Important notice

v11.7 fixes a security-related issue, and it is strongly recommended that all installations are updated immediately.

Latest changes

16th April 2021 / ALL / v12.14

  • Fix The Plugin self-test would encounter an error when the administrator configured SAML 2.0 [ALL].
  • Fix When using SAML 2.0, the plugin will now also read the user’s AAD object ID (which is needed for integration scenarios such as retrieval of a user’s profile, Azure AD group memberships etc.) [ALL].

7th April 2021 / ALL / v12.12

  • Feature Administrators can save multiple WPO365 configurations and select one of the saved configurations as the current one [SYNC, INTRANET]
  • Feature Administrators can edit and save / import and export a configuration’s JSON representation [SYNC, INTRANET].
  • Improvement The Plugin self-test has been greatly improved and now tests various scenarios in an attempt to provide better support and guidance when configuring the plugin [ALL].
  • Fix The option to de-activate instead of delete users when synchronizing was working in the opposite way and this has been corrected [SYNC, INTRANET].
  • Fix An administrator can now update passwords for users that sign in with Microsoft even if he / she configured the plugin to block password updates [ALL].
  • Fix When determining whether a user has properties that match with (one of) the tenant’s domain(s) the plugin now tries to do so in a case-insensitive way [ALL].
  • Fix When scheduling daily user synchronization the first event will be scheduled for this week and no longer jump the first week [SYNC].

12th March 2021 / LOGIN, APPS, AVATAR, SYNC, INTRANET / v12.11

  • Improvement Tested up to 5.7.
  • Fix The plugin will now save a user’s Azure AD object ID and use it when retrieving a user’s profile image, which otherwise fails for guest users when using the Azure AD user principal name [LOGIN, AVATAR, SYNC, INTRANET].
  • Fix The Microsoft 365 Documents App ability to restrict content to a specific folder (and its sub folders) stopped working and the error causing it has been fixed [APPS, INTRANET].

7th March 2021 / LOGIN / v12.10

  • Fix The Microsoft Teams integration will now honor the login hint (if you add ?login_hint={loginHint} to your WordPress URL for your Tab or App) [ALL].
  • Fix The plugin now tries to recognize SSL and will update the WordPress (Site) Address (URL) whenever it retrieves the WordPress home option from WordPress [ALL].

25th February 2021 / LOGIN | AVATAR | LOGIN+ | SYNC | INTRANET / v12.9

  • Improvement Administrators who configured SAML 2.0 based Single Sign-On can now request that users re-authenticate by including a forceAuthn=true flag in the SAML request [LOGIN+, SYNC, INTRANET].
  • Fix The error reason for failed SAML sign-in requests is now included in the error message [ALL].
  • Fix The full email message (JSON) is now logged in case of an error when sending WordPress emails using Microsoft Graph [ALL].
  • Fix The plugin no longer tries to create a folder for downloaded Microsoft 365 profile images when it already exists [AVATAR, SYNC, INTRANET].

7th February 2021 / WPO365 | LOGIN / v12.8

4th February 2021 / WPO365 | LOGIN / v12.7

  • Fix The plugin no longer requires an authorization code / refresh code to retrieve an access token when configuring a Power BI embed for your customers (also known as Application owns data) [LOGIN, M365 APPS, INTRANET].

1st February 2021 / WPO365 | LOGIN / v12.6

  • Fix Earlier saving of the user information retrieved from the ID token / SAML response resolves an issue for multi-tenanted apps to request an access token from another tenant than the home tenant [WPO365 | LOGIN].

25th January 2021 / WPO365 | ALL extensions and bundles / v12.5

  • Feature Administrators can now enable Single Sign-On for the (default / custom) login page (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Feature [preview] Administrators can now enable Single Sign-On for pages / posts that have limited (private) visibility (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Translations and update the caption for the Sign in with Microsoft button as well as several other error messages.
  • Improvement Administrators of WordPress Multisite networks can now prevent the plugin from adding users to a subsite (see online documentation for details) [LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now disable the WPO365 session expiration when they navigate to WP Admin > WPO365 > Single Sign-On and reconfigure the Session Duration option and set it to 0 (see online documentation for details) [LOGIN].
  • Improvement The WPO365 configuration pages have been optimized and streamlined with the new recently added extensions [LOGIN].

