Change Log

Important notice

v15.4 fixes a security related issue and it’s strongly recommended that all installations are updated immediately.

Latest changes

3rd December 2021 / v16.1

  • Fix Audiences no longer generates a warning for users that not signed in with Microsoft. [ROLES + ACCESS, PREMIUM, INTRANET]

30th November 2021 / v16.0

  • Feature Audiences Create virtual groups of users and restrict access to WordPress posts and pages to members of these groups. An Audience is a group of users that is dynamically populated based on rules (or better: one or more of Azure AD group ID’s) that define who is a member of that Audience. See the online documentation for details. [ROLES + ACCESS, PREMIUM, INTRANET]
  • Feature Secured by Azure Active Directory Two new authentication scenarios have been added that require visitors to sign in with Azure AD / Microsoft without attempting to sign them in as WordPress users. See the updated online documentation for details. [LOGIN+, PREMIUM, INTRANET]
  • Change Your users can now benefit from true Single Sign-on support for Microsoft Teams Tabs and Apps that embed a WordPress website (without additional popups if the user is from the own organization). See the updated online documentation for instructions how to update the App registration in Azure AD. [ALL]
  • Change The loading bars (when redirecting to Microsoft) have been replaced with a circular spinner. Administrators can choose to re-activate the old loading bars when they navigate to WP Admin > WPO365 > … > Miscellaneous. [ALL]
  • Improvement Administrators can now choose to use WP-Config(.php) for AAD secrets when they navigate to WP Admin > WPO365 > Single Sign-on, click to show the advanced configuration options and check the corresponding option. See online documentation for details.[LOGIN+, PREMIUM, INTRANET]
  • Improvement Administrators can now define the length of WordPress passwords created by the plugin when they go to WP Admin > WPO365 > … > Miscellaneous. See online documentation for details. [ALL]
  • Fix When switching between configurations the plugin now resets the settings before switching, preventing newer settings to be added automatically to an older configuration. [PREMIUM, INTRANET]
  • Fix The page on which a Documents apps(s) has been embedded will no longer jump to the top of the app. [ALL]
  • Fix Uncaught error: Class DateTime not found [ALL].
  • Fix The plugin will now recognize correctly – when WordPress Multisite has been enabled – the subsite’s ID when the Azure AD Redirect URI points to WP-Admin. [ALL]
  • Fix The plugin will now delete an itthinx Groups assignment for a user if that user has been removed from the mapped Azure AD group. [GROUPS, INTRANET]
  • Fix Anonymous users no longer are asked to sign in when they attempt to download a document from SharePoint. [DOCUMENTS, INTRANET]
  • Fix Version bump for all plugins, extensions and bundles. [ALL].

29th September 2021 / v15.4

  • Fix This version patches two XSS (cross-site) security flaws (thanks to  Gary O’Leary-Steele from AppCheck and Sailesh Parmar) [ALL].
  • Fix Password reset is no longer blocked for users that are administrators for the WordPress site [ALL].
  • Improvement If the user clicks the Sign in with Microsoft button on the (default) login form in Teams the user will now be redirected to the home page (or to the page the user intended to navigate to) [ALL].

27th September 2021 / v15.3

  • Fix Overall stability of user synchronization when starting, re-starting and stopping manually [SYNC, INTRANET].

23nd September 2021 / v15.2

  • Change Administrators can now choose to grant application type permissions to the existing App registration and creating a 2nd App registration is (still supported but) no longer necessary or recommended [ALL].
  • Fix The domain hint variable was undefined for one of the plugin’s self-tests [ALL].
  • Fix The avatar self-test will no longer fail if the request is successful but no image was found [AVATAR, SYNC, INTRANET].

22nd September 2021 / v15.1

  • Improvement Administrators can now configure a reply-to address when sending WordPress mail using Microsoft Graph [MAIL, SYNC, INTRANET].
  • Fix A cross-site scripting issue with the redirect JavaScript has been resolved [ALL].
  • Fix The User synchronization processor will now skip Azure AD (directory) objects that are not users (e.g. but groups instead) [SYNC, INTRANET].
  • Fix The plugin will now determine correctly whether or not a request is for the WordPress REST API or not [ALL].
  • Fix Instant help pages will now only be loaded on-demand [ALL].

