Sign in with Microsoft for WordPress is a single sign-on authentication flow that allows Microsoft Office 365 / Azure AD users to sign into your WordPress website using their corporate work or school account: no username or password required!
OpenID Connect
The WordPress + Azure AD / Microsoft Office 365 plugin implements the OpenID Connect protocol, which is a simple identity layer built on top of the OAuth 2.0 protocol […] It provides information about the end user in the form of an ID token that verifies the identity of the user and provides basic profile information about the user […] continue reading on the Microsoft website.
Sensitive information such as a user’s Azure AD / Microsoft Office 365 password is never shared with the WordPress website. Instead, users that sign in with Microsoft do so in the context of Microsoft’s central authentication portal https://login.microsoftonline.com/. Once Microsoft has established the user’s identity, it provides information about the end user in the form of the aforementioned ID token.
Multifactor Authentication (MFA)
Enterprises that have activated Multifactor Authentication (MFA) or Conditional Access will notice that such policies / restrictions are fully supported by OpenID Connect and thus by the plugin.
The plugin leaves WordPress’ own login capability intact. Therefore WordPress-only users can still sign in when they navigate to the default WordPress login page, e.g. /wp-login.php, whilst Microsoft Office 365 / Azure AD users are authenticated by the plugin when they request a page or post (depending on the selected authentication scenario).
Whenever a user tries to sign into your WordPress website with Microsoft, the plugin receives an ID token. It then tries to find a matching WordPress user by comparing the user name and, if no match is found, the email address. When no matching user can be found, a new WordPress user must be created.
All editions of the plugin automatically create new WordPress users to match (new) users that have successfully signed in with Microsoft. However, the basic WPO365 | LOGIN edition will not synchronize a user’s email address, first name, last name and display name.
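The matching procedure above, as an added example written for this page (it is not the plugin’s own code): the ID token’s claims are checked before they are trusted, then a WordPress user is looked up by user name, then by email address, and created if neither matches. It assumes `$claims` is the decoded ID token payload after its signature has already been verified against Microsoft’s published signing keys, and that the sign-in name arrives in the `preferred_username` (or `upn`) claim; the function name and parameters are hypothetical.

```php
<?php
// Added example, not the plugin's code. $claims: signature-verified ID token payload (assumption).
function wpo365_example_resolve_user( array $claims, string $expected_issuer, string $client_id, string $expected_nonce ) {
    // Reject the token unless it was issued by the expected tenant, for this application,
    // is still valid, and carries the nonce generated when this sign-in was started.
    if ( ( $claims['iss'] ?? '' ) !== $expected_issuer ) {
        return new WP_Error( 'bad_issuer', 'ID token not issued by the expected tenant.' );
    }
    if ( ( $claims['aud'] ?? '' ) !== $client_id ) {
        return new WP_Error( 'bad_audience', 'ID token not intended for this application.' );
    }
    if ( ! isset( $claims['exp'] ) || (int) $claims['exp'] < time() ) {
        return new WP_Error( 'expired', 'ID token has expired.' );
    }
    if ( ( $claims['nonce'] ?? '' ) !== $expected_nonce ) {
        return new WP_Error( 'bad_nonce', 'ID token nonce does not match this login attempt.' );
    }
    // Sign-in name from preferred_username (v2 tokens) or upn (v1 tokens); email is optional.
    $login = sanitize_user( $claims['preferred_username'] ?? ( $claims['upn'] ?? '' ), true );
    $email = sanitize_email( $claims['email'] ?? '' );
    if ( '' === $login ) {
        return new WP_Error( 'no_login', 'ID token carries no usable user name.' );
    }
    // 1. Match on user name.
    $user = get_user_by( 'login', $login );
    // 2. If no match, fall back to the email address carried in the token.
    if ( ! $user && '' !== $email ) {
        $user = get_user_by( 'email', $email );
    }
    // 3. Still no match: create the user. The random password is never shown to anyone,
    //    so the account can only be used through the Microsoft sign-in.
    if ( ! $user ) {
        $user_id = wp_insert_user( array(
            'user_login' => $login,
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 32, true, true ),
            'role'       => get_option( 'default_role' ),
        ) );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $user = get_user_by( 'id', $user_id );
    }
    return $user; // WP_User on success, WP_Error otherwise
}
```

The caller would pass the resolved `WP_User` to `wp_set_current_user()` and `wp_set_auth_cookie()`; a `WP_Error` return means the sign-in must be refused and logged.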
Be sure to check out the Getting started documentation https://docs.wpo365.com/article/22-sso .