WordPress + Microsoft Office 365 / Azure AD | LOGIN


With WPO365 | LOGIN users can sign in with their corporate or school (Azure AD / Microsoft Office 365) account to access your WordPress website: No username or password required (OIDC or SAML 2.0 based SSO). Plus you can send email using Microsoft Graph instead of SMTP from your WordPress website.


  • Supported Identity Providers (IdPs): Azure Active Directory and Azure AD B2C
  • Supported SSO protocols: OpenID Connect and SAML 2.0
  • Supported OpenID Connect user flows: Authorization Code User Flow (recommended) and Hybrid User Flow


  • New users that sign in with Microsoft automatically become WordPress users


  • Configure the intranet authentication mode to restrict access to all front-end posts and pages
  • Hide the WordPress Admin Bar for specific roles


  • Support for (seamless) integration of your WordPress website into Microsoft Teams Tabs and Apps


  • Send emails using Microsoft Graph instead of SMTP from your WordPress website
  • Send as HTML
  • Save to the Sent Items folder
  • Support for file attachments


  • Support for WordPress Multisite


  • Embed Microsoft Power BI content (user owns data)


  • Embed a SharePoint Online library using a Gutenberg block or a simple shortcode
  • Embed a SharePoint Online search experience into a front-end post or page using an easily generated shortcode


  • Embed an intuitive Azure AD / Microsoft Graph based Employee Directory into a front-end post or page


  • Protect your WordPress REST API endpoints with a combination of a WordPress cookie and a nonce for delegated access


  • Developers can connect to a RESTful API for Microsoft Graph in their favorite programming language without the hassle of authentication and authorization
  • PHP hooks for developers to build custom Microsoft Graph / Office 365 integrations



  • Update a WordPress user profile with (first, last, full) name, email and UPN from Azure AD


  • Visitors are required to sign in with Azure AD / Microsoft but will not be automatically logged in to WordPress


  • Azure AD group based access restriction for individual front-end posts and pages


  • On-demand / scheduled user synchronization from Azure AD to WordPress


  • Replace the default WordPress / BuddyPress avatar with a Microsoft 365 profile picture


  • WordPress role assignments / access restrictions based on Azure AD groups / user attributes


  • Map Microsoft Graph user resource properties to custom WordPress / BuddyPress user profile fields
  • Map custom claims in an Azure AD B2C ID token to custom WordPress / BuddyPress user profile fields
  • Map custom claims from a SAML 2.0 response to custom WordPress / BuddyPress user profile fields
  • Support for so-called Multi-Tenancy
  • Require Proof Key for Code Exchange (PKCE) for increased protection when requesting OAuth tokens from Azure AD
  • Other features: Enable SSO for the login page, Dual login and Private Pages


  • Send large attachments (> 3 MB)
  • Send from a Microsoft 365 Shared Mailbox
  • Send as / Send on behalf / Support for distribution lists
  • Log every email sent from your WordPress website, review errors and retry mails that failed to send
  • Mail Staging Mode is useful for debugging and staging environments: WordPress emails are logged and saved in the database instead of being sent
  • Allow forms / plugins / themes to dynamically set the From address
  • Send all emails by default as BCC


  • Deep integration with the (itthinx) Groups plugin for group membership and access control


  • Advanced versions of the apps to embed content of Microsoft 365 services such as Power BI (with support for application owns data scenarios) and SharePoint Online (with support for anonymous users)


  • (SCIM based) Azure AD User Provisioning to WordPress


  • Enable Azure AD based protection for your WordPress REST API endpoints


  • Save multiple configurations
  • Directly edit (the JSON representation of) a configuration


  • Make sure that you have disabled caching for your website if it is an intranet where access to WP Admin and all published pages and posts requires authentication. With caching enabled, the plugin may not work as expected
  • We have tested our plugin with WordPress >= 4.8.1 and PHP >= 5.6.40
  • You need to be an (Office 365) Tenant Administrator to configure both Azure Active Directory and the plugin
  • You may want to consider restricting access to the otherwise publicly available wp-content directory


We will go to great lengths trying to support you if the plugin doesn’t work as expected. Go to our Support Page to get in touch with us. We haven’t been able to test our plugin in all of the endless possible WordPress configurations and versions, so we are keen to hear from you and happy to learn!


We are keen to hear from you so share your feedback with us on Twitter and help us get better!

Open Source

If you’re a developer interested in the code, have a look at our repo over at WordPress.


  • Microsoft / Azure AD based Single Sign-on
  • Embedded Power BI for WordPress
  • Embedded SharePoint Online Documents for WordPress
  • Embedded SharePoint Online Search for WordPress
  • Employee Directory
  • Support for Azure AD B2B and Azure AD B2C
  • Sending WordPress email using Microsoft Graph
  • Synchronizing users from Azure AD to WordPress
  • Embed WordPress in a Teams Tab or App
  • Assign WordPress roles / Deny access based on Azure AD groups


Please refer to these Getting started articles for detailed installation and configuration instructions.


22 March 2023 1 reply
As an IT professional for over 30 years, I must commend Marco van Wieren on his technical support and customer service.
27 January 2023 1 reply
This plugin does exactly what it says it's supposed to do, in a user-friendly manner with full documentation. We used the free version for one of our customers and the setup was super easy, thanks for this nice plugin 😀
18 January 2023 1 reply
I've used both the paid and free versions for different sites, both great and the support is ace too. Highly recommend 🙂
10 January 2023 1 reply
I needed a solution which allows Enterprise clients to log into our training solution seamlessly. Our system is used by government and corporate clients, so we had 3 key requirements: it has to be secure; it should be WCAG 2.1 AA accessible compliant; it should only allow whitelisted Microsoft 365 tenants to access our system. I vetted a lot of different options that didn't quite hit the mark, but this one easily meets all the requirements, and more. I cannot express to you how happy I am with this plugin. I had some setup and security questions, which Marco answered quickly and thoughtfully, and we're now up and running. The documentation and setup videos are also extremely helpful for someone who is new to Single Sign-on with Azure AD (which I was when I started my project). The free version of this plugin is awesome, but we needed some of the more advanced features in the premium version and the value of this plugin far exceeds the cost. I highly recommend this plugin to anyone looking for Azure AD integration!

Contributors & Developers

“WordPress + Microsoft Office 365 / Azure AD | LOGIN” is open source software. The following people have contributed to this plugin.


“WordPress + Microsoft Office 365 / Azure AD | LOGIN” has been translated into 3 locales. Thank you to the translators for their contributions.





  • Feature: Administrators can now enable Mail Staging Mode. This is useful for debugging and staging environments. WordPress emails will be logged and saved in the database instead of being sent. [MAIL]
  • Improvement: The WPO365 plugin will now handle forms (e.g. Contact Form 7) that propose to send emails from a different account than the “default from” mail account after it handles any other option (e.g. Shared Mailbox or Send as / Send on behalf of). The proposed “alternative from” therefore always prevails. It can also be any type of mailbox, e.g. User Mailbox, Shared Mailbox or Distribution List. But it is up to the administrator to ensure that the “default from” mail account is either a member (e.g. of the Shared Mailbox) or has sufficient permissions to send emails as / on behalf of an alternative account (e.g. the Distribution List). [MAIL]
  • Fix: The initial OpenID Connect authorization request will now always include https://graph.microsoft.com/User.Read. [LOGIN]
  • Fix: A public property $ErrorInfo has been added to the PHPMailer object to support integration with Gravity Forms. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The plugin now better understands – in the context of WordPress Multisite installations – whether the configuration must be retrieved / stored at site or at network level. [LOGIN]
  • Fix: Some Azure AD information that the plugin collects during the plugin self-test is no longer assigned to the user executing the self-test. [LOGIN]


  • Fix: ID Token validation now also validates audiences that are defined using an Application ID URI instead of the Application ID (e.g. this is the case for Microsoft Teams). [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The plugin does no longer rely on the HTTP_HOST key of the global $_SERVER variable, which – if not initialized – may cause a critical error on the website. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: The link to launch the Mail Log Viewer would return “false” for Firefox users. [MAIL]


  • Improvement: The (premium extension for the) Microsoft Graph Mailer for WordPress now also supports sending mail as / on behalf of another user or distribution list. [MAIL]
  • Improvement: The user interface for the Mail Log Viewer has been significantly updated with improved scrolling and selection and overall a clearer arrangement of the available information. [MAIL]
  • Improvement: The Microsoft Graph Mailer for WordPress will notify the administrator in the form of a WPO365 Health Message when another plugin with mail-sending capabilities is detected. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: An alternative system for WordPress Nonces has been introduced to work around the fact that some browsers refuse to send the WordPress auth cookie along with HTTP 302 redirect requests, causing default WordPress nonce verification to fail unexpectedly, in which case the plugin would then log the warning “Could not successfully validate oidc nonce with value xyz”. [LOGIN, MICROSOFT GRAPH MAILER]


  • Fix: The recently added ID token verification did not take the mail-authorization flow into account. [LOGIN]
  • Improvement: Administrators can now re-configure the WPO365 | LOGIN plugin to skip the ID token verification altogether, on the plugin’s Miscellaneous configuration page (but this is not recommended for production environments). [LOGIN]


  • Fix: The built-in update checker for premium extensions might incorrectly indicate that an update for some extensions would be available. [LOGIN]


  • Fix: The plugin would cause a fatal crash when using PHP 7.2 or lower. [ALL]


  • Change: The WPO365 | LOGIN plugin will now verify the tenant that issued the ID token and the audience for which the ID token was issued. [LOGIN]
  • Fix: Various issues with the built-in license and update checker for premium extensions and bundles.
  • Fix: The Employee Directory app will now only take the host portion of the SharePoint home URL when dynamically constructing the permissions scope. [M365 APPS, INTRANET]
  • Fix: The User Sync test case will skip the check for custom domains when Azure AD B2C has been selected. [SYNC, INTRANET]
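The tenant and audience checks announced in the entries above (and the Application ID URI audience case noted in a newer release listed earlier on this page), as an added example that is not WPO365’s own code. It assumes the token’s signature has already been verified against the tenant’s JSON Web Key Set, and the function name, tenant/client IDs and sample claims are constructed placeholders.

```php
<?php
// Added example, not WPO365 code. Assumes the JWT signature was already
// verified against the tenant's JSON Web Key Set; claim checks alone prove nothing.
declare(strict_types=1);

// Validate issuer tenant, audience, lifetime and nonce of an Azure AD ID token.
// $allowed_audiences holds the Application (client) ID and, where one is used
// (e.g. Microsoft Teams), the Application ID URI such as api://<client-id>.
// Returns a list of failure reasons; an empty list means every check passed.
function wpo_example_validate_claims(array $claims, string $tenant_id, array $allowed_audiences,
                                     string $expected_nonce, int $now, int $leeway = 60): array {
    $errors = [];

    // Tenant: tid must be the configured tenant and iss must be the v1 or v2
    // Azure AD issuer for that same tenant, so tokens from other tenants are rejected.
    $tid = (string) ($claims['tid'] ?? '');
    if ($tid === '' || !hash_equals($tenant_id, $tid)) {
        $errors[] = 'tid does not match the configured tenant';
    }
    $issuers = ["https://login.microsoftonline.com/{$tenant_id}/v2.0", "https://sts.windows.net/{$tenant_id}/"];
    if (!in_array((string) ($claims['iss'] ?? ''), $issuers, true)) {
        $errors[] = 'iss is not an Azure AD issuer for the configured tenant';
    }

    // Audience: aud may be a string or an array; at least one value must be ours.
    $aud = $claims['aud'] ?? [];
    $matched = false;
    foreach ((is_array($aud) ? $aud : [$aud]) as $a) {
        foreach ($allowed_audiences as $allowed) {
            if (is_string($a) && hash_equals($allowed, $a)) {
                $matched = true;
            }
        }
    }
    if (!$matched) {
        $errors[] = 'aud is neither the Application ID nor the Application ID URI';
    }

    // Lifetime, with a small clock-skew allowance.
    if (!isset($claims['exp']) || (int) $claims['exp'] + $leeway < $now) {
        $errors[] = 'token has expired';
    }
    if (isset($claims['nbf']) && (int) $claims['nbf'] - $leeway > $now) {
        $errors[] = 'token is not yet valid';
    }

    // Nonce binds the token to the authorization request this site started.
    $nonce = (string) ($claims['nonce'] ?? '');
    if ($nonce === '' || !hash_equals($expected_nonce, $nonce)) {
        $errors[] = 'nonce does not match the pending authorization request';
    }
    return $errors;
}

// Constructed sample claims (placeholder IDs, not a real token): a Teams-style
// token whose audience is the Application ID URI rather than the client ID.
$tenant  = '00000000-0000-0000-0000-000000000001';
$client  = '00000000-0000-0000-0000-000000000002';
$allowed = [$client, "api://{$client}"];
$claims  = ['iss' => "https://sts.windows.net/{$tenant}/", 'tid' => $tenant,
            'aud' => "api://{$client}", 'exp' => time() + 600, 'nonce' => 'n-123'];
$errors = wpo_example_validate_claims($claims, $tenant, $allowed, 'n-123', time());
echo $errors ? implode("\n", $errors) . "\n" : "ID token claims accepted\n";

// The same token with a foreign tenant in tid is rejected even though aud matches.
$claims['tid'] = '00000000-0000-0000-0000-000000000099';
print_r(wpo_example_validate_claims($claims, $tenant, $allowed, 'n-123', time()));
```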


  • Fix: License check for premium extensions and bundles would show “unknown error occurred” for valid licenses.
  • Fix: Update check for premium extensions and bundles now better aligned with the recently updated license management service.


  • Improvement: Various aspects of user synchronization have been improved / refactored in an attempt to make it easier to configure, track and start / stop jobs. [SYNC, INTRANET]
  • Improvement: The WPO365 plugin will now – by default – first try to look up an existing WordPress user by its Azure AD Object ID. This value uniquely identifies a user in Azure AD and is automatically configured when WPO365 creates a new user (or updates an existing one). [ALL]
  • Improvement: To support Azure AD B2C user synchronization, newly created user synchronization jobs will now – by default – skip the domain check (whereby the login domain of the username of users retrieved from Microsoft Graph is matched against a list of supported custom domains on the plugin’s User registration configuration page). Existing user synchronization jobs must be updated manually. [SYNC, INTRANET]
  • Improvement: If WPO365 User synchronization has been configured, the default WordPress User list will be enhanced automatically. A column is added to show the date and time a user was last updated by WPO365 User synchronization. A second column will show a button that allows administrators to reactivate a user in case that user has been de-activated / soft-deleted by WPO365 User synchronization. [SYNC, INTRANET]
  • Improvement: Support for Azure AD B2C custom login domains. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement: Administrators can now configure website buttons targeting a specific Azure AD B2C user flow or custom policy sign-up, sign-in or reset password. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Improvement: It is now possible to configure an embedded login experience for Azure AD B2C. See online documentation for details. [LOGIN+, SYNC, INTRANET]
  • Fix: The Source for custom user fields (ID token, Microsoft Graph or SAML response) selector was not always visible on the plugin’s User sync configuration page. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Fix: The Allow forms to override “From” address option was only enabled for application-level Mail.Send permissions. [MAIL, SYNC, INTRANET]
  • Fix: Overriding the “From” address was sometimes ignored. [MAIL, SYNC, INTRANET]
  • Fix: Sending from a Shared Mailbox was sometimes ignored. [MAIL, SYNC, INTRANET]
  • Fix: Version bump for all WPO365 plugins. [ALL]
  • Fix: Licenses for premium extensions are now checked regularly and a notification will be shown if the license has expired. [ALL]
  • Fix: The “Authorized!” label on the plugin’s Mail configuration page is now green instead of red to indicate success.


  • Fix: The mail authorization may falsely indicate that the plugin is not authorized to send emails using Microsoft Graph due to how the plugin compared permissions. [ALL]


  • Feature: Websites that are using the Mail Integration for Office 365/Outlook are now urged to switch to WPO365 | MICROSOFT GRAPH MAILER or configure the built-in Microsoft Graph mail function of the WPO365 | LOGIN plugin. Consult the online migration guide for further details. [ALL]
  • Improvement: Administrators can check an option to Use alternative CDN (on the plugin’s Integration page). If checked, the plugin will download the react-js and react-dom.js packages from the CloudFlare CDN (instead of from the default UNPKG CDN). However, administrators can also choose to self-host these dependencies, in which case they can override the CDN configuration using a constant that must be defined in wp-config.php. See the online documentation for details. [ALL]
  • Fix: The avatar method updated in v20.0 now also overrides the get_avatar hook to avoid conflicts with other plugins such as Ultimate Member. [AVATAR, SYNC, INTRANET]


  • Improvement: Administrators can now define a constant in wp-config.php to override the default CDN used to download the react.js and react-dom.js packages. This constant must be defined immediately after the line “/* That’s all, stop editing! Happy publishing. */” as an array as follows: define('WPO_CDN', array('react' => 'https://cdnjs.cloudflare.com/ajax/libs/react/16.14.0/umd/react.production.min.js', 'react_dom' => 'https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.14.0/umd/react-dom.production.min.js'));


  • Fix: The renaming of an option (to allow retrieval of OAuth tokens by client side apps) prevented existing configurations from updating this value. [ALL]


  • Feature: The (premium version of the) Microsoft Graph Mailer can now send attachments larger than 3 MB. [MAIL, SYNC, INTRANET]
  • Feature: The (premium version of the) Microsoft Graph Mailer can now send emails from a Shared Mailbox. [MAIL, SYNC, INTRANET]
  • Improvement: The LOGIN+ extension now also allows administrators to save multiple configurations (on the plugin’s Import / Export configuration page). [LOGIN+]
  • Improvement: Administrators can now define the name of the WordPress user meta for user attributes synchronized from Azure AD to WordPress. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement: The Avatar method now replaces the URL of the profile image (by filtering pre_get_avatar_data instead of get_avatar). [AVATAR, SYNC, INTRANET]
  • Improvement: Now supports reading custom claims in a SAML response and saving them as WordPress user meta. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Improvement: Administrators can now choose to skip updating a WordPress user’s display name. [LOGIN+, USER FIELDS, SYNC, INTRANET]
  • Improvement: Some parts of the source code have been updated to improve compatibility with PHP 8.1. [ALL]
  • Fix: The Audiences feature now also prevents access to posts and pages using a direct-edit link. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: Sign out of Microsoft now also works as expected for Azure AD B2C. [LOGIN+, SYNC, INTRANET]
  • Fix: Custom formatting of a WordPress user’s display name now works as expected for SAML 2.0 based Single Sign-on. [LOGIN+, CUSTOM USER FIELDS, SYNC, INTRANET]
  • Fix: The shortcode properties of a Microsoft 365 App are now HTML-decoded to handle the case where WordPress updates shortcode properties when an author edits a page. [ALL]
  • Fix: The div that encapsulates a Microsoft 365 App can now be referenced by its unique classname “wpo365-app-root”. [ALL]
  • Fix: Some WPO365 options have been removed / renamed to avoid triggering the ModSecurity OWASP CRS, which caused 418 “I am not a teapot” HTTP errors, for example when hosting a site at DreamHost. [ALL]
  • Fix: The plugin now correctly tries again to get a user’s (Azure AD) group memberships with Group.Read.All permissions when the administrator has not (yet) granted permissions to do so using GroupMember.Read.All permissions. [ROLES + ACCESS, SYNC, INTRANET]


  • Fix: Mail authorization for delegated access would fail with the error “Could not retrieve a tenant and application specific JSON Web Key Set and thus the JWT token cannot be verified successfully”. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: Embedded PowerBI reports will now try to refresh the acquired access token when the browser tab is left open. [LOGIN, INTRANET, M365 APPS]
  • Fix: Encoding of parameters for embedded SharePoint Online apps (Search and Documents) has been improved. [LOGIN, INTRANET, M365 APPS]
  • Fix: The Audiences custom meta box has been updated and produces valid HTML. [ROLES + ACCESS, SYNC, INTRANET]


  • Fix: The delegated mail authorization feature would – under circumstances – fail to get the mail specific tenant ID and as a result an attempt to refresh the access token may fail. [LOGIN, MICROSOFT GRAPH MAILER]


  • Fix: The Redirect URL field for the mail authorization is no longer greyed out and can be changed by administrators. [LOGIN]


  • Fix: A backward-compatibility issue with Audiences would cause a critical error when editing a page. Administrators with any of the following extensions installed must update as soon as possible: ROLES + ACCESS, SYNC, INTRANET.


  • Change: Sending WordPress emails using Microsoft Graph can now also be configured with delegated permissions. Administrators are urged to review the documentation and to update their configuration. [LOGIN, MICROSOFT GRAPH MAILER]
  • Feature: Audiences – used to target posts and pages to specific Azure AD groups – can now also be used on a post or page using a custom metabox in the sidebar. Consult the updated documentation for details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature: Azure Active Directory secrets can now be stored in the website’s wp-config.php and removed from the database. [MAIL]
  • Improvement: A number of plugin self-tests have been improved to help administrators find loopholes in the configuration e.g. of User synchronization and the integration of various SharePoint Online services. [LOGIN]
  • Fix: The plugin no longer “hijacks” a state parameter when sent in the header of any request. This prevented – amongst other things – enabling / disabling of WordPress auto-updates. [LOGIN]
  • Fix: The Employee Directory app now shows profile information when users are searched for using SharePoint. [M365 APPS, INTRANET]
  • Fix: Version bump for all WPO365 plugins.


  • Fix: Recent changes to the built-in notification service could cause a fatal error on older PHP versions; this has now been fixed. [LOGIN]


  • Fix: If the plugin is configured to send WordPress emails using Microsoft Graph, it will now always replace the “from” email address if WordPress tries to send emails from “wordpress@[sitename]”. WordPress proposes this email address if no email address is set by the plugin sending the email (e.g. Contact Form 7). This address may pass checks as a valid email address but in reality most likely does not exist. The option to fix the “localhost” issue has been removed since this fix improves the behavior for all hosts (incl. localhost). [ALL]
  • Improvement: Various wp-admin banners as well as some translations have been updated. Also a teaching bubble is shown on the Single Sign-on page to help admins quickly find the WPO365 documentation center at https://docs.wpo365.com/. [ALL]


  • Change: Administrators who selected OpenID Connect based single sign-on, can now choose between the Hybrid Flow and the Authorization Code Flow. New installations will automatically be configured using Authorization Code Flow. Read more [LOGIN]
  • Change: Support for Azure AD B2C custom policies (sign-up, sign-in and password reset) is no longer a premium feature. [LOGIN]
  • Change: All features of WPO365 | CUSTOM USER FIELDS extension are from now on supported by the WPO365 | LOGIN+ extension. See our website for details and pricing. [CUSTOM USER FIELDS, LOGIN+]
  • Change: A new WPO365 Features Dashboard has been added that allows administrators to toggle features such as e.g. SSO, MAIL and SYNC on or off. [LOGIN]
  • Feature: Admins can now choose to hide the WordPress Admin Bar for specific roles. [LOGIN]
  • Feature: Requesting access tokens from Azure AD can now be further secured using a Proof Key for Code Exchange (PKCE). [LOGIN+, SYNC, INTRANET]
  • Feature: Protect and secure your WordPress REST API with Azure AD generated oauth access tokens (PREMIUM). [LOGIN+, SYNC, INTRANET]
  • Feature: Protect and secure your WordPress REST API with WordPress REST cookies. [LOGIN]
  • Improvement: Azure AD B2C custom claims sent in the ID token can now be mapped to custom WordPress user meta fields. [LOGIN+, SYNC, INTRANET]
  • Improvement: When a “From” address is specified in, for example, an email form, the email will be sent from that address (instead of the configured “From” address), provided the address specified in the form appears to be valid. This behavior is a premium feature and not enabled by default. [MAIL, SYNC, INTRANET]
  • Improvement: Admins can now set a different Azure AD tenant for sending WordPress emails using Microsoft Graph when the plugin is configured for Azure AD B2C based single sign-on. [ALL]
  • Improvement: Admins can now update the priority for the get_avatar hook on the plugin’s User sync page (default 1). [AVATAR, SYNC, INTRANET]
  • Improvement: The plugin is now able to work with the more appropriate GroupMember.Read.All permissions instead of Group.Read.All and admins who configured role based access restriction are advised to update the API permissions for the registered application in Azure AD. [ROLES+ACCESS, SYNC, INTRANET]
  • Fix: The logic to detect the blog ID in a WordPress Multisite (WPMU) will always test with a trailing slash. [LOGIN]
  • Fix: A (custom) login message – for example created with LoginPress – will now show as expected. [ALL]
  • Fix: Non-dynamic roles in an identities configuration used to enable RLS when embedding Power BI content no longer causes a fatal error. [M365 APPS, INTRANET]
  • Fix: It is now possible to save empty custom user profile fields when manually updating a user’s profile. [CUSTOM USER FIELDS, SYNC, INTRANET]

Older versions

Please check the online change log for previous changelogs.