9th September 2021 / v15.0

  • Feature User synchronization V2 (see this article for details) [SYNC, INTRANET].
  • Change Emails sent will respect the Content-Type header and if no header is defined emails will be sent as text by default (only applies to emails sent using Microsoft Graph) [ALL].
  • Improvement Administrators can now configure the plugin to update attributes of users that are administrators (incl. dynamically assigned roles, see this article for details) [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement When the author of a post is deleted through Azure AD User provisioning (SCIM) that post can now be re-assigned to another WordPress user [SCIM, INTRANET].
  • Improvement When a user’s manager is already provisioned to WordPress through Azure AD User provisioning (SCIM) the manager’s details will be collected if a custom field mapping for the ‘manager’ field has been configured [SCIM, INTRANET].
  • Improvement An administrators of a WordPress Multisite can now configure Azure AD group based mappings to dynamically assign the Super Administrator role (see this article for details) [ROLES + ACCESS, SYNC, INTRANET].
  • Improvement An administrator can now configure an external URL as custom error page where a user will be sent when authentication fails [LOGIN+, SYNC, INTRANET].
  • Improvement Support for Report control filters when embedding Power BI reports in WordPress [M365 APPS, INTRANET]
  • Improvement A new configuration will prevent the Content by Search app to scroll the page to the top of the search results [M365 APPS, INTRANET].
  • Improvement Additional translations for the Employee Directory app [ALL].
  • Improvement An administrator can configure the plugin so that a deactivated user can be re-activated when he / she successfully signs in with Microsoft (see this article for details) [SCIM, PREMIUM, INTRANET].
  • Improvement The Plugin self-test results can now be downloaded as a JSON file [ALL].
  • Improvement Additional tests have been added to the Plugin self-test to improve the configuration of user synchonization [SYNC, INTRANET].
  • Improvement Some issues identified by the Plugin self-test can now be fixed by a simple button click [ALL].
  • Improvement The Plugin’s Debug Log can now be downloaded as a JSON file [ALL].
  • Improvement More custom hooks were added for when a user is created, authenticated and added to a blog (see this article for details) [ALL].
  • Fix A de-activated users can now be re-activated when that user is added again by Azure AD User provisioning SCIM [SCIM, INTRANET].
  • Fix When a user is de-activated by Azure AD User provisioning (SCIM) all roles will be removed [SCIM, INTRANET].
  • Fix A deactivated user can no longer sign in with WordPress credentials [SCIM, SYNC, INTRANET].
  • Fix Administrators can fix an issue when sending emails using Microsoft Graph from localhost by checking the corresponding option on the plugin’s Mail configuration page [ALL].

12th July 2021 / v14.1

  • Fix Added URL decoding for base64 encoded ID tokens that contain special characters [ALL].
  • Fix The plugin will no longer try to get tenant specific JSON Web Key sets when verifying the ID token’s signature if support for multi-tenancy is enabled but instead download the common keys from [ALL].

5th July 2021 / v14.0

  • Feature Full support for Azure AD B2C incl. the configuration of a custom domain and an Azure AD B2C policy to redirect users to corresponding custom Azure AD B2C endpoints to login and obtain ID and access tokens [LOGIN+, SYNC, INTRANET].
  • Change Now the plugin uses the phpseclib (see to verify the signature of the ID token received from Microsoft. The previously used Firebase/JWT library is still included for fallback purposes and administrators can navigate to WP Admin > WPO365 > … > Miscellaneous to enable the use of the older ID token parser in case of any issues.
  • Fix All WP AJAX endpoints have been renamed and include a namespace to avoid conflicts with other plugins after some users reported that they were not able to save the configuration [ALL].
  • Fix Improved HTML encoding for the Employee Directory app’s query expression [ALL].
  • Fix When retrieving data from Microsoft Graph the plugin will now (in most cases) try to do so by a user’s Object ID and only use the user principal name (UPN) for fallback [ALL].
  • Fix When the Documents Gutenberg Block tests its configuration it now does so independent of the configured Microsoft Graph Version (recommended version – however – remains Beta) [ALL].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

