordPress timezone (see WP Admin > Settings > General > Timezone). [LOGIN, MICROSOFT GRAPH MAILER]
• IMPROVEMENT The WPO365 Insights entries now display timestamps in the WordPress timezone (see WP Admin > Settings > General > Timezone). [LOGIN, MICROSOFT GRAPH MAILER]
• IMPROVEMENT A small icon on the plugin’s Mail configuration page will show the status of the “Resending failed emails automatically” feature. [MAIL, CUSTOMERS, SYNC, INTRANET]
• IMPROVEMENT The default WP role update scenario has been updated from “Add” to “Skip” and the plugin’s “User Registration” configuration has been update accordingly. [LOGIN]
• IMPROVEMENT The Microsoft Graph Mailer for WordPress will not be instantiated if no authorization information can be found. [LOGIN, MICROSOFT GRAPH MAILER]
• IMPROVEMENT The Mail Authorization Status Popup will now appear only after 4 seconds and will no longer show if authorization is under way. [LOGIN, MICROSOFT GRAPH MAILER]
• IMPROVEMENT Administrators can now also auto-enroll users into LearnDash courses and auto-assign users to LearnDash Groups based on (login) domains. [ROLES + ACCESS, SYNC, INTRANET]
• IMPROVEMENT Administrators can now disable SSO for WP Admin. A warning will show if this new option conflicts with other options such as “Dual Login” and “Force SSO for the login page”. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
• FIX WordPress no longer shows that an update for a premium addon or bundle is available when the latest version is already installed. [ALL PREMIUM]
• FIX WPO365 now correctly replaces the WP Avatar with the user’s Entra / Microsoft 365 Profile Picture when BuddyBoss has been installed / enabled. [AVATAR, SYNC, INTRANET]
• FIX The self-test would fail if the administrator had enabled the Proof Key for Code Exchange. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
• FIX The recently added Mail Audit Log Retention Policy (to clean up entries older than 90 days) no longer fails if an older version of WPO365 | MICROSOFT GRAPH MAILER or WPO365 | LOGIN would be installed in combination with the latest version of the WPO365 | MAIL addon. [MAIL, CUSTOMERS, SYNC, INTRANET]
• FIX WPO365 no longer tries to process an OpenID Connect response if SAML 2.0 based SSO is configured. [LOGIN]
• FIX The shortcode configurator to embed a SharePoint List or Library now warns if the wrong Microsoft Graph version is selected on the plugin’s “Integration” configuration page. [LOGIN, M365 APPS]
• FIX WPO365 User Sync will now include the low-level DB error message if an error occurs when logging the results to the database. [CUSTOMERS, SYNC, INTRANET]
• FIX The WPO365 configuration pages will now show the correct values for Entra ID / AAD related options retrieved from wp-config.php (instead of from the database). [ALL PREMIUM]
• FIX The Mail Audit Log will now create a new table at the correct “level” in case WordPress Multisite would be activated and WPO365’s default support mode for WPMU (= Shared) is configured. [MAIL, CUSTOMERS, SYNC, INTRANET]
• FIX WPO365 will now only attempt to retrieve a User Resource from Microsoft Graph when the administrator explicitly configured “Microsoft Graph” as the desired “Source for custom user fields” on the plugin’s “User Sync” configuration page. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
• FIX The Redirect URI for the WPO365 Microsoft Graph Mailer no longer indicates an error for the Redirect URI migrated from “Mail Integration for Office 365 / Outlook” plugin. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX The WP Avatar no longer shows a broken picture link when the Avatar feature is enabled but WPO365 fails to retrieve the user’s profile photo from Microsoft Graph. [AVATAR, SYNC, INTRANET]

