Change Log

Latest changes

22nd July 2022 / v18.2

  • Fix Recent changes to the built-in notification service could cause a fatal error on older PHP versions; this has now been fixed. [LOGIN]

18th July 2022 / v18.1

  • Fix If the plugin is configured to send WordPress emails using Microsoft Graph then it will now always replace the From email address if WordPress tries to send emails from wordpress@[sitename]. WordPress will propose this email address if no email is set by the plugin sending the email (for example Contact Form 7). This email may pass checks as a valid email address but in reality this email address most likely does not exist. The option to fix the “localhost” issue has been removed since this fix improves the behavior for all hosts (incl. localhost). [LOGIN]
  • Improvement Various wp-admin banners as well as some translations have been updated. Also a teaching bubble is shown on the Single Sign-on page to help admins quickly find the WPO365 documentation center at https://docs.wpo365.com/. [LOGIN]

4th July 2022 / v18.0

  • Change Administrators who selected OpenID Connect based single sign-on can now choose between the Hybrid Flow and the Authorization Code Flow. New installations will automatically be configured using Authorization Code Flow. Read more [LOGIN]
  • Change Support for Azure AD B2C custom policies (sign-up, sign-in and password reset) is no longer a premium feature. [LOGIN]
  • Change All features of WPO365 | CUSTOM USER FIELDS extension are from now on supported by the WPO365 | LOGIN+ extension. See our website for details and pricing. [CUSTOM USER FIELDS, LOGIN+]
  • Change A new WPO365 Features Dashboard has been added that allows administrators to toggle features such as SSO, MAIL and SYNC on or off. [LOGIN]
  • Feature Admins can now choose to hide the WordPress Admin Bar for specific roles. [LOGIN]
  • Feature Requesting access tokens from Azure AD can now be further secured using a Proof Key for Code Exchange (PKCE). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with Azure AD generated OAuth access tokens (PREMIUM). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with WordPress REST cookies. [LOGIN]
  • Improvement Azure AD B2C custom claims sent in the ID token can now be mapped to custom WordPress user meta fields. [LOGIN+, SYNC, INTRANET]
  • Improvement When a “From” address is specified in, for example, an email form, that address will be used to send the email from (instead of the configured “From” address), provided the address specified in the form appears to be valid. This behavior is a premium feature and not enabled by default. [MAIL, SYNC, INTRANET]
  • Improvement Admins can now set a different Azure AD tenant for sending WordPress emails using Microsoft Graph when the plugin is configured for Azure AD B2C based single sign-on. [ALL]
  • Improvement Admins can now update the priority for the get_avatar hook on the plugin’s User sync page (default 1). [AVATAR, SYNC, INTRANET]
  • Improvement The plugin is now able to work with the more appropriate GroupMember.Read.All permissions instead of Group.Read.All and admins who configured role based access restriction are advised to update the API permissions for the registered application in Azure AD. [ROLES+ACCESS, SYNC, INTRANET]
  • Fix The logic to detect the blog ID in a WordPress Multisite (WPMU) will always test with a trailing slash. [LOGIN]
  • Fix A (custom) login message – for example created with LoginPress – will now show as expected. [ALL]
  • Fix Non-dynamic roles in an identities configuration used to enable RLS when embedding Power BI content no longer causes a fatal error. [M365 APPS, INTRANET]
  • Fix It is now possible to save empty custom user profile fields when manually updating a user’s profile. [CUSTOM USER FIELDS, SYNC, INTRANET]

26th May 2022 / v17.5

  • Change Sending mail as HTML is no longer a premium feature. [LOGIN, MAIL, SYNC, INTRANET]
  • Change Saving sent emails in Sent Items is no longer a premium feature. [LOGIN, MAIL, SYNC, INTRANET]
  • Change The plugin will now always force the use of the WPO365 avatar feature if this is enabled by removing other similar filters. [AVATAR, SYNC, INTRANET]
  • Improvement Administrators can now configure the WPO365 plugin to prevent WordPress sending a notification to admins when a user changes a password. [LOGIN+, SYNC, INTRANET]
  • Improvement The Graph Mailer components have been refactored for improved logging / auditing. [LOGIN, MAIL, SYNC, INTRANET]
  • Fix Login button label’s text will not be wrapped on a new line. [LOGIN]
  • Fix The premium mail function to log all emails sent did not properly return and when used in combination with another mail plugin – e.g. WP HTML Mail – emails were not sent as expected. [MAIL, SYNC, INTRANET]
  • Fix The mail-log table can now be scrolled horizontally. [MAIL, SYNC, INTRANET]
  • Fix Sending a test email with attachment is now supported by all versions. [LOGIN]
  • Fix The plugin will not try to send attachments larger than 3 Mb (to prevent the mail being refused by the Microsoft Graph API). [LOGIN]
  • Fix The Azure AD based Employee Directory app will now retrieve the user’s profile and cache it separately from the cache of employees as this sometimes would break the hierarchy. [M365 APPS, INTRANET]