24th May 2021 / v13.0

  • Feature A brand new Gutenberg Block to display a SharePoint or OneDrive Document Library (or recently used documents) with an advanced column / field configuration editor and the exciting new option to grant anonymous users (that didn’t sign in with Microsoft) access to those files (see online documentation for details) [LOGIN, (premium features: DOCUMENTS, INTRANET)].
  • Feature A new RESTful API that transparently gives developers access to selected Microsoft Graph API endpoints so they can build client-side Microsoft 365 integrated apps for WordPress in their favorite programming language and without the hassle and complexity of implementing authentication and authorization because the WPO365 | LOGIN plugin takes care of all that (see online documentation for details) [LOGIN].
  • Improvement The Contacts (Employee Directory) App now “remembers” its search results when an employee is selected from the result list [APPS, INTRANET].
  • Improvement The (premium version) Content by Search App now checks if the default search parameter “s” is present in the current page’s URL when the auto-search option has been enabled, allowing for a deep integration of the app on a WordPress search result page [APPS, INTRANET].
  • Improvement The plugin now detects a Microsoft Graph $count query and automatically adds the ConsistencyLevel = True header and thus allowing for advanced queries with $filter that use endsWith and $search. For example you can write a User sync query that includes all users from a specific organization now as follows: myorganization/users?$count=true&$filter=endsWith(userPrincipalName,$top=10 [LOGIN].
  • Fix When a user attribute in Azure AD has been deleted the plugin will delete the corresponding custom user field in WordPress [CUSTOM USER FIELDS, SYNC, INTRANET].
  • Fix The Content by Search App no longer will fail if it’s fetched data before the page has finished loading [APPS, INTRANET].
  • Fix When sending an email from WordPress using Microsoft Graph fails, only the error (instead of the message as a whole) will be logged [LOGIN].
  • Fix The plugin’s configuration pages (wizard) is now loaded using WordPress’ own script enqueueing mechanism [LOGIN].
  • Fix Version bump for all plugins, extensions and bundles [ALL].

16th April 2021 / ALL / v12.14

  • Fix The Plugin self-test would encounter an error when the administrator configured SAML 2.0 [ALL].
  • Fix When using the SAML 2.0 the plugin will now also read the user’s AAD object ID (which is needed for integration scenarios such as retrieval of a user’s profile, Azure AD group memberships etc.) [ALL].

7th April 2021 / ALL / v12.12

  • Feature Administrators can save multiple WPO365 configurations and select one of the saved configurations as the current one [SYNC, INTRANET]
  • Feature Administrators can edit and save / import and export a configuration‘s JSON representation [SYNC, INTRANET].
  • Improvement The Plugin self-test has been greatly improved and now tests various scenarios in an attempt to provide better support and guidance when configuring the plugin [ALL].
  • Fix The option to de-activate instead of delete users when synchronizing was working in the opposite way and this has been corrected [SYNC, INTRANET].
  • Fix An administrator can now update passwords for users that sign in with Microsoft even if he / she configured the plugin to block password updates [ALL].
  • Fix When determining whether a user has properties that match with (one of the) the tenant’s domain(s) the plugin now tries to do so in a case-insensitive way [ALL].
  • Fix When scheduling daily user synchronization the first event will be scheduled for this week and no longer jump the first week [SYNC].

12th March 2021 / LOGIN, APPS, AVATAR, SYNC, INTRANET / v12.11

  • Improvement Tested up to 5.7.
  • Fix The plugin will now save a user’s Azure AD object ID and use it when retrieving a user’s profile image, which otherwise fails for guest users when using the Azure AD user principal name [LOGIN, AVATAR, SYNC, INTRANET].
  • Fix The Microsoft 365 Documents App ability to restrict content to a specific folder (and its sub folders) stopped working and the error causing it has been fixed [APPS, INTRANET].