21st May 2024 / v28.0

• PATCHED (CVE-2024-4706) Validation of the script URL – used to embed Microsoft 365 services in WordPress – is now validated to ensure it points to a resource on the local WordPress server. [ALL]
• BREAKING CHANGE (Microsoft Graph Mailer): WPO365 retains mail log entries that are less than approximately 90 days old and deletes entries that exceed the configured number of days. [MAIL]
• BREAKING CHANGE (WordPress Multisite): Profile pictures for WordPress Avatars and downloaded from Microsoft Graph will always be saved in /wp-content/uploads/wpo365/profile-images instead of /wp-content/uploads/sites/[blog_id]/wpo365/profile-images. [AVATAR, SYNC, INTRANET]
• IMPROVEMENT In an attempt to better understand errors that involve cURL, administrators can now enable verbose logging for cURL. [ALL]
• IMPROVEMENT The Allowed (login) domains list can now be changed into a list of domains that are not allowed to sign in. This is especially useful for administrators that allow users from any Microsoft Entra ID / AAD tenant to sign into their WordPress website. [LOGIN+, SYNC, INTRANET]
• IMPROVEMENT Administrators can now configure WPO365 to add new or existing users to all subsites in a WordPress Multisite Network when they sign in with Microsoft or when their data is synchronized. Additionally, all existing users can be added a new subsite, when it is first initialized. [LOGIN+, SYNC, INTRANET]
• IMPROVEMENT A monitor (in the form of a WP Cron Job) for WPO365 User Synchronization will be started automatically (each time a new user synchronization starts) and will check every 5 minutes for unfinished synchronization jobs for which no WP Cron Job (to process the next batch of users) exists and re-create this job if needed. [SYNC, INTRANET]
• IMPROVEMENT If WPO365 is used to integrate WordPress with Azure AD B2C and the administrator has configured WPO365 to create users in Azure AD B2C from WordPress, the status of this upstream-synchronization will now also show on a user’s profile page. [CUSTOMERS, SYNC, INTRANET]
• IMPROVEMENT If enabled, WPO365 Audiences will now be shown for each post and / or page on WordPress pages, listing all posts and pages. [ROLES + ACCESS, SYNC, INTRANET]
• IMPROVEMENT The response – when a non-logged-in user requests a post or a page that is restricted by a WPO365 Audience – is now streamlined with the option Response for visitors requesting a page that requires a logged-in user. [ROLES + ACCESS, SYNC, INTRANET]
• IMPROVEMENT The Admin Credential > Secret Token that is used for Entra ID (AAD) User provisioning (SCIM) for WordPress can now be administered on the plugin’s User Sync configuration page. [SCIM, INTRANET]
• IMPROVEMENT WPO365 now supports Custom URL Domains for Microsoft Entra (Ext.) ID. [LOGIN+, SYNC, INTRANET]
• IMPROVEMENT If activated, WPO365 will terminate the loading of WordPress, whenever it identifies a login attempt (with local WordPress credentials) by a user whose username is not included in the WPO_ADMINS list. See the online documentation for details. [ALL]
• IMPROVEMENT The title for the Office 365 Profile Information section on a user’s profile (only visible if the administrator enabled the option to Show Azure AD user attributes in a WordPress user profile) can now be translated (go to WP Admin > WPO365 > … > Translations). [CUSTOM USER FIELDS, LOGIN+, SYNC, PREMIUM]
• IMPROVEMENT Administrators of a WordPress Multisite installation with dedicated mode enabled (so that subsites can be configured independently of each other) can now go to the plugins Import / Export configuration for a subsite to replace the (empty) configuration of the subsite with a copy of the central WPO365 configuration template. See the updated documentation for details. [ALL]
• PREVIEW Administrators of GCCH tenants can now select this type of tenant from the list of Identity Providers, in order to change the TLD for all relevant Microsoft endpoints to “.us” (instead of “.com”). [ALL]
• FIX Translations for the Employee Directory app now correctly handle special characters (however, it may be necessary to recreate the shortcode). [ALL]
• FIX The premium WPO365 | MAIL option to resend failed emails automatically can now be started when the premium addon is used in combination with WPO365 | MICROSOFT GRAPH MAILER. [MICROSOFT GRAPH MAILER]