1st May 2022 / v17.4

  • Improvement You can now create a shortcode based app to embed Power BI content that supports the App owns data scenario and configure it to use the 2nd (app-only) AAD App registration. This is especially useful when the administrator configured Microsoft Azure AD B2C or SAML 2.0 based single sign-on and the AAD App registration for SSO cannot be used. [M365 APPS, INTRANET]
  • Fix Several issues related to PHP 8.x – e.g. support for deep-links – have been fixed. [ALL]
  • Fix When an administrator has hidden the login button the artifacts required to initiate the WPO365 Sign in with Microsoft flow – e.g. needed for a custom login button or Dual Login – are now loading correctly. [LOGIN]

19th April 2022 / v17.3

  • Change The default login button’s accessibility has been improved and now uses a BUTTON element (previously a DIV) with an aria-label that corresponds to the button’s caption. [LOGIN]
  • Improvement For new installations of the plugin the default value of the session duration has been updated to 0 (was 3600) and a user will not be automatically forced to re-authenticate after 1 hour. [LOGIN]
  • Fix The (basic / free version of the) Microsoft 365 shortcode app to embed a SharePoint / OneDrive Documents Library now correctly recognizes when it should use the new WPO365 REST API for Microsoft Graph instead of the older token service. [LOGIN]
  • Fix The exception level for Serious attempt to try to bypass authentication has been changed from ERROR to WARN since many false positives have been reported. [LOGIN]

8th April 2022 / v17.2

  • Improvement When the WPO365 plugin is used to send WordPress emails, it will now honor a reply-to email address defined externally e.g. when using Contact Form 7. [ALL]
  • Fix The Microsoft 365 shortcode app for SharePoint Online Search now properly encodes the query template / custom written query to enable the use of double quotes when defining values for a managed property e.g. Path:"https://wpo365demo.sharepoint.com/sites/contoso/Shared Documents". To benefit from this you must re-create the shortcode for the app. [M365 APPS, INTRANET]
  • Fix When using the Dual Login Feature the plugin no longer adds an HTML DIV element with a duplicate ID. [LOGIN+, SYNC, INTRANET]

25th March 2022 / v17.1

  • Change The Microsoft 365 shortcode app for embedding Power BI has been thoroughly updated to work with the recently introduced WPO365 REST API for Microsoft Graph. Existing shortcodes will continue to work with the WordPress AJAX API but it is recommended to update those apps by creating new shortcodes using the Shortcode Generator. Please refer to the updated documentation for guidance. [M365 APPS, INTRANET]
  • Change The Microsoft 365 shortcode app for embedding Power BI now supports dynamic tokens used when defining Effective Identities when row-level-security (RLS) is configured for the dataset. Dynamic tokens can be replaced with direct attributes of a WordPress user or alternatively user meta. Please refer to the updated documentation for guidance on how to use dynamic tokens. [M365 APPS, INTRANET]
  • Improvement Newly created Microsoft 365 shortcode app for embedding Power BI will cache access tokens in the browser’s session storage and this cache will be emptied when the user navigates away from the page. [APPS, INTRANET]
  • Fix The license checker will not show a warning for development, test and staging environments if those web addresses can be identified as such. It will also not show a warning for each subsite in a WordPress Network. [ALL PREMIUM]
  • Fix Use the home URL instead of the site URL (where WordPress application files are accessible) for the base URI when connecting to the WPO365 REST API for Microsoft Graph. [ALL]
  • Fix Administrators can activate Internet Explorer 11 compatibility mode (at the cost of losing the integration capability with Microsoft Teams) when they go to WP Admin > WPO365 > … > Miscellaneous and toggle the corresponding option. [ALL]