7th March 2021 / LOGIN / v12.10

  • Fix The Microsoft Teams integration now will honor the login hint (if you add ?login_hint={loginHint} to your WordPress URL that for your Tab or App) [ALL].
  • Fix The plugin now tries to recognize SSL and will update the WordPress (Site) Address (URL) whenever it retrieves the WordPress home option from WordPress [ALL].

25th February 2021 / LOGIN | AVATAR | LOGIN+ | SYNC | INTRANET / v12.9

  • Improvement Administrators who configured SAML 2.0 based Single Sign-On can now request that users re-authenticate by including a forceAuthn=true flag in the SAML request [LOGIN+, SYNC, INTRANET].
  • Fix The error reason for failed SAML sign-in requests is now included in the error message [ALL].
  • Fix The full email message (JSON) is now logged in case of an error when sending WordPress emails using Microsoft Graph [ALL].
  • Fix The plugin no longer tries to create a folder for downloaded Microsoft 365 profile images when it already exists [AVATAR, SYNC, INTRANET].

7th February 2021 / WPO365 | LOGIN / v12.8

4th February 2021 / WPO365 | LOGIN / v12.7

  • Fix The plugin no longer requires an authorization code / refresh code to retrieve an access token when configuring a Power BI embed for your customers (also known as Application owns data) [LOGIN, M365 APPS, INTRANET].

1st February 2021 / WPO365 | LOGIN / v12.6

  • Fix Earlier saving of the user information retrieved from the ID token / SAML response resolves an issue for multi-tenanted apps to request an access token from another tenant than the home tenant [WPO365 | LOGIN].

25th January 2021 / WPO365 | ALL extensions and bundles / v12.5

  • Feature Administrators can now enable Single Sign-On for the (default / custom) login page (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Feature [preview] Administrators can now enable Single Sign-On for pages / posts that have limited (private) visibility (see online documentation for details) [ROLES + ACCESS, LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now navigate to WP Admin > WPO365 > … > Translations and update the caption for the Sign in with Microsoft button as well as several other error message.
  • Improvement Administrators of WordPress Multisite networks can now prevent the plugin from adding users to a subsite (see online documentation for details) [LOGIN+, SYNC, INTRANET].
  • Improvement Administrators can now disable the WPO365 session expiration when they navigate to WP Admin > WPO365 > Single Sign-On and reconfigure the Session Duration option and set it to 0 (see online documentation for details) [LOGIN].
  • Improvement The WPO365 configuration pages have been optimized and streamlined with the new recently added extensions [LOGIN].

14th January 2021 / WPO365 | ALL extensions and bundles / v12.4

  • Fix Administrators can now choose a default avatar when they navigate to WP Admin > Settings > Discussion and scroll to the Default Avatar section [AVATAR, SYNC, INTRANET].
  • Fix User synchronization now will recognize Azure AD Guests by their UPN instead of their preferred user name and thus no longer ignore Azure AD Guests when processing batches of users retrieved from Microsoft Graph [SYNC, INTRANET].
  • Fix The /me context will only be used if the plugin believes it can acquire an access token on behalf of that user [ALL extensions / bundles].

4th January 2021 / wp365-login[LOGIN, SYNC, INTRANET] / v12.3

  • Fix Active extension (SYNC and / or INTRANET) was not correctly detected, causing (manual) user synchronization not to reload as expected but instead showing a white screen.

2nd January 2021 / wp365-login[LOGIN] / v12.2

  • Fix License management page for WordPress Multisite now showing as expected (network admin only).

31th December 2020 / wp365-login[LOGIN] / v12.1

  • Fix Item ID search algorithm not finding item to activate the license for and failing without a notification showing.

30th December 2020 / wp365-login[ALL] / v12.0

  • (Breaking) Change Licenses are now administered on a separate configuration page. The new License (administration) page can be accessed via WP Admin > WPO365 > Licenses. Existing licenses must be re-entered for the automatic update function to work as expected.
  • Change Introduction of new Extensions for MAIL, AVATAR, CUSTOM USER FIELDS, GROUPS, APPS, ROLES + ACCESS and SCIM.
  • Improvement In an attempt to unclutter the WordPress Admin Dashboard, the plugin will no longer show the last (three) error(s). Instead a notification that errors have been encountered will be shown with a link to the main WPO365 configuration page where the full error message(s) are shown.