19th April 2024 / v27.2

• IMPROVEMENT The lis of Optional SCIM attribute mappings on the plugin’s User Sync configuration page has been deprecated. Administrators that have support for SCIM based Azure AD User provisioning enabled, are urged to migrate these mappings to the list SCIM attribute to WordPress user meta mappings in the section Custom User Fields using the corresponding Migrate optional SCIM attribute mappings button. [SCIM, INTRANET]
• FIX Some SCIM attribute to WordPress user meta mappings e.g. “emails[type eq “work”].value” were only processed by WPO365 internally e.g. to update a user’s WordPress profile. With this change, these attributes can now also be mapped to WordPress user meta. [SCIM, INTRANET]
• FIX An administrator now can (and should) – besides the ID token claim – also specify the corresponding AAD user property (and SCIM claim, if support for SCIM based Azure AD User provisioning has been enabled) that WPO365 should use for a new WordPress user’s username. This only concerns those administrators, who configured a custom claim as the username of a new WordPress user (on the plugin’s User registration configuration page). [(LOGIN+), CUSTOMERS, SCIM, SYNC, SCIM]
• FIX By fixing a caching issue, WPO365 should – after this update – no longer show a notification that There is a new version of […] available […] for WPO365 premium addons and bundles, after those were updated to the lastest version. [ALL PREMIUM ADDONS / BUNDLES]

10th April 2024 / v27.1

• FIX “Strict Mode” for the Redirect URI can now also be enabled for the WPO365 | MICROSOFT GRAPH MAILER plugin (so it will only try process an Oauth response / payload detected at the exact URL which must be a path below the site’s home address e.g. /oidc-auth/). [MICROSOFT GRAPH MAILER]
• FIX WPO365 will not try and process an Oauth response / payload if both features SSO and MICROSOFT GRAPH MAILER are disabled or if SSO is disabled but MICROSOFT GRAPH MAILER is enabled and but the administrator did not start an attempt to authorize an account to send emails from. [LOGIN, MICROSOFT GRAPH MAILER]
• FIX WPO365 Health Messages are now correctly displayed on the corresponding panel for the MICROSOFT GRAPH MAILER plugin. [MICROSOFT GRAPH MAILER]
• FIX A cached Authorization Code will now be correctly removed from that cache once it has been redeemed. [LOGIN]
• FIX A user’s UPN is now correctly escaped before inserting it into the WPO365 User Synchronization database table (to support UPNs with single quotes). [SYNC, INTRANET]

26th March 2024 / v27.0

• BREAKING CHANGE HTML and CSS for the default login-button has changed slightly and the wrapper is now a flex-box, to allow for an additional drop-down list in case the administrator configured multiple Identity Providers. An administrator, however, can revert this change and configure WPO365 to use the old login-button template (see the corresponding option on the plugin’s Miscellaneous configuration page). [LOGIN]
• BREAKING CHANGE To support devOps workflows and site replication scenarios, WPO365 now automatically detects named constants in your website’s wp-config.php file that either configure an single Identity Provider (IdP) or any of the WPO365 settings that are not directly related to an IdP. As a result, the option Use WP-Config.php for AAD secrets has been renamed to Obfuscate AAD options and the option Use WP-Config.php to override (some) config options has been removed. [ANY PREMIUM ADDON / BUNDLE]
• BREAKING CHANGE LearnDash enrollment rules are now also applied to existing users (when they sign in or when users are synchronized). [ROLES + ACCESS, SYNC, INTRANET]

