Change Log

Latest changes

22nd November 2022 / v20.4

  • Fix The mail authorization may falsely indicate that the plugin is not authorized to send emails using Microsoft Graph due to how the plugin compared permissions. [ALL]

14th November 2022 / v20.3

  • Feature Websites that are using the Mail Integration for Office 365/Outlook are now urged to switch to WPO365 | MICROSOFT GRAPH MAILER or configure the builtin Microsoft Graph mail function of the WPO365 | LOGIN plugin. Consult the online migration guide for further details. [ALL]
  • Improvement Administrators can check an option to Use alternative CDN (on the plugin’s Integration page). If checked, the plugin will download the react-js and react-dom.js packages from the CloudFlare CDN (instead of from the default UNPKG CND). However, administrators can also choose to self-host these dependencies. In this case they can override the CDN configuration using a constant that must defined in wp-config.php. See the online documentation for details. [ALL]
  • Fix The avatar method updated in v20.0 now also overrides the get_avatar hook to avoid conflicts with other plugins such as Ultimate Member. [AVATAR, SYNC, INTRANET]

28th October 2022 / v20.2

  • Improvement Administrators can now define a constant in wp-config.php to override the default CDN used to download the react.js and react-dom.js packages. This constant must be defined immediately after the line /* That’s all, stop editing! Happy publishing. */ as an array as follows URLs may be replaced by administrators as they see fit:
define('WPO_CDN', array('react' => 'https://cdnjs.cloudflare.com/ajax/libs/react/16.14.0/umd/react.production.min.js', 'react_dom' => 'https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.14.0/umd/react-dom.production.min.js'));

21st October 2022 / v20.1

  • Fix The renaming of an option (to allow retrieval of oauth tokens by client side apps) prevented existing configurations to update this value. [ALL]

18th October 2022 / v20.0

  • Feature The (premium version of the) Microsoft Graph Mailer can now send attachments larger than 3 MB. [MAIL, SYNC, INTRANET]
  • Feature The (premium version of the) Microsoft Graph Mailer can now send emails from a Microsoft 365 Shared Mailbox. [MAIL, SYNC, INTRANET]
  • Improvement The LOGIN+ extension now also allows administrators to save multiple configurations (on the plugin’s Import / Export configuration page). [LOGIN+]
  • Improvement Administrators can now define the name of the WordPress user meta for user attributes synchronized from Azure AD to WordPress. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement The Avatar method now replaces the URL of the profile image instead (by filtering the pre_get_avatar_data function instead of the get_avatar function). [AVATAR, SYNC, INTRANET]
  • Improvement Now supports receiving custom claims in a SAML response and save them as WordPress user meta. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement Administrators can now choose to skip updating a user WordPress user’s displayname. [LOGIN+, USER FIELDS, SYNC, INTRANET]
  • Improvement Some parts of the source code have been updated to improve compatibility with PHP 8.1. [ALL]
  • Fix The Audiences feature now also prevents access to posts and pages using a direct-edit link. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix Sign out of Microsoft now also works as expected for Azure AD B2C. [LOGIN+, SYNC, INTRANET]
  • Fix Custom formatting of a WordPress user’s displayname now works as expected for SAML 2.0 based Single Sign-on. [LOGIN+, CUSTOM USER FIELDS SYNC, INTRANET]
  • Fix The shortcode properties of a Micrsoft 365 App are now HTML-decoded to handle the case where WordPress updates shortcode properties when an author edits a page. [ALL]
  • Fix The div that encapsulates a Microsoft 365 App can now be referenced by its unique classname “wpo365-app-root”. [ALL]
  • Fix Some WPO365 options have been removed / renamed to avoid triggering ModSecurity OWASP CRS causing an 418 “I am not a teapot” HTTP errors, for example when hosting a site at DreamHost. [ALL]
  • Fix The plugin now correctly tries again to get a user’s (Azure AD) group memberships with Group.Read.All permissions when the administrator has not (yet) granted permissions to do so using GroupMember.Read.All permissions. [ROLES + ACCESS, SYNC, INTRANET]

14th September 2022 / v19.4

  • Fix Mail authorization for delegated access would fail with the error “Could not retrieve a tenant and application specific JSON Web Key Set and thus the JWT token cannot be verified successfully”. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix Embedded PowerBI reports will now try to refresh the acquired access token when the browser tab is left open. [LOGIN, INTRANET, M365 APPS]
  • Fix Encoding of parameters for embedded SharePoint Online apps (Search and Documents) have been improved. [LOGIN, INTRANET, M365 APPS]
  • Fix The Audiences custom meta box has been updated and produces valid HTML. [ROLES + ACCESS, SYNC, INTRANET]

2nd September 2022 / v19.3

  • Fix The delegated mail authorization feature would – under circumstances – fail to get the mail specific tenant ID and as a result an attempt to refresh the access token may fail. [LOGIN, MICROSOFT GRAPH MAILER]

