Feature description
Sign in with Microsoft for WordPress is a single sign-on authentication flow that allows Microsoft Office 365 / Azure AD users to sign into your WordPress website using their corporate work or school account: no username or password required!
OpenID Connect
The WordPress + Azure AD / Microsoft Office 365 plugin implements the OpenID Connect protocol, which is an identity layer built on top of the OAuth 2.0 protocol […] It provides information about the end user in the form of an ID token that verifies the identity of the user and provides basic profile information about the user […] continue reading on the Microsoft website.
SAML 2.0
Alternatively, instead of OpenID Connect, administrators can opt to implement the SAML 2.0 based Single Sign-On experience.
Read this article https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization to understand the differences between OpenID Connect and SAML 2.0.
Security
Sensitive information such as a user’s Azure AD / Microsoft Office 365 password is never shared with the WordPress website. Instead, users that sign in with Microsoft do so in the context of Microsoft’s central authentication portal https://login.microsoftonline.com/. Once Microsoft has established the user’s identity, it provides information about the end user in the form of the aforementioned ID token.
In the case of SAML 2.0 the authentication response does not come in the form of an ID token but instead in the form of a SAML response message. This message has been encrypted using a private certificate, which provides an increased level of security.
Multifactor Authentication (MFA)
Enterprises that have activated Multifactor Authentication (MFA) or Conditional Access will notice that such policies / restrictions are fully supported by OpenID Connect and thus by the plugin.
WordPress login
The plugin leaves WordPress’ own login capability intact. Therefore WordPress-only users can still sign in when they navigate to the default WordPress login page, e.g. /wp-login.php, whilst Microsoft Office 365 / Azure AD users are authenticated by the plugin when they request a page or post (depending on the selected authentication scenario).
The LOGIN+ extension, however, allows an administrator to optionally enable Single Sign-On for the (default / custom) WordPress login page.
New user registration
Whenever a user tries to sign into your WordPress website with Microsoft, the plugin receives an ID token. It then tries to find a matching WordPress user by comparing the user name (and, if no match is found, the email address). When no matching user can be found, a new WordPress user must be created.
All editions of the plugin automatically create new WordPress users to match (new) users that have successfully signed in with Microsoft. However, the basic WPO365 | LOGIN edition will not synchronize a user’s email address, first, last and display name.
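The matching flow described above, as an added example written for this page (not the plugin's own code). It assumes the ID token has already been validated (signature, issuer, audience, expiry) and decoded into a $claims array, that the user principal name is stored as the WordPress login, and that the hypothetical $sync_profile flag stands in for the edition-dependent name/email synchronization.

```php
<?php
/**
 * Added example, not WPO365 code: find the WordPress user for a verified
 * Azure AD ID token, or create one. Never call this with claims taken
 * from a token whose signature and issuer have not been checked.
 *
 * @param array $claims        Claims of an already-verified ID token.
 * @param bool  $sync_profile  false mimics the basic edition (no name/email sync).
 * @return WP_User|WP_Error
 */
function wpo365_example_match_or_create_user( array $claims, $sync_profile = false ) {
    // Azure AD carries the user principal name in 'preferred_username'
    // (v2.0 tokens) or 'upn' (v1.0 tokens); the 'email' claim is optional.
    $upn   = isset( $claims['preferred_username'] ) ? $claims['preferred_username']
           : ( isset( $claims['upn'] ) ? $claims['upn'] : '' );
    $email = isset( $claims['email'] ) ? $claims['email'] : '';

    if ( '' === $upn ) {
        return new WP_Error( 'wpo365_no_upn', 'ID token carries no user principal name.' );
    }
    $login = sanitize_user( $upn, true ); // strict: keeps letters, digits, . - _ @

    // Step 1: match on the WordPress user name.
    $user = get_user_by( 'login', $login );

    // Step 2: no match, fall back to the email address from the token.
    if ( ! $user && '' !== $email ) {
        $user = get_user_by( 'email', $email );
    }

    // Step 3: still no match, create the user. The password is random and
    // never handed to anyone; the account is used through SSO only.
    if ( ! $user ) {
        $userdata = array(
            'user_login' => $login,
            'user_email' => '' !== $email ? $email : $upn,
            'user_pass'  => wp_generate_password( 32, true, true ),
            'role'       => get_option( 'default_role' ),
        );
        if ( $sync_profile ) { // premium behaviour: copy profile claims
            $userdata['first_name']   = isset( $claims['given_name'] ) ? $claims['given_name'] : '';
            $userdata['last_name']    = isset( $claims['family_name'] ) ? $claims['family_name'] : '';
            $userdata['display_name'] = isset( $claims['name'] ) ? $claims['name'] : $login;
        }
        $user_id = wp_insert_user( $userdata );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $user = get_user_by( 'id', $user_id );
    }
    return $user;
}
```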
Be sure to check out the Getting started documentation at https://docs.wpo365.com/article/22-sso.