18th February 2022 / v17.0

  • Breaking The End User License Agreement will be updated from 1st April 2022 and a license for a premium extension will always be linked to the domain of the WordPress instance. Therefore you may need additional licenses for development, test and staging instances if those are set up under different domains. Starting with this version premium extensions / bundles will generate a warning that a license is required if no valid license was found for that particular instance. [ALL EXTENSIONS / BUNDLES]
  • Breaking Additional configuration is needed for the WPO365 REST API for Microsoft Graph that is currently used by the WPO365 | DOCUMENTS Gutenberg Block, WPO365 User synchronization and the updated versions of the M365 APPS (included in this release) to keep your data as safe and secure as possible. On the plugin’s Integration page in the section labelled Microsoft 365 Apps you must now specify whether users must be signed in (with Microsoft) when they connect to the API, which Microsoft Services endpoints are allowed, whether apps may request application-level tokens (instead of user-level tokens with delegated permissions) and whether proxy-type requests are permitted. [ALL]
  • Breaking Because the direct use of PHP cURL has been removed in favor of WordPress’ builtin HTTP API the cURL Proxy Address setting has been removed. Please refer to the WordPress documentation for instructions how you can use WP_PROXY_HOST and WP_PROXY_PORT if you need to configure a proxy for outgoing network connections. [ALL]
  • Change The Microsoft 365 shortcode apps for embedding SharePoint Online Search, a SharePoint / OneDrive Online Document Library, a Microsoft Graph based Employee Directory and a Yammer Feed have been thoroughly updated to work with the recently introduced WPO365 REST API for Microsoft Graph. Existing apps will continue to work with the WordPress AJAX API but it is recommended to update those apps by creating new shortcodes using the Shortcode Generators. [M365 APPS, INTRANET]
  • Improvement The WPO365 SCIM Client for Azure AD User provisioning can now be configured to retrieve the user’s Azure AD object ID. This is needed if the plugin needs to retrieve additional user attributes, a user’s profile picture or Azure AD group memberships from Microsoft Graph. See the Troubleshooting paragraph of the SCIM online documentation for details. [SCIM, INTRANET]
  • Improvement The (Microsoft Graph) based Employee Directory shortcode app has been updated and can now be configured to use SharePoint People Search to search for users by skills, projects and other profile attributes. It will also include profile details on the user’s Info tab (when using the Contacts template and if the user has updated his / her profile). See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The (Microsoft Graph) based Employee Directory shortcode app also can now be used by users that did not sign in with Microsoft. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The SharePoint / OneDrive Documents shortcode app (to embed a SharePoint library in WordPress) is no longer considered deprecated and has instead been updated and can now also be configured to allow access to anonymous users and to retrieve and render custom SharePoint columns / fields. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The SharePoint / OneDrive Documents shortcode app also can now be configured to read its configuration (SharePoint site collection, title of the library and optionally a folder path) from a number of querystring parameters. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement Also the Documents Gutenberg Block has been updated and can now be configured to read its configuration (SharePoint site collection, title of the library and optionally a folder path) from a number of querystring parameters. See the online documentation for details. [M365 APPS, INTRANET]
  • Improvement The Microsoft Graph mailer for WordPress feature can now log all outgoing WordPress transactional emails and allows you to try to re-send emails that previously failed to send. See the online documentation for details. [MAIL, SYNC, INTRANET]
  • Improvement The builtin Microsoft Graph mailer for WordPress now supports sending of attachments. See the online documentation for details. [ALL]
  • Improvement The Microsoft Graph mailer for WordPress can now be configured to send all outgoing transactional emails as BCC to help you prevent reply-to-all mail pollution. See the online documentation for details. [MAIL, SYNC, INTRANET]
  • Improvement On the plugin’s User sync configuration page in the section Custom user fields you can now select how you would like the WPO365 plugin to update a WordPress user’s display name. Possible choices are: Same as the display name according to Azure AD, given name and surname according to Azure AD or surname, given name according to Azure AD. [CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement The plugin will now always apply the Azure AD user attribute to WordPress user meta mappings regardless of whether you have opted to show them on a WordPress user profile page. [CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement A new endpoint has been added to the WPO365 REST API for Microsoft Graph where developers can send a preformatted Microsoft Graph request which will be transparently proxied to Microsoft Graph in the context of the current user. This endpoint must be separately enabled. [ALL]
  • Improvement Another endpoint has been added to the WPO365 REST API for Microsoft Graph where developers can request an OAuth access token for Microsoft Graph in the context of the current user. This endpoint must be separately enabled. [ALL]
  • Improvement In accordance with the WordPress developer guidelines direct use of PHP cURL has been removed and instead the plugin now uses WordPress’s builtin HTTP API. [ALL]
  • Fix The OneLogin library (used for adding SAML support to the plugin) has been updated to the latest version. Small modifications have been made to further ensure compatibility with PHP 8. [ALL]
  • Fix In accordance with the WordPress developer guidelines all output has been secured / escaped. See the official WordPress documentation for details. [ALL]
  • Fix A bug has been fixed that prevented the Internet Auth.-only Authentication Scenario from working correctly. [LOGIN+, SYNC, INTRANET]
  • Fix A bug has been fixed that prevented the WordPress Users page from loading correctly when using WPO365 Audiences. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix A bug has been fixed that prevented the WPO365 Wizard / Configuration pages from handling non-latin characters. [ALL]
  • Fix Version bump for all WPO365 plugins.

3rd December 2021 / v16.1

  • Fix Audiences no longer generates a warning for users that have not signed in with Microsoft. [ROLES + ACCESS, PREMIUM, INTRANET]

30th November 2021 / v16.0

  • Feature Audiences Create virtual groups of users and restrict access to WordPress posts and pages to members of these groups. An Audience is a group of users that is dynamically populated based on rules (or better: one or more Azure AD group IDs) that define who is a member of that Audience. See the online documentation for details. [ROLES + ACCESS, PREMIUM, INTRANET]
  • Feature Secured by Azure Active Directory Two new authentication scenarios have been added that require visitors to sign in with Azure AD / Microsoft without attempting to sign them in as WordPress users. See the updated online documentation for details. [LOGIN+, PREMIUM, INTRANET]
  • Change Your users can now benefit from true Single Sign-on support for Microsoft Teams Tabs and Apps that embed a WordPress website (without additional popups if the user is from the own organization). See the updated online documentation for instructions how to update the App registration in Azure AD. [ALL]
  • Change The loading bars (when redirecting to Microsoft) have been replaced with a circular spinner. Administrators can choose to re-activate the old loading bars when they navigate to WP Admin > WPO365 > … > Miscellaneous. [ALL]
  • Improvement Administrators can now choose to use WP-Config(.php) for AAD secrets when they navigate to WP Admin > WPO365 > Single Sign-on, click to show the advanced configuration options and check the corresponding option. See online documentation for details. [LOGIN+, PREMIUM, INTRANET]
  • Improvement Administrators can now define the length of WordPress passwords created by the plugin when they go to WP Admin > WPO365 > … > Miscellaneous. See online documentation for details. [ALL]
  • Fix When switching between configurations the plugin now resets the settings before switching, preventing newer settings from being added automatically to an older configuration. [PREMIUM, INTRANET]
  • Fix The page on which a Documents app(s) has been embedded will no longer jump to the top of the app. [ALL]
  • Fix Uncaught error: Class DateTime not found [ALL].
  • Fix The plugin will now recognize correctly – when WordPress Multisite has been enabled – the subsite’s ID when the Azure AD Redirect URI points to WP-Admin. [ALL]
  • Fix The plugin will now delete an itthinx Groups assignment for a user if that user has been removed from the mapped Azure AD group. [GROUPS, INTRANET]
  • Fix Anonymous users no longer are asked to sign in when they attempt to download a document from SharePoint. [DOCUMENTS, INTRANET]
  • Fix Version bump for all plugins, extensions and bundles. [ALL].