• FEATURE (PREVIEW) Administrators can now configure WPO365 to support multiple Identity Providers (IdP). If multiple IdPs have been configured, WPO365 will – by default – render a dropdown list enumerating IdPs by their “friendly name”. A user simply picks an IdP from the list before clicking “Sign in with Microsoft”. Refer to the new tutorial for further details. [ANY PREMIUM ADDON / BUNDLE]
• FEATURE (PREVIEW) Now administrators can enable WPO365 Insights and aggregate various events into straightforward management dashboards. These dashboards are designed to offer valuable insights, such as tracking the count of users who have authenticated successfully or unsuccessfully, monitoring emails that have been sent successfully or unsuccessfully, and overseeing the synchronization status of users, whether through SCIM, WPO365 User synchronization, or during their initial sign-in. See the new online guide for further details. [ALL]
• FEATURE (PREVIEW) Administrators can now add app roles to an App registration in Microsoft Entra Admin Center and use them to dynamically assign WordPress roles to users. See the online documentation for further details. [ROLES + ACCESS, SYNC, INTRANET]
• FEATURE (PREVIEW) WPO365 now also supports the SAML 2.0 protocol for use with Azure AD’s multi-tenancy feature. See the online documentation for further details. [LOGIN+, SYNC, INTRANET]

• IMPROVEMENT WPO365 can now be configured to skip saving the default WP avatar for a user without a profile picture. See the online documentation for further details. [AVATAR, SYNC, INTRANET]
• IMPROVEMENT An administrator can now choose between the WordPress site URL or the WP Admin URL as the default landing page after a user successfully signed in with Microsoft. Alternatively, a custom URL can be defined when the LOGIN+ addon, or the SYNC or INTRANET is detected. [LOGIN, LOGIN+, SYNC, INTRANET]
• IMPROVEMENT When a SAML 2.0 X509 certificate is missing from the configuration, is expired or has been withdrawn, WPO365 will try and read the tenant’s federation metadata to obtain (and cache) a new signing key. [LOGIN]
• IMPROVEMENT WPO365 Health Messages will no longer be displayed on a default WordPress notification banner, but instead a dismissable panel will slide over the configuration app. [LOGIN]
• IMPROVEMENT After running the Plugin self-test for SAML 2.0 based SSO, the raw SAML response can now be viewed by clicking the corresponding link for the “SAML response has been processed and no errors occurred” test case. [LOGIN]
• IMPROVEMENT Generated passwords are checked to ensure that the generated password has characters from all four possible categories (lower and upper case, numbers and symbols). [LOGIN]
• IMPROVEMENT When deleting a WPO365 configuration, several caches e.g. for access tokens and certificates, are cleaned as well. [LOGIN]
• IMPROVEMENT WPO365 will now update BuddyPress profile fields (provided that this option is enabled) whenever Azure AD Provisioning (SCIM) sends new / updated user attributes. [SCIM, INTRANET]

• FIX Audiences now work correctly if a user is a member of one Audience but not of all when more than one Audience has been added to a page. [ROLES + ACCESS, SYNC, INTRANET]
• FIX User synchronization of users with an apostrophe in their username now no longer generates an error when being logged into the database table. [SYNC, INTRANET]
• FIX Auth.-Only scenarios are now compatible with the Audiences feature to make a page private (restricting access exclusively to users who are authenticated). [ROLES + ACCESS, SYNC, INTRANET]
• FIX WPO365 will not send the user into an infinite loop anymore, if the administrator has enabled “strict mode” for the Redirect URI plus checked the option to use wp-config.php for AAD secrets. [ALL PREMIUM]
• FIX WPO365 now checks for before “Trying to create a duplicate log entry” during user synchronization and will update the existing log record instead. [SYNC, INTRANET]

17th January 2024 / v26.0

• Feature Embed an Outlook / Exchange Calendar in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
• Feature Embed a SharePoint Online List in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
• Fix The plugin attempted to process any POST request with parameter “error”, mistakenly assuming that it would be an authentication-error sent by Microsoft. [LOGIN, MICROSOFT GRAPH MAILER]
• Version bumped. [ALL]