18th December 2020 / wp365-login[LOGIN] / v11.20

  • Improvement Users who have configured SAML 2.0 can create a custom button to include a domain hint that translates to an additional whr parameter. See the updated documentation for recommended configuration.
  • Improvement The request for a plugin-review now only shows on the WPO365 configuration pages and can be turned off permanently.
  • Fix Avatar filter priority lowered to 99999 to have precedence over other plugins e.g. Ultimate Member.

14th December 2020 / wp365-login[LOGIN, SYNC, INTRANET] / v11.19

  • Fix User synchronization no longer deactivates / deletes users that cannot be linked to an existing Microsoft 365 / Azure AD account (administrators must make sure the update the Custom domains list on the plugin’s User registration page).
  • Fix (Array to string conversion) Error when ever an email could not be sent successfully through Microsoft Graph.

25th November 2020 / wp365-login[ALL] / v11.18

  • (Breaking) Change Improved support for WordPress Multisite with mapped domains and subsite specific WPO365 configuration. See updated online documentation for recommended configuration scenarios of WordPress Multisite installations.
  • Feature Administrators (of the LOGIN+, SYNC and INTRANET extensions) can navigate to WP Admin > WPO365 > User registration and configure the plugin to create shorter WordPress names e.g. john.doe instead of See online documentation for details.
  • Improvement: Prevention of users getting stuck in infinite loops through smart detection. See updated online documentation for additional considerations.
  • Improvement: Administrators can now navigate to WP Admin > WPO365 > … > Miscellaneous and delete the current WPO365 configuration.
  • Improvement: When administrators (of the LOGIN+, SYNC and INTRANET extensions) have configured the Post sign-out URL option, the plugin will now also redirect users that did not sign in with Microsoft.

11th November 2020 / wp365-login[WPO365 | LOGIN] / v11.17

  • Fix When using the optimized internet authentication mode (preventing the plugin from interfering with requests for pages and posts) the Sign in with Microsoft button now redirects the user correctly to the WordPress Administration instead of to the homepage.

10th November 2020 / wp365-login[WPO365 | LOGIN] / v11.16

  • Fix After a recent change the global constant WPO_AUTH_SCENARIO had been erroneously rename to WPO_AUTH_MODE.

10th November 2020 / wp365-login[ALL] / v11.15

  • (Breaking) change The out-of-the-Box algorithm for trying to find a WordPress user for the user currently signing in with Microsoft has changed. The rule to match a user by his / her Login Name (= Azure AD preferred login name without domain suffix) has been removed. Administrators can still add this option back. See the online documentation).
  • Improvement Administrators (of the SYNC and INTRANET extensions) can now specify nested user profile properties when synchronizing WordPress user profiles with Microsoft Graph e.g. businessPhones.0 (to retrieve the first business phone of an array of possible entries) or onPremisesExtensionAttributes.extensionAttribute1 (to retrieve a custom attribute synced from Active Directory).
  • Improvement Administrators (of the LOGIN+, SYNC and INTRANET extensions) can now choose to show (new) users the option to sign up and create a new account in Azure AD B2B when the sign in with Microsoft. See the online documentation for additional considerations and prerequisites.
  • Fix When the plugin fails to create a new user during scheduled user synchronization, the schedule will continue to run and finish as expected.
  • Fix The double ‘/’ when loading the (pintra-)redirect.js file has been removed.

27th October 2020 / wp365-login[WPO365 | LOGIN] / v11.14

  • Improvment Administrators that have configured SAML 2.0 and have received error reports such as “Authentication method ‘WindowsIntegrated’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport'” can now try to configure advanced settings. See the online documentation for details.
  • Fix The option to Skip the NONCE verification – on the plugin’s Miscellaneous configuration page – has been restored.
  • Fix Due to the NONCE verification causing many false-positives, it now generates a warning instead of an error and will no longer prevent users from being able to log in. Administrators are advised to regularly check their debug logs (or configure logging to Application Insights).