14th January 2021 / WPO365 | ALL extensions and bundles / v12.4

  • Fix Administrators can now choose a default avatar when they navigate to WP Admin > Settings > Discussion and scroll to the Default Avatar section [AVATAR, SYNC, INTRANET].
  • Fix User synchronization now will recognize Azure AD Guests by their UPN instead of their preferred user name and thus no longer ignore Azure AD Guests when processing batches of users retrieved from Microsoft Graph [SYNC, INTRANET].
  • Fix The /me context will only be used if the plugin believes it can acquire an access token on behalf of that user [ALL extensions / bundles].

4th January 2021 / wp365-login[LOGIN, SYNC, INTRANET] / v12.3

  • Fix Active extension (SYNC and / or INTRANET) was not correctly detected, causing (manual) user synchronization not to reload as expected but instead showing a white screen.

2nd January 2021 / wp365-login[LOGIN] / v12.2

  • Fix License management page for WordPress Multisite now showing as expected (network admin only).

31st December 2020 / wp365-login[LOGIN] / v12.1

  • Fix Item ID search algorithm not finding item to activate the license for and failing without a notification showing.

30th December 2020 / wp365-login[ALL] / v12.0

  • (Breaking) Change Licenses are now administered on a separate configuration page. The new License (administration) page can be accessed via WP Admin > WPO365 > Licenses. Existing licenses must be re-entered for the automatic update function to work as expected.
  • Change Introduction of new Extensions for MAIL, AVATAR, CUSTOM USER FIELDS, GROUPS, APPS, ROLES + ACCESS and SCIM.
  • Improvement In an attempt to unclutter the WordPress Admin Dashboard, the plugin will no longer show the last (three) error(s). Instead a notification that errors have been encountered will be shown with a link to the main WPO365 configuration page where the full error message(s) are shown.

18th December 2020 / wp365-login[LOGIN] / v11.20

  • Improvement Users who have configured SAML 2.0 can create a custom button to include a domain hint that translates to an additional whr parameter. See the updated documentation for recommended configuration.
  • Improvement The request for a plugin-review now only shows on the WPO365 configuration pages and can be turned off permanently.
  • Fix Avatar filter priority lowered to 99999 to have precedence over other plugins e.g. Ultimate Member.

14th December 2020 / wp365-login[LOGIN, SYNC, INTRANET] / v11.19

  • Fix User synchronization no longer deactivates / deletes users that cannot be linked to an existing Microsoft 365 / Azure AD account (administrators must make sure to update the Custom domains list on the plugin’s User registration page).
  • Fix (Array to string conversion) Error whenever an email could not be sent successfully through Microsoft Graph.

25th November 2020 / wp365-login[ALL] / v11.18

  • (Breaking) Change Improved support for WordPress Multisite with mapped domains and subsite specific WPO365 configuration. See updated online documentation for recommended configuration scenarios of WordPress Multisite installations.
  • Feature Administrators (of the LOGIN+, SYNC and INTRANET extensions) can navigate to WP Admin > WPO365 > User registration and configure the plugin to create shorter WordPress names e.g. john.doe instead of john.doe@your-tenant.onmicrosoft.com. See online documentation for details.
  • Improvement Prevention of users getting stuck in infinite loops through smart detection. See updated online documentation for additional considerations.
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Miscellaneous and delete the current WPO365 configuration.
  • Improvement When administrators (of the LOGIN+, SYNC and INTRANET extensions) have configured the Post sign-out URL option, the plugin will now also redirect users that did not sign in with Microsoft.

11th November 2020 / wp365-login[WPO365 | LOGIN] / v11.17

  • Fix When using the optimized internet authentication mode (preventing the plugin from interfering with requests for pages and posts) the Sign in with Microsoft button now redirects the user correctly to the WordPress Administration instead of to the homepage.

10th November 2020 / wp365-login[WPO365 | LOGIN] / v11.16

  • Fix After a recent change the global constant WPO_AUTH_SCENARIO had been erroneously renamed to WPO_AUTH_MODE.

10th November 2020 / wp365-login[ALL] / v11.15

  • (Breaking) Change The out-of-the-box algorithm for trying to find a WordPress user for the user currently signing in with Microsoft has changed. The rule to match a user by his / her Login Name (= Azure AD preferred login name without domain suffix) has been removed. Administrators can still add this option back. See the online documentation.
  • Improvement Administrators (of the SYNC and INTRANET extensions) can now specify nested user profile properties when synchronizing WordPress user profiles with Microsoft Graph e.g. businessPhones.0 (to retrieve the first business phone of an array of possible entries) or onPremisesExtensionAttributes.extensionAttribute1 (to retrieve a custom attribute synced from Active Directory).
  • Improvement Administrators (of the LOGIN+, SYNC and INTRANET extensions) can now choose to show (new) users the option to sign up and create a new account in Azure AD B2B when they sign in with Microsoft. See the online documentation for additional considerations and prerequisites.
  • Fix When the plugin fails to create a new user during scheduled user synchronization, the schedule will continue to run and finish as expected.
  • Fix The double ‘/’ when loading the (pintra-)redirect.js file has been removed.

