2. Before you start
• You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or
have at least the ability to register new applications).
• You are an Administrator for your WordPress website.
• Your WordPress Administrator login name does not equal your Office 365 (Azure AD) login name
or email address*.
• Your WordPress Administrator email address does equal your Office 365 (Exchange) email
address.
• Your WordPress website uses SSL and the website address starts with https.
* When your WordPress login name does not equal your Office 365 (Azure AD) login name or email you can still log into your
WordPress website when you navigate to https://www.example.com/wp-login.php. However, because your email address
does match with a valid Office 365 email address, the plugin can also sign you in with Microsoft.
WordPress + Office 365 | wpo365-login | Quick Installation Guide January 2020
3. Plugin installation
• Navigate to your website’s WP Admin > Plugins > Add new.
• Search the WordPress Plugins Directory for WPO365.
• Click Install ‘WordPress + Office 365 login’.
• Click Activate.
• Click WPO365 or Configuration to launch the plugin’s configuration wizard.
• Open the Single Sign-on tab.
• In a second browser tab open https://portal.azure.com.
4. Portal Azure – App registration
• On https://portal.azure.com click the ‘hamburger’ to show the menu.
• Navigate to Azure Active Directory > App registrations.
• Click + New registration.
• Enter any name that helps you remember what application you are currently registering e.g.
WordPress Intranet | Production.
• Choose the ‘Supported account types’ e.g. Accounts in this organizational directory only.
Organizational directory only basically prevents users from other Office 365 accounts from signing in to your WordPress website
using this registration. To allow this see https://www.wpo365.com/wordpress-extranet/.
• Choose the ‘Platform configuration’ Client Application (Web, iOS, Desktop+Devices).
• Click Register.
5. Portal Azure – Authentication
• Click Authentication from the App registration menu on the left (if not already loaded).
• Click + Add platform to add a new ‘Platform configuration’.
• Click Web to add a new ‘Web application’.
• Enter the Redirect URI of the application.
At this point you can switch back to the browser tab with the plugin’s wizard open and copy the automatically proposed
Redirect URI from the ‘Single Sign-on’ tab of the plugin’s wizard. If your intention is to use the WPO365 plugin for your
internet website (in other words, when you do not want to restrict access to all pages and posts of your WordPress website to
users that signed in with Microsoft) then you should change the proposed Redirect URI before you copy it and add
wp-admin/ e.g. https://www.your-website.com/wp-admin/ (include the trailing slash).
• Scroll down to ‘Implicit grant’ and check ID tokens for the plugin to request this token from
Microsoft.
Optionally also check Access tokens when your intention is to
• Enable the integration with SharePoint Online and / or Microsoft Graph
• And / or enable features of the PROFESSIONAL, PREMIUM or INTRANET edition of the plugin e.g. Avatar, Office 365 User
Fields and User Synchronization
6. Portal Azure – Token configuration
• Click Token configuration from the App registration menu on the left.
• Click + Add optional claim.
• Select ID.
• From the list below check
• email
• family name
• given name
• upn
Optionally click + Add group claims if you want to enable features of the PROFESSIONAL / PREMIUM / INTRANET edition of the
plugin e.g.
• Azure AD + WordPress role mapping when users sign in with Microsoft or when synchronizing users as an administrator
• Denying access to users based on Azure AD / Office 365 group membership(s).
7. Portal Azure – API permissions 1/2
• Click API permissions from the App registration menu on the left
• Click + Add permission.
• Select Microsoft Graph > Delegated permissions and check
• email
• openid
• profile
Scroll down to Group and check
• Group.Read.All (if your intention is to enable Azure AD + WordPress role mapping when synchronizing users)
Scroll down to Sites and check
• Sites.Read.All (if your intention is to use the Documents app)
Scroll down to User and check
• User.Read.All (if your intention is to enable retrieving additional Office 365 User Fields when synchronizing users and
/ or your intention is to use the Employee Directory app)
• Select SharePoint > Delegated permissions and check
• Sites.Search.All (if your intention is to use the Content by Search app)
• Click Add permissions.
8. Portal Azure – API permissions optionally - 2/2
• Wait until Grant admin consent for … has become available, then click to grant consent for all
users in your tenant to use this ‘App registration’.
Please note that it can take up to several minutes before the consent button becomes available and can be clicked. And even
after that you may see a red warning that consent could not be granted. If you see this warning, please repeat the sequence
and click to grant consent for all users in your tenant again.
After you clicked to grant consent please wait until any spinner has disappeared to ensure that consent has been granted.
Last but not least: Even after waiting for several minutes and all indicators showing you that consent has been granted, it
may take a few more minutes before the App registration becomes fully functional and the ID token contains the upn, email,
given and family name. If the Plugin self-test fails but you are convinced that you did everything right, then wait a few more
minutes and repeat the self-test.
9. Portal Azure – Certificates & Secrets optionally
• Click Certificates & Secrets from the App registration menu on the left.
• For Single Sign-on SSO you don’t need to create any Client secrets.
Optionally create a Client Secret to enable the integration with SharePoint Online and Microsoft Graph and / or enable
features of the PROFESSIONAL / PREMIUM / INTRANET edition of the plugin e.g. Avatar, Office 365 User Fields and User
Synchronization.
• Click + New client secret
• Give the new secret a name that helps you remember it later e.g. App secret and choose an expiry date e.g. Never.
• Copy the secret - e.g. in a Notepad application - when you save it. You won’t be able to retrieve it later.
10. Integration optionally
• Navigate to the Integration page of the plugin’s wizard and copy the Client secret that you
optionally created for your App registration during the ‘Certificates & Secrets’ step.
• Select your preferred Microsoft Graph version (recommended is Beta).
• Enable the Token service if you’re planning on deploying any of the client-side apps that ship with
the plugin e.g.
• Content by Search (SharePoint Online)
• Documents (SharePoint Online / OneDrive)
• Employee Directory (Microsoft Graph)
• Enable the Check nonce for improved security.
• If you are updating an existing configuration then click Delete tokens to ensure that all existing
access tokens are deleted and any changes you made are reflected by new fresh tokens retrieved
from the Azure AD endpoint.
11. Single Sign-on
• In Azure Portal navigate to the application registration’s Overview page and copy the Application
ID and Directory ID and paste them into the corresponding fields on the plugin’s wizard Single
Sign-on tab.
• Navigate to the Authentication page and copy the Redirect URI and paste it into the
corresponding field on the plugin’s wizard Single Sign-on tab.
• Select your desired scenario Intranet or Internet (see next slide).
12. Authentication scenario
Internet Mode
User navigates to your website
• Plugin does nothing (anonymous access is by
default enabled in this mode).
User navigates to your website’s WP Admin
• Plugin detects an attempt to request a page
that requires authentication and sends user
to Microsoft to authenticate.
• Microsoft sends user plus an authentication
response back to the Redirect URI.
• Plugin detects the authentication response
and signs in the user.
• Plugin eventually sends the user to the page
that user initially navigated to.
Intranet Mode
User navigates to your website
User navigates to your website’s WP Admin
• Plugin detects an attempt to request a page
that requires authentication and sends user
to Microsoft to authenticate.
• Microsoft sends user plus an authentication
response back to the Redirect URI.
• Plugin detects the authentication response
and signs in the user.
• Plugin eventually sends the user to the page
that user initially navigated to.
13. Plugin self-test v9.6 – available from mid January 2020
• On the plugin’s wizard Single Sign-on tab click Test + Save configuration:
A popup window will open and you’re reminded to optionally clear server-side cache (if you didn’t do so at the start).
• Click Confirm and you’ll be automatically taken to the ‘Plugin self-test’ page.
• Click Start self-test to check the current configuration and the plugin’s ability to retrieve an ID
token and optionally an access token.
As soon as the self-test is starting, the ‘Test mode’ will be activated. During this time the plugin is not protecting your website.
The plugin will now try to sign in using Microsoft and you may be prompted by Microsoft to sign in. Please be aware that at
no time will your authentication input be shared with your website: all information is shared only with Microsoft at all times!
The PROFESSIONAL, PREMIUM and INTRANET edition will create new WordPress users with user names and email address
set to match their Office 365 details automatically. For the BASIC edition you must do so manually by creating a user with
• A WordPress username that matches your (test user’s) Azure AD / Office 365 username
• And / or a WordPress email address that matches your (test user’s) Azure AD / Office 365 email
• Once the self-test is finished (during the self-test the page may be reloaded) you will see the test results. You
can click on each entry in the list to view the full details incl. category, severity and possibly a solution to fix
the issue.
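If the self-test reports a problem with the ID token, it helps to look at the token's claims directly. The following is an added example, not the plugin's code: it checks a token for the optional claims selected in the 'Token configuration' step, for the Application ID and Directory ID copied in the 'Single Sign-on' step, and for the nonce. The function names and all sample values are constructed for illustration; `aud`, `tid` and `nonce` are the standard Azure AD ID token claims for application, tenant and nonce. The payload is decoded without verifying the signature, so this is for inspection only.

```python
import base64
import json

# Optional ID-token claims selected in the 'Token configuration' step.
REQUIRED_CLAIMS = ("email", "family_name", "given_name", "upn")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_id_token(id_token, application_id, directory_id, expected_nonce):
    """Return a list of findings; an empty list means every check passed."""
    claims = decode_payload(id_token)
    findings = [f"missing optional claim: {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    if claims.get("aud") != application_id:
        findings.append("aud does not match the Application ID")
    if claims.get("tid") != directory_id:
        findings.append("tid does not match the Directory ID")
    if claims.get("nonce") != expected_nonce:
        findings.append("nonce does not match the value sent with the request")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    return ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps(claims).encode()), "sig"])


# Constructed sample values; none of them come from a real tenant.
APP_ID = "00000000-0000-0000-0000-0000000000aa"
DIR_ID = "00000000-0000-0000-0000-0000000000bb"
GOOD = make_sample_token({"aud": APP_ID, "tid": DIR_ID, "nonce": "n-123", "email": "u@example.com",
                          "upn": "u@example.com", "given_name": "Test", "family_name": "User"})
# A token issued before the optional claims took effect, carrying a nonce the site did not issue.
STALE = make_sample_token({"aud": APP_ID, "tid": DIR_ID, "nonce": "n-old"})

if __name__ == "__main__":
    print(check_id_token(GOOD, APP_ID, DIR_ID, "n-123"))
    print(check_id_token(STALE, APP_ID, DIR_ID, "n-123"))
```

Missing `upn`, `email`, `given_name` or `family_name` findings shortly after granting consent match the propagation delay described in the API permissions step.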
14. What’s next
• You can further integrate your WordPress website with Office 365 e.g.
• Integrate with Office 365 e.g. Employee Directory, Content by Search and Documents
• Automatically register new users from your tenant, other tenants or with MSAL accounts
• Dual login (let users choose to login with Office 365 or with WordPress)
• Require authentication only for a few pages
• Require authentication for all pages but not for the homepage
• Redirect manual login attempts to Microsoft
• Sign out from Office 365
• [Sign in with Microsoft] button (shortcode)
• Extra (BuddyPress) profile fields from Azure AD
• Office 365 profile picture as WordPress Avatar
• Assign WordPress role(s) based on Azure AD group membership(s)
• Deny / allow access based on Azure AD group membership(s)
• Enroll / Update (new) users to WordPress from Azure AD