29th September 2021 / v15.4

  • Fix This version patches two XSS (cross-site scripting) security flaws (thanks to Gary O’Leary-Steele from AppCheck and Sailesh Parmar) [ALL].
  • Fix Password reset is no longer blocked for users that are administrators for the WordPress site [ALL].
  • Improvement If the user clicks the Sign in with Microsoft button on the (default) login form in Teams the user will now be redirected to the home page (or to the page the user intended to navigate to) [ALL].

27th September 2021 / v15.3

  • Fix Overall stability of user synchronization when starting, re-starting and stopping manually [SYNC, INTRANET].

23rd September 2021 / v15.2

  • Change Administrators can now choose to grant application type permissions to the existing App registration and creating a 2nd App registration is (still supported but) no longer necessary or recommended [ALL].
  • Fix The domain hint variable was undefined for one of the plugin’s self-tests [ALL].
  • Fix The avatar self-test will no longer fail if the request is successful but no image was found [AVATAR, SYNC, INTRANET].

22nd September 2021 / v15.1

  • Improvement Administrators can now configure a reply-to address when sending WordPress mail using Microsoft Graph [MAIL, SYNC, INTRANET].
  • Fix A cross-site scripting issue with the redirect JavaScript has been resolved [ALL].
  • Fix The User synchronization processor will now skip Azure AD (directory) objects that are not users (e.g. groups) [SYNC, INTRANET].
  • Fix The plugin will now determine correctly whether or not a request is for the WordPress REST API [ALL].
  • Fix Instant help pages will now only be loaded on-demand [ALL].

9th September 2021 / v15.0

  • Feature User synchronization V2 (see this article for details) [SYNC, INTRANET].
  • Change Emails sent will respect the Content-Type header and if no header is defined emails will be sent as text by default (only applies to emails sent using Microsoft Graph) [ALL].
  • Improvement Administrators can now configure the plugin to update attributes of users that are administrators (incl. dynamically assigned roles, see this article for details) [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement When the author of a post is deleted through Azure AD User provisioning (SCIM) that post can now be re-assigned to another WordPress user [SCIM, INTRANET].
  • Improvement When a user’s manager is already provisioned to WordPress through Azure AD User provisioning (SCIM) the manager’s details will be collected if a custom field mapping for the ‘manager’ field has been configured [SCIM, INTRANET].
  • Improvement Administrators of a WordPress Multisite can now configure Azure AD group based mappings to dynamically assign the Super Administrator role (see this article for details) [ROLES + ACCESS, SYNC, INTRANET].
  • Improvement An administrator can now configure an external URL as custom error page where a user will be sent when authentication fails [LOGIN+, SYNC, INTRANET].
  • Improvement Support for Report control filters when embedding Power BI reports in WordPress [M365 APPS, INTRANET]
  • Improvement A new configuration will prevent the Content by Search app from scrolling the page to the top of the search results [M365 APPS, INTRANET].
  • Improvement Additional translations for the Employee Directory app [ALL].
  • Improvement An administrator can configure the plugin so that a deactivated user can be re-activated when he / she successfully signs in with Microsoft (see this article for details) [SCIM, PREMIUM, INTRANET].
  • Improvement The Plugin self-test results can now be downloaded as a JSON file [ALL].
  • Improvement Additional tests have been added to the Plugin self-test to improve the configuration of user synchronization [SYNC, INTRANET].
  • Improvement Some issues identified by the Plugin self-test can now be fixed by a simple button click [ALL].
  • Improvement The Plugin’s Debug Log can now be downloaded as a JSON file [ALL].
  • Improvement More custom hooks were added for when a user is created, authenticated and added to a blog (see this article for details) [ALL].
  • Fix A de-activated user can now be re-activated when that user is added again by Azure AD User provisioning (SCIM) [SCIM, INTRANET].
  • Fix When a user is de-activated by Azure AD User provisioning (SCIM) all roles will be removed [SCIM, INTRANET].
  • Fix A deactivated user can no longer sign in with WordPress credentials [SCIM, SYNC, INTRANET].
  • Fix Administrators can fix an issue when sending emails using Microsoft Graph from localhost by checking the corresponding option on the plugin’s Mail configuration page [ALL].