27th October 2020 / wp365-login[WPO365 | LOGIN] / v11.14

  • Improvement Administrators that have configured SAML 2.0 and have received error reports such as “Authentication method ‘WindowsIntegrated’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’” can now try to configure advanced settings. See the online documentation for details.
  • Fix The option to Skip the NONCE verification – on the plugin’s Miscellaneous configuration page – has been restored.
  • Fix Due to the NONCE verification causing many false-positives, it now generates a warning instead of an error and will no longer prevent users from being able to log in. Administrators are advised to regularly check their debug logs (or configure logging to Application Insights).

21st October 2020 / wp365-login[WPO365 | LOGIN] / v11.13

  • Fix The plugin will now use WordPress nonces instead.
  • Fix For WordPress Multisite installations the plugin will now try to delete the top level auth cookies to prevent an infinite loop.
  • Fix When the license activation receives a 403 Forbidden it will transparently show this to customers who try to activate their license.

14th October 2020 / wp365-login[ALL VERSIONS] / v11.12

  • Fix Now the plugin – when requesting data from Microsoft Graph’s /me endpoint – will enforce using delegated (instead of application) permissions.
  • Fix When activation of a license of a premium extension fails the plugin will now log the raw response as an error.

13th October 2020 / wp365-login[WPO365 | LOGIN, WPO365 | INTRANET] / v11.11

  • Fix The (WPO365 | INTRANET edition’s version of the) Employee Directory app now allows for configuring a separate initial query when auto-search has been enabled.
  • Fix Functionality to activate the license of the WPO365 | PROFILE+ extension has been restored after it was broken after an earlier change.

12th October 2020 / wp365-login[WPO365 | LOGIN] / v11.10

  • Fix The user look-up algorithm did not search for preferred_username and as a result would not find users with no UPN and email address in their ID token. However, when it then tried to create a new user, an error was thrown in case that user already existed.
  • Fix If the SAML 2.0 response is deemed not valid the plugin will now log the reason as a warning in the debug log.

8th October 2020 / wp365-login[ALL VERSIONS] / v11.9

  • Improvement Administrators of all premium extensions can now choose to disable the default WordPress behavior of sending an email to a user when his / her email has changed. See the online documentation for details.
  • Improvement The plugin will not intercept requests if initiated from WP CLI.
  • Fix Functionality to activate the license of a premium extension has been restored after it was broken after an earlier change.
  • Fix Functionality to retrieve (partial) templates has been restored after it was broken after an earlier change.
  • Fix Arguments passed to the developer hooks (as documented here) have been updated.

4th October 2020 / wp365-login[ALL VERSIONS] / v11.8

  • Feature An Administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now upload a custom HTML template and replace the default loading bars. See the online documentation for details.
  • Improvement An administrator can now configure the plugin to tell Microsoft to show the Select Account prompt, when it redirects a user to sign in with Microsoft. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | INTRANET extension) can now configure the full Microsoft Graph query for the Employee Directory / Contacts app when searching for employees and colleagues. This allows for more advanced queries for example using $count, $filter, $search. This improvement now also allows to search in (transitive) members of a group. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | SYNC and WPO365 | INTRANET extension) that configured the synchronization of Microsoft 365 profile images (to replace the user’s default WordPress Avatar) now has an extra option to instruct the plugin only to refresh an expired profile image of the logged-in user. The plugin will, however, bypass this restriction whenever the administrator synchronizes users on-demand, users are synchronized based on a schedule or a user is being updated through Azure AD’s User provisioning (SCIM). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the order in which the plugin tries to find a matching WordPress user for the user that signs in with Microsoft (choices are upn, preferred_username, email and login). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the plugin to bypass updating a WordPress user role. This is especially useful for WordPress installations where the users are created manually or WordPress roles are not managed by a WPO365 plugin extension.
  • Improvement An administrator of the WPO365 | LOGIN (free) edition can now choose to disable the automatic registration of new users.
  • Fix Customers reported seeing the ID token not found in posted data error which may be a result of the plugin’s test mode not being disabled. The plugin will now immediately toggle the test mode and only start the Plugin self-test when an ID token is found (in case SAML 2.0 is not configured).
  • Fix The Documents (Microsoft 365) App now supports library titles with special characters.
  • Fix The plugin now checks for existing (WordPress) roles when analyzing whether it should add the default role as fallback or not.