29th August 2022 / v19.2

  • Fix The Redirect URL field for the mail authorization is no longer greyed out and can be changed by administrators. [LOGIN]

29th August 2022 / v19.1

  • Fix A backward-compatibility issue with Audiences would cause a critical error when editing a post or page. Administrators with any of the following extensions installed must update as soon as possible: ROLES + ACCESS, SYNC, INTRANET. [ROLES + ACCESS, SYNC, INTRANET]

28th August 2022 / v19.0

  • Change Sending WordPress emails using Microsoft Graph can now also be configured with delegated permissions. Administrators are urged to review the documentation and to update their configuration. [LOGIN, MICROSOFT GRAPH MAILER]
  • Feature Audiences – used to target posts and pages to specific Azure AD groups – can now also be used on a post or page using a custom metabox in the sidebar. Consult the updated documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature Azure Active Directory secrets can now be stored in the website’s WP-Config.php and removed from the database. [MAIL]
  • Improvement A number of plugin self-tests have been improved to help administrators find loopholes in the configuration e.g. of User synchronization and the integration of various SharePoint Online services. [LOGIN]
  • Fix The plugin no longer “hijacks” a state parameter when sent in the header of any request. This prevented – amongst other things – enabling / disabling of WordPress auto-updates. [LOGIN]
  • Fix The Employee Directory app now shows profile information when users are searched for using SharePoint. [M365 APPS, INTRANET]
  • Fix Version bump for all WPO365 plugins.

22th July 2022 / v18.2

  • Fix Recent changes to the built-in notification service could cause a fatal error for older PHP versions that has now been fixed. [LOGIN]

18th July 2022 / v18.1

  • Fix If the plugin is configured to send WordPress emails using Microsoft Graph then it will now always replace the From email address if WordPress tries to sent emails from wordpress@[sitename]. WordPress will propose this email address is no email is set by the plugin sending the email (for example Contact Form 7). This email may pass checks as a valid email address but in reality this email address most likely does not exist. The option to fix the “localhost” issue has been removed since this fix improves the behavior for all hosts (incl. localhost). [LOGIN]
  • Improvement Various wp-admin banners as well as some translations have been updated. Also a teaching bubble is shown on the Single Sign-on page to help admins quickly find the WPO365 documentation center at https://docs.wpo365.com/. [LOGIN]

4th July 2022 / v18.0

  • Change Administrators who selected OpenID Connect based single sign-on, can now choose between the Hybrid Flow and the Authorization Code Flow. New installations will automatically be configured using Authorization Code Flow. Read more [LOGIN]
  • Change Support for Azure AD B2C custom policies (sign-up, sign-in and password reset) is no longer a premium feature. [LOGIN]
  • Change All features of WPO365 | CUSTOM USER FIELDS extension are from now on supported by the WPO365 | LOGIN+ extension. See our website for details and pricing. [CUSTOM USER FIELDS, LOGIN+]
  • Change A new WPO365 Features Dashboard has been added that allows administrators to toggle features such as e.g. SSO, MAIL and SYNC on or off. [LOGIN]
  • Feature Admins can now choose to hide the WordPress Admin Bar for specific roles. [LOGIN]
  • Feature Requesting access tokens from Azure AD can now be further secured using a Proof Key for Code Exchange (PKCE). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with Azure AD generated oauth access tokens (PREMIUM). [LOGIN+, SYNC, INTRANET]
  • Feature Protect and secure your WordPress REST API with WordPress REST cookies. [LOGIN]
  • Improvement Azure AD B2C custom claims sent in the ID token can now be mapped to custom WordPress user meta fields. [LOGIN+, SYNC, INTRANET]
  • Improvement When specified in – for example – an email form the “From” address will be used to send the email from (instead of the configured “From” address and if the address specified in the form appears to be valid). This behavior is a premium feature and not enabled by default. [MAIL, SYNC, INTRANET]
  • Improvement Admins can now set a different Azure AD tenant for sending WordPress emails using Microsoft Graph when the plugin is configured for Azure AD B2C based single sign-on. [ALL]
  • Improvement Admins can now update the priority for the get_avatar hook on the plugin’s User sync page (default 1). [AVATAR, SYNC, INTRANET]
  • Improvement The plugin is now able to work with the more appropriate GroupMember.Read.All permissions instead of Group.Read.All and admins who configured role based access restriction are advised to update the API permissions for the registered application in Azure AD. [ROLES+ACCESS, SYNC, INTRANET]
  • Fix The logic to detect the blog ID in a WordPress Multisite (WPMU) will always test with a trailing slash. [LOGIN]
  • Fix A (custom) login message – for example created with LoginPress – will now show as expected. [ALL]
  • Fix Non-dynamic roles in an identities configuration used to enable RLS when embedding Power BI content no longer causes a fatal error. [M365 APPS, INTRANET]
  • Fix It is now possible to save empty custom user profile fields when manually updating a user’s profile. [CUSTOM USER FIELDS, SYNC, INTRANET]

Click here for older entries.