12th July 2021 / v14.1

  • Fix Added URL decoding for base64 encoded ID tokens that contain special characters [ALL].
  • Fix The plugin will no longer try to get tenant specific JSON Web Key sets when verifying the ID token’s signature if support for multi-tenancy is enabled but instead download the common keys from https://login.microsoftonline.com/common/discovery/v2.0/keys [ALL].

5th July 2021 / v14.0

  • Feature Full support for Azure AD B2C incl. the configuration of a custom domain and an Azure AD B2C policy to redirect users to corresponding custom Azure AD B2C endpoints to login and obtain ID and access tokens [LOGIN+, SYNC, INTRANET].
  • Change Now the plugin uses the phpseclib (see https://phpseclib.com/) to verify the signature of the ID token received from Microsoft. The previously used Firebase/JWT library is still included for fallback purposes and administrators can navigate to WP Admin > WPO365 > … > Miscellaneous to enable the use of the older ID token parser in case of any issues.
  • Fix All WP AJAX endpoints have been renamed and include a namespace to avoid conflicts with other plugins after some users reported that they were not able to save the configuration [ALL].
  • Fix Improved HTML encoding for the Employee Directory app’s query expression [ALL].
  • Fix When retrieving data from Microsoft Graph the plugin will now (in most cases) try to do so by a user’s Object ID and only use the user principal name (UPN) for fallback [ALL].
  • Fix When the Documents Gutenberg Block tests its configuration it now does so independent of the configured Microsoft Graph Version (recommended version – however – remains Beta) [ALL].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

24th May 2021 / v13.0

  • Feature A brand new Gutenberg Block to display a SharePoint or OneDrive Document Library (or recently used documents) with an advanced column / field configuration editor and the exciting new option to grant anonymous users (that didn’t sign in with Microsoft) access to those files (see online documentation for details) [LOGIN, (premium features: DOCUMENTS, INTRANET)].
  • Feature A new RESTful API that transparently gives developers access to selected Microsoft Graph API endpoints so they can build client-side Microsoft 365 integrated apps for WordPress in their favorite programming language and without the hassle and complexity of implementing authentication and authorization because the WPO365 | LOGIN plugin takes care of all that (see online documentation for details) [LOGIN].
  • Improvement The Contacts (Employee Directory) App now “remembers” its search results when an employee is selected from the result list [APPS, INTRANET].
  • Improvement The (premium version) Content by Search App now checks if the default search parameter “s” is present in the current page’s URL when the auto-search option has been enabled, allowing for a deep integration of the app on a WordPress search result page [APPS, INTRANET].
  • Improvement The plugin now detects a Microsoft Graph $count query and automatically adds the ConsistencyLevel = True header, thus allowing for advanced queries with $filter that use endsWith and $search. For example, you can now write a User sync query that includes all users from a specific organization as follows: myorganization/users?$count=true&$filter=endsWith(userPrincipalName,%27@example.com%27)&$top=10 [LOGIN].
  • Fix When a user attribute in Azure AD has been deleted the plugin will delete the corresponding custom user field in WordPress [CUSTOM USER FIELDS, SYNC, INTRANET].
  • Fix The Content by Search App no longer will fail if it’s fetched data before the page has finished loading [APPS, INTRANET].
  • Fix When sending an email from WordPress using Microsoft Graph fails, only the error (instead of the message as a whole) will be logged [LOGIN].
  • Fix The plugin’s configuration pages (wizard) are now loaded using WordPress’ own script enqueueing mechanism [LOGIN].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

16th April 2021 / ALL / v12.14

  • Fix The Plugin self-test would encounter an error when the administrator configured SAML 2.0 [ALL].
  • Fix When using SAML 2.0 the plugin will now also read the user’s AAD object ID (which is needed for integration scenarios such as retrieval of a user’s profile, Azure AD group memberships etc.) [ALL].

7th April 2021 / ALL / v12.12

  • Feature Administrators can save multiple WPO365 configurations and select one of the saved configurations as the current one [SYNC, INTRANET]
  • Feature Administrators can edit and save / import and export a configuration‘s JSON representation [SYNC, INTRANET].
  • Improvement The Plugin self-test has been greatly improved and now tests various scenarios in an attempt to provide better support and guidance when configuring the plugin [ALL].
  • Fix The option to de-activate instead of delete users when synchronizing was working in the opposite way and this has been corrected [SYNC, INTRANET].
  • Fix An administrator can now update passwords for users that sign in with Microsoft even if he / she configured the plugin to block password updates [ALL].
  • Fix When determining whether a user has properties that match with (one of) the tenant’s domain(s) the plugin now tries to do so in a case-insensitive way [ALL].
  • Fix When scheduling daily user synchronization the first event will be scheduled for this week and no longer skip the first week [SYNC].

12th March 2021 / LOGIN, APPS, AVATAR, SYNC, INTRANET / v12.11

  • Improvement Tested up to 5.7.
  • Fix The plugin will now save a user’s Azure AD object ID and use it when retrieving a user’s profile image, which otherwise fails for guest users when using the Azure AD user principal name [LOGIN, AVATAR, SYNC, INTRANET].
  • Fix The Microsoft 365 Documents App ability to restrict content to a specific folder (and its sub folders) stopped working and the error causing it has been fixed [APPS, INTRANET].