26th September 2020 / wp365-login[ALL VERSIONS] / v11.7

  • Feature The plugin can now be configured to send WordPress emails using Microsoft Graph as an attractive alternative to sending mail via SMTP.
  • Change Support for symmetric algorithms to decrypt the JWT tokens has been removed.
  • Change The user-look-up algorithm first tries to look up a WordPress user by its user principal name (UPN) when that user is not an external user / guest user before it retries using the preferred login name, the user’s email address and lastly the user’s account name.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.6

  • Fix The automatic update functionality for WPO365 extensions is now better embedded in the overall WordPress update experience.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.5

18th September 2020 / wp365-login[ALL VERSIONS] / v11.4

  • Fix Activation of (premium) licenses is now working as expected.
  • Fix Auto-update of (premium) extensions is now working as expected.

17th September 2020 / wp365-login[ALL VERSIONS] / v11.3

  • Improvement The nonce generator and validator have been updated in an effort to reduce the risk of nonce not being found.
  • Improvement The plugin won’t generate errors anymore when it cannot connect to Microsoft Graph to retrieve the current user’s profile in an attempt to improve the data quality when the administrator has not configured the integration portion of the plugin.
  • Fix For reasons of backward compatibility, the plugin now only tries to retrieve all groups that a user is a member of if the ID token doesn’t contain this information.
  • Fix The plugin now generates a warning instead of an error when it cannot retrieve a user’s manager.

16th September 2020 / wp365-login[WPO365 | SYNC and WPO365 | INTRANET] / v11.2

  • Fix Added missing class method to parse manager details.

15th September 2020 / wp365-login[ALL VERSIONS] / v11.1

  • Fix Domain whitelist now looks both at the email and the login domain.
  • Fix The plugin now checks if the administrator has configured an application secret.
  • Fix The plugin now only tries to save a refresh token if one is present.
  • Fix The wizard now ensures that the INTRANET apps are loaded from the correct source folder.

13th September 2020 / wp365-login[ALL VERSIONS] / v11.0

  • Breaking Change The source code of the plugin has been completely restructured. Developers that extended the plugin with their own functionality must carefully review the changes.
  • Breaking Change All premium editions of the plugin now require the latest BASIC edition of the plugin to be installed and activated. A notification will be shown to admins upon upgrade to update, install and / or activate it.
  • Breaking Change Support for legacy Azure AD App registrations has been removed. The plugin will now always try and connect to Azure AD v2 endpoints for authorization and optionally to obtain tokens.
  • Breaking Change Support for Avatars stored as WordPress user meta (in the WordPress database) has been removed. Avatars downloaded from Microsoft 365 / Azure AD will now always be stored in the /wp-content folder.
  • Breaking Change Support for the deprecated Dual Login feature is removed. Admins can instead toggle WP Admin > WPO365 > Login / Logout > Dual login V2.
  • Breaking Change Support for the deprecated Sign in with Microsoft shortcode [wpo365-sign-in-with-microsoft-sc] has been removed. Admins should configure the Sign in with Microsoft v2 shortcode instead.
  • Feature Administrators can now choose between SAML 2.0 based single sign-on and OpenID Connect single sign-on (which remains the default option).
  • Feature The BASIC edition of the plugin will automatically create a new user in WordPress (but not synchronize user profile fields such as first and last name). However, this feature can be disabled by admins.
  • Improvement User synchronization now supports WordPress Multisite (WPMU) installations and always synchronizes users to the subsite from which the synchronization was started.
  • Improvement The plugin now remembers the tenant ID of a user and uses that information when – in case of multi tenancy – it needs to retrieve data e.g. a user’s profile image from Microsoft Graph.
  • Fix The plugin no longer relies on the ID token to contain the (Azure AD / Microsoft 365 / distribution list) groups that a user is member of. Instead the plugin will always try to obtain this information from Microsoft Graph (but only if needed).
  • Fix The plugin no longer replaces stored avatars when it tries to refresh that avatar but it fails e.g. because of insufficient permissions.