18th December 2023 / v25.4

• Improvement WPO365 can now also auto-assign WordPress roles to users based on claims found in the SAML 2.0 response. [ROLES + ACCESS, SYNC, INTRANET]
• Fix The plugin will always choose the form_post OIDC Response mode if the administrator has configured the Hybrid User Flow for OpenID Connect. [LOGIN]

15th December 2023 / v25.3

• Fix Updated parts of the PHP Security Library v3 to improve compatibility with older PHP versions. [LOGIN, MICROSOFT GRAPH MAILER]
• Fix Reverted default OIDC response mode back to form_post, to support the Hybrid Flow. Administrators can instead manually select “query”. [LOGIN]

13th December 2023 / v25.2

• Fix Fixed “Fatal error: Cannot use ::class with dynamic class name” for 2 files in PHP Security Library v3. [LOGIN, MICROSOFT GRAPH MAILER]

13th December 2023 / v25.1

• Improvement The default response mode – for new installations – when requesting an (OIDC) authorization code has been updated to query. This will help preserve the code, especially if the administrator has configured a 3rd party multi-factor authentication provider such as Duo. Existing installations are not affected, however, and the response mode remains “form_post”. See the updated documentation for details. [LOGIN]
• Improvement Admins configuring the Microsoft Graph Mailer portion of WPO365 can now select an option to skip all checks. Checking this option instructs the Microsoft Graph Mailer to skip the check whether the default “from” email address is registered for the corresponding account and whether the “from” email address specified by a plugin has a different email-domain compared to the default “from” email address used to submit email message to Microsoft Graph. [LOGIN, MAIL, SYNC, INTRANET]
• Fix When enrolling users onto LearnDash courses, WPO365 now first checks if the user is already enrolled. [ROLES + ACCESS, SYNC, INTRANET]
• Fix When clicking the clear-button in the search box – for the embedded SharePoint Online Search experience for WordPress – the search results will be cleared. [LOGIN, M365 APPS, INTRANET]
• Fix The option to replace the default WordPress “register” link with a link that redirects to the Azure AD B2C sign-up experience is now always available (but remains a premium option). [LOGIN+, CUSTOMERS, SYNC, INTRANET]
• Fix WPO365 User synchronization no longer produces warnings if a user is not an Azure AD user (based on a domain-check that has become optional since v21.0). [SYNC, INTRANET]
• Fix The plugin self-test now detects the recently introduced new INTRANET | 5Y and SYNC | 5Y plugins and will test all possible premium scenarios. [INTRANET | 5Y, SYNC | 5Y]
• Fix The PHP Secure Communications library has been updated and the plugin now uses version 3.0 (to verify an ID token’s signature). [LOGIN, MICROSOFT GRAPH MAILER]
• Version bumped. [ALL]

10th November 2023 / v25.0

• Breaking Change Sending WordPress email using Microsoft Graph now always will use the Azure AD configuration from the plugin’s Mail configuration page. [LOGIN]
• Feature SAML 2.0 based single sign-on can now be configured by generating / exporting Service Provider metadata that can be imported in Azure Active Directory whilst importing the Identity Provider metadata from Azure Active Directory in WPO365. See the updated documentation for details. [LOGIN]
• Improvement Administrators that have enabled support for multi-tenancy, can now allow-list tenants, effectively restricting access to users of tenants that are not allow-listed. See the updated documentation for details. [LOGIN+, CUSTOMERS, SYNC, INTRANET]
• Improvement SAML 2.0 will now always – by default – set the requestedAuthnContext to false and it’s no longer necessary to define a global variable in the WordPress site’s wp-config.php. Administrators who did add this variable can now safely remove it. On the other hand, administrators can still explicitely request that the authentication context is checked by enabling the corresponding option on the plugin’s Single Sign-on configuration page. [LOGIN]
• Improvement Administrators can now configure “strict” mode for OpenID Connect. Doing so, will force WPO365 to only “listen” for users returning from Microsoft at the configured Redirect URI. See the online docuemntation for details. [LOGIN]
• Tested up to 6.4. [ALL]

Click here for older entries.