7th March 2021 / LOGIN / v12.10

  • Fix The Microsoft Teams integration now will honor the login hint (if you add ?login_hint={loginHint} to the WordPress URL for your Tab or App) [ALL].
  • Fix The plugin now tries to recognize SSL and will update the WordPress (Site) Address (URL) whenever it retrieves the WordPress home option from WordPress [ALL].

25th February 2021 / LOGIN | AVATAR | LOGIN+ | SYNC | INTRANET / v12.9

  • Improvement Administrators who configured SAML 2.0 based Single Sign-On can now request that users re-authenticate by including a forceAuthn=true flag in the SAML request [LOGIN+, SYNC, INTRANET].
  • Fix The error reason for failed SAML sign-in requests is now included in the error message [ALL].
  • Fix The full email message (JSON) is now logged in case of an error when sending WordPress emails using Microsoft Graph [ALL].
  • Fix The plugin no longer tries to create a folder for downloaded Microsoft 365 profile images when it already exists [AVATAR, SYNC, INTRANET].

7th February 2021 / WPO365 | LOGIN / v12.8

4th February 2021 / WPO365 | LOGIN / v12.7

  • Fix The plugin no longer requires an authorization code / refresh code to retrieve an access token when configuring a Power BI embed for your customers (also known as Application owns data) [LOGIN, M365 APPS, INTRANET].

1st February 2021 / WPO365 | LOGIN / v12.6

  • Fix Earlier saving of the user information retrieved from the ID token / SAML response resolves an issue for multi-tenanted apps to request an access token from another tenant than the home tenant [WPO365 | LOGIN].

25th January 2021 / WPO365 | ALL extensions and bundles / v12.5

  • Feature Administrators can now enable Single Sign-On for the (default / custom) login page (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Feature [preview] Administrators can now enable Single Sign-On for pages / posts that have limited (private) visibility (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Translations and update the caption for the Sign in with Microsoft button as well as several other error messages.
  • Improvement Administrators of WordPress Multisite networks can now prevent the plugin from adding users to a subsite (see online documentation for details) [LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now disable the WPO365 session expiration when they navigate to WP Admin > WPO365 > Single Sign-On and reconfigure the Session Duration option and set it to 0 (see online documentation for details) [LOGIN].
  • Improvement The WPO365 configuration pages have been optimized and streamlined with the new recently added extensions [LOGIN].

14th January 2021 / WPO365 | ALL extensions and bundles / v12.4

  • Fix Administrators can now choose a default avatar when they navigate to WP Admin > Settings > Discussion and scroll to the Default Avatar section [AVATAR, SYNC, INTRANET].
  • Fix User synchronization will now recognize Azure AD Guests by their UPN instead of their preferred user name and thus no longer ignore Azure AD Guests when processing batches of users retrieved from Microsoft Graph [SYNC, INTRANET].
  • Fix The /me context will only be used if the plugin believes it can acquire an access token on behalf of that user [ALL extensions / bundles].

4th January 2021 / wp365-login[LOGIN, SYNC, INTRANET] / v12.3

  • Fix Active extension (SYNC and / or INTRANET) was not correctly detected, causing (manual) user synchronization not to reload as expected but instead showing a white screen.

2nd January 2021 / wp365-login[LOGIN] / v12.2

  • Fix License management page for WordPress Multisite now showing as expected (network admin only).

31st December 2020 / wp365-login[LOGIN] / v12.1

  • Fix Item ID search algorithm not finding item to activate the license for and failing without a notification showing.

30th December 2020 / wp365-login[ALL] / v12.0

  • (Breaking) Change Licenses are now administered on a separate configuration page. The new License (administration) page can be accessed via WP Admin > WPO365 > Licenses. Existing licenses must be re-entered for the automatic update function to work as expected.
  • Change Introduction of new Extensions for MAIL, AVATAR, CUSTOM USER FIELDS, GROUPS, APPS, ROLES + ACCESS and SCIM.
  • Improvement In an attempt to unclutter the WordPress Admin Dashboard, the plugin will no longer show the last (three) error(s). Instead a notification that errors have been encountered will be shown with a link to the main WPO365 configuration page where the full error message(s) are shown.

18th December 2020 / wp365-login[LOGIN] / v11.20

  • Improvement Users who have configured SAML 2.0 can create a custom button to include a domain hint that translates to an additional whr parameter. See the updated documentation for recommended configuration.
  • Improvement The request for a plugin-review now only shows on the WPO365 configuration pages and can be turned off permanently.
  • Fix Avatar filter priority lowered to 99999 to have precedence over other plugins e.g. Ultimate Member.

14th December 2020 / wp365-login[LOGIN, SYNC, INTRANET] / v11.19

  • Fix User synchronization no longer deactivates / deletes users that cannot be linked to an existing Microsoft 365 / Azure AD account (administrators must make sure to update the Custom domains list on the plugin’s User registration page).
  • Fix (Array to string conversion) Error whenever an email could not be sent successfully through Microsoft Graph.