21st October 2020 / wp365-login[WPO365 | LOGIN] / v11.13

  • Fix The plugin will now use WordPress nonces instead.
  • Fix For WordPress Multisite installations the plugin will now try to delete the top level auth cookies to prevent an infinite loop.
  • Fix When the license activation receives a 403 Forbidden it will transparently show this to customers who try to activate their license.

14th October 2020 / wp365-login[ALL VERSIONS] / v11.12

  • Fix Now the plugin – when requesting data from Microsoft Graph’s /me endpoint – will enforce using delegated (instead of application) permissions.
  • Fix When activation of a license of a premium extension fails the plugin will now log the raw response as an error.

13th October 2020 / wp365-login[WPO365 | LOGIN, WPO365 | INTRANET] / v11.11

  • Fix The (WPO365 | INTRANET edition’s version of the) Employee Directory app now allows for configuring a separate initial query when auto-search has been enabled.
  • Fix Functionality to activate the license of the WPO365 | PROFILE+ extension has been restored after it was broken after an earlier change.

12th October 2020 / wp365-login[WPO365 | LOGIN] / v11.10

  • Fix The user look-up algorithm did not search for preferred_username and as a result would not find users with no UPN and email address in their ID token. However, when it then tried to create a new user, an error was thrown in case that user already existed.
  • Fix If the SAML 2.0 response is deemed not valid the plugin will now log the reason as a warning in the debug log.

8th October 2020 / wp365-login[ALL VERSIONS] / v11.9

  • Improvement Administrators of all premium extensions can now choose to disable the default WordPress behavior of sending an email to a user when his / her email has changed. See the online documentation for details.
  • Improvement The plugin will not intercept requests if initiated from WP CLI.
  • Fix Functionality to activate the license of a premium extension has been restored after it was broken after an earlier change.
  • Fix Functionality to retrieve (partial) templates has been restored after it was broken after an earlier change.
  • Fix Arguments now passed to the developer hooks (as documented here) updated.

4th October 2020 / wp365-login[ALL VERSIONS] / v11.8

  • Feature An Administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now upload a custom HTML template and replace the default loading bars. See the online documentation for details.
  • Improvement An administrator can now configure the plugin to tell Microsoft to show the Select Account prompt, when it redirects a user to sign in with Microsoft. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | INTRANET extension) can now configure the full Microsoft Graph query for the Employee Directory / Contacts app when searching for employees and colleagues. This allows for more advanced queries for example using $count, $filter, $search. This improvement now also allows to search in (transitive) members of a group. See the online documentation for details.
  • Improvement An administrator (of the WPO365 | SYNC and WPO365 | INTRANET extension) that configured the synchronization of Microsoft 365 profile images (to replace the user’s default WordPress Avatar) now has an extra option to instruct the plugin only to refresh an expired profile image of the logged-in user. The plugin will, however, bypass this restriction whenever the administrator synchronizes users on-demand, users are synchronized based on a schedule or a user is being updated through Azure AD’s User provisioning (SCIM). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the order in which the plugin tries to find a matching WordPress user for the user that signs in with Microsoft (choices are upn, preferred_username, email and login). See the online documentation for details.
  • Improvement An administrator (of the WPO365 | LOGIN+, WPO365 | SYNC and WPO365 | INTRANET extension) can now configure the plugin to bypass updating a WordPress user role. This is especially useful for WordPress installations where the users are created manually or WordPress roles are not managed by a WPO365 plugin extension.
  • Improvement An administrator of the WPO365 | LOGIN (free) edition can now choose to disable the automatic registration of new users.
  • Fix Customers reported seeing the ID token not found in posted data error which may be a result of the plugin’s test mode not being disabled. The plugin will now immediately toggle the test mode and only start the Plugin self-test when an ID token is found (in case SAML 2.0 is not configured).
  • Fix The Documents (Microsoft 365) App now support library titles with special characters.
  • Fix The plugin now checks for existing (WordPress) roles when analyzing whether it should add the default role as fallback or not.