25th November 2020 / wp365-login[ALL] / v11.18

  • (Breaking) Change Improved support for WordPress Multisite with mapped domains and subsite specific WPO365 configuration. See updated online documentation for recommended configuration scenarios of WordPress Multisite installations.
  • Feature Administrators (of the LOGIN+, SYNC and INTRANET extensions) can navigate to WP Admin > WPO365 > User registration and configure the plugin to create shorter WordPress names e.g. john.doe instead of john.doe@your-tenant.onmicrosoft.com. See online documentation for details.
  • Improvement Prevention of users getting stuck in infinite loops through smart detection. See updated online documentation for additional considerations.
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Miscellaneous and delete the current WPO365 configuration.
  • Improvement When administrators (of the LOGIN+, SYNC and INTRANET extensions) have configured the Post sign-out URL option, the plugin will now also redirect users that did not sign in with Microsoft.

11th November 2020 / wp365-login[WPO365 | LOGIN] / v11.17

  • Fix When using the optimized internet authentication mode (preventing the plugin from interfering with requests for pages and posts) the Sign in with Microsoft button now redirects the user correctly to the WordPress Administration instead of to the homepage.

10th November 2020 / wp365-login[WPO365 | LOGIN] / v11.16

  • Fix After a recent change the global constant WPO_AUTH_SCENARIO had been erroneously renamed to WPO_AUTH_MODE.

10th November 2020 / wp365-login[ALL] / v11.15

  • (Breaking) Change The out-of-the-box algorithm for trying to find a WordPress user for the user currently signing in with Microsoft has changed. The rule to match a user by his / her Login Name (= Azure AD preferred login name without domain suffix) has been removed. Administrators can still add this option back (see the online documentation).
  • Improvement Administrators (of the SYNC and INTRANET extensions) can now specify nested user profile properties when synchronizing WordPress user profiles with Microsoft Graph e.g. businessPhones.0 (to retrieve the first business phone of an array of possible entries) or onPremisesExtensionAttributes.extensionAttribute1 (to retrieve a custom attribute synced from Active Directory).
  • Improvement Administrators (of the LOGIN+, SYNC and INTRANET extensions) can now choose to show (new) users the option to sign up and create a new account in Azure AD B2B when they sign in with Microsoft. See the online documentation for additional considerations and prerequisites.
  • Fix When the plugin fails to create a new user during scheduled user synchronization, the schedule will continue to run and finish as expected.
  • Fix The double ‘/’ when loading the (pintra-)redirect.js file has been removed.

27th October 2020 / wp365-login[WPO365 | LOGIN] / v11.14

  • Improvement Administrators that have configured SAML 2.0 and have received error reports such as “Authentication method ‘WindowsIntegrated’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’” can now try to configure advanced settings. See the online documentation for details.
  • Fix The option to Skip the NONCE verification – on the plugin’s Miscellaneous configuration page – has been restored.
  • Fix Due to the NONCE verification causing many false-positives, it now generates a warning instead of an error and will no longer prevent users from being able to log in. Administrators are advised to regularly check their debug logs (or configure logging to Application Insights).

21st October 2020 / wp365-login[WPO365 | LOGIN] / v11.13

  • Fix The plugin will now use WordPress nonces instead.
  • Fix For WordPress Multisite installations the plugin will now try to delete the top level auth cookies to prevent an infinite loop.
  • Fix When the license activation receives a 403 Forbidden it will transparently show this to customers who try to activate their license.

14th October 2020 / wp365-login[ALL VERSIONS] / v11.12

  • Fix Now the plugin – when requesting data from Microsoft Graph’s /me endpoint – will enforce using delegated (instead of application) permissions.
  • Fix When activation of a license of a premium extension fails the plugin will now log the raw response as an error.

13th October 2020 / wp365-login[WPO365 | LOGIN, WPO365 | INTRANET] / v11.11

  • Fix The (WPO365 | INTRANET edition’s version of the) Employee Directory app now allows for configuring a separate initial query when auto-search has been enabled.
  • Fix Functionality to activate the license of the WPO365 | PROFILE+ extension has been restored after it was broken after an earlier change.

12th October 2020 / wp365-login[WPO365 | LOGIN] / v11.10

  • Fix The user look-up algorithm did not search for preferred_username and as a result would not find users with no UPN and email address in their ID token. However, when it then tried to create a new user, an error was thrown in case that user already existed.
  • Fix If the SAML 2.0 response is deemed not valid the plugin will now log the reason as a warning in the debug log.

8th October 2020 / wp365-login[ALL VERSIONS] / v11.9

  • Improvement Administrators of all premium extensions can now choose to disable the default WordPress behavior of sending an email to a user when his / her email has changed. See the online documentation for details.
  • Improvement The plugin will not intercept requests if initiated from WP CLI.
  • Fix Functionality to activate the license of a premium extension has been restored after it was broken after an earlier change.
  • Fix Functionality to retrieve (partial) templates has been restored after it was broken after an earlier change.
  • Fix Arguments passed to the developer hooks (as documented here) have been updated.