26th September 2020 / wp365-login[ALL VERSIONS] / v11.7

  • Feature The plugin can now be configured to send WordPress emails using Microsoft Graph as an attractive alternative to sending mail via SMTP.
  • Change Support for symmetric algorithms to decrypt the JWT tokens have been removed.
  • Change The user-look-up algorithm first tries to look up a WordPress user by its user principal name (UPN) when that user is not an external user / guest user before it retries using the preferred login name, the user’s email address and last the user’s account name.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.6

  • Fix The automatic update functionality for WPO365 extensions is now better embedded in the overall WordPress update experience.

21st September 2020 / wp365-login[ALL VERSIONS] / v11.5

18th September 2020 / wp365-login[ALL VERSIONS] / v11.4

  • Fix Activation of (premium) licenses is now working as expected.
  • Fix Auto-update of (premium) extensions is now working as expected.

17th September 2020 / wp365-login[ALL VERSIONS] / v11.3

  • Improvement The nonce generator and validator have been updated in an effort to reduce the risk of nonce not being found.
  • Improvement The plugin won’t generate errors anymore when it cannot connect to Microsoft Graph to retrieve the current user’s profile in an attempt to improve the data quality when the administrator has not configured the integration portion of the plugin.
  • Fix For reasons of backward compatibility, the plugin now only tries and retrieve all groups that a user is a member of if the ID token doesn’t contain this information
  • Fix The plugin now generates a warning instead of an error when it cannot retrieve a user’s manager.

16th September 2020 / wp365-login[WPO365 | SYNC and WPO365 | INTRANET] / v11.2

  • Fix Added missing class method to parse manager details.

15th September 2020 / wp365-login[ALL VERSIONS] / v11.1

  • Fix Domain whitelist now looks both at the email and the login domain.
  • Fix The plugin now checks if the administrator has configured an application secret.
  • Fix The plugin now only tries to save a refresh token if one is present.
  • Fix The wizard now ensures that the INTRANET apps are loaded from the correct source folder.

13th September 2020 / wp365-login[ALL VERSIONS] / v11.0

  • Breaking Change The source code of the plugin has been completely restructured. Developers that extended the plugin with own functionality must carefully review the changes.
  • Breaking Change All premium editions of the plugin now require the latest BASIC edition of the plugin to be installed and activated. An notification will be shown to admins upon upgrade to update, install and / or activate it.
  • Breaking Change Support for legacy Azure AD App registrations has been removed. The plugin will now always try and connect to Azure AD v2 endpoints for authorization and optionally to obtain tokens.
  • Breaking Change Support for Avatars stored as WordPress user meta (in the WordPress database) has been removed. Avatars downloaded from Microsoft 365 / Azure AD will now always be stored in the /wp-content folder.
  • Breaking Change Support for the deprecated Dual Login feature is removed. Admins can instead toggle WP Admin > WPO365 > Login / Logout > Dual login V2.
  • Breaking Change Support for the deprecated Sign in with Microsoft shortcode [wpo365-sign-in-with-microsoft-sc] has been removed. Admins should configure the Sign in with Microsoft v2 shortcode instead.
  • Feature Administrators can now choose between SAML 2.0 based single sign-on and OpenID Connect single sign-on (which remains the default option).
  • Feature The BASIC edition of the plugin will automatically create a new user in WordPress (but not synchronize user profile fields such as first and last name). However, this feature can be disabled by admins.
  • Improvement User synchronization now supports WordPress Multisite (WPMU) installations and always synchronizes users to the subsite from which the synchronization was started.
  • Improvement The plugin now remembers the tenant ID of a user and uses that information when – in case of multi tenancy – it needs to retrieve data e.g. a user’s profile image from Microsoft Graph.
  • Fix The plugin no longer relies on the ID token to contain the (Azure AD / Microsoft 365 / distribution list) groups that a user is member of. Instead the plugin will always try to obtain this information from Microsoft Graph (but only if needed).
  • Fix The plugin no longer replaces stored avatars when it tries to refresh that avatar but it fails e.g. because of insufficient permissions.

Click here for older entries.