4th October 2020 / wp365-login[ALL VERSIONS] / v11.8

  • Feature An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extensions) can now upload a custom HTML template and replace the default loading bars. See the online documentation for details.
  • Improvement An administrator can now configure the plugin to tell Microsoft to show the Select Account prompt, when it redirects a user to sign in with Microsoft. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | INTRANET extension) can now configure the full Microsoft Graph query for the Employee Directory / Contacts app when searching for employees and colleagues. This allows for more advanced queries for example using $count, $filter, $search. This improvement now also allows to search in (transitive) members of a group. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | SYNC and WPO365 | INTRANET extensions) that configured the synchronization of Microsoft 365 profile images (to replace the user’s default WordPress Avatar) now has an extra option to instruct the plugin only to refresh an expired profile image of the logged-in user. The plugin will, however, bypass this restriction whenever the administrator synchronizes users on-demand, users are synchronized based on a schedule or a user is being updated through Azure AD’s User provisioning (SCIM). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extensions) can now configure the order in which the plugin tries to find a matching WordPress user for the user that signs in with Microsoft (choices are upn, preferred_username, email and login). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extensions) can now configure the plugin to bypass updating a WordPress user role. This is especially useful for WordPress installations where the users are created manually or WordPress roles are not managed by a WPO365 plugin extension.
  • Improvement An administrator of the WPO365 | LOGIN (free) edition can now choose to disable the automatic registration of new users.
  • Fix Customers reported seeing the ID token not found in posted data error which may be a result of the plugin’s test mode not being disabled. The plugin will now immediately toggle the test mode and only start the Plugin self-test when an ID token is found (in case SAML 2.0 is not configured).
  • Fix The Documents (Microsoft 365) App now supports library titles with special characters.
  • Fix The plugin now checks for existing (WordPress) roles when analyzing whether it should add the default role as fallback or not.

26th September 2020 / wp365-login[ALL VERSIONS] / v11.7

  • Feature The plugin can now be configured to send WordPress emails using Microsoft Graph as an attractive alternative to sending mail via SMTP.
  • Change Support for symmetric algorithms to decrypt the JWT tokens has been removed.
  • Change The user-look-up algorithm first tries to look up a WordPress user by its user principal name (UPN) when that user is not an external user / guest user before it retries using the preferred login name, the user’s email address and last the user’s account name.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.6

  • Fix The automatic update functionality for WPO365 extensions is now better embedded in the overall WordPress update experience.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.5

18th September 2020 / wp365-login[ALL VERSIONS] / v11.4

  • Fix Activation of (premium) licenses is now working as expected.
  • Fix Auto-update of (premium) extensions is now working as expected.

17th September 2020 / wp365-login[ALL VERSIONS] / v11.3

  • Improvement The nonce generator and validator have been updated in an effort to reduce the risk of nonce not being found.
  • Improvement The plugin won’t generate errors anymore when it cannot connect to Microsoft Graph to retrieve the current user’s profile in an attempt to improve the data quality when the administrator has not configured the integration portion of the plugin.
  • Fix For reasons of backward compatibility, the plugin now only tries to retrieve all groups that a user is a member of if the ID token doesn’t contain this information.
  • Fix The plugin now generates a warning instead of an error when it cannot retrieve a user’s manager.

16th September 2020 / wp365-login[WPO365 | SYNC and WPO365 | INTRANET] / v11.2

  • Fix Added missing class method to parse manager details.

15th September 2020 / wp365-login[ALL VERSIONS] / v11.1

  • Fix Domain whitelist now looks both at the email and the login domain.
  • Fix The plugin now checks if the administrator has configured an application secret.
  • Fix The plugin now only tries to save a refresh token if one is present.
  • Fix The wizard now ensures that the INTRANET apps are loaded from the correct source folder.

13th September 2020 / wp365-login[ALL VERSIONS] / v11.0

  • Breaking Change The source code of the plugin has been completely restructured. Developers that extended the plugin with own functionality must carefully review the changes.
  • Breaking Change All premium editions of the plugin now require the latest BASIC edition of the plugin to be installed and activated. A notification will be shown to admins upon upgrade to update, install and / or activate it.
  • Breaking Change Support for legacy Azure AD App registrations has been removed. The plugin will now always try and connect to Azure AD v2 endpoints for authorization and optionally to obtain tokens.
  • Breaking Change Support for Avatars stored as WordPress user meta (in the WordPress database) has been removed. Avatars downloaded from Microsoft 365 / Azure AD will now always be stored in the /wp-content folder.
  • Breaking Change Support for the deprecated Dual Login feature is removed. Admins can instead toggle WP Admin > WPO365 > Login / Logout > Dual login V2.
  • Breaking Change Support for the deprecated Sign in with Microsoft shortcode [wpo365-sign-in-with-microsoft-sc] has been removed. Admins should configure the Sign in with Microsoft v2 shortcode instead.
  • Feature Administrators can now choose between SAML 2.0 based single sign-on and OpenID Connect single sign-on (which remains the default option).
  • Feature The BASIC edition of the plugin will automatically create a new user in WordPress (but not synchronize user profile fields such as first and last name). However, this feature can be disabled by admins.
  • Improvement User synchronization now supports WordPress Multisite (WPMU) installations and always synchronizes users to the subsite from which the synchronization was started.
  • Improvement The plugin now remembers the tenant ID of a user and uses that information when – in case of multi tenancy – it needs to retrieve data e.g. a user’s profile image from Microsoft Graph.
  • Fix The plugin no longer relies on the ID token to contain the (Azure AD / Microsoft 365 / distribution list) groups that a user is a member of. Instead the plugin will always try to obtain this information from Microsoft Graph (but only if needed).
  • Fix The plugin no longer replaces stored avatars when it tries to refresh that avatar but it fails e.g. because of insufficient permissions.
