WordPress + Microsoft Office 365 / Azure AD | LOGIN


Enable users to sign in with their corporate or school account (Azure AD (B2C) / Entra (Ext.) ID) to access your WordPress website: No username or password required. But there is more:


  • Enable Microsoft based Single Sign-on more
  • Supported Identity Providers (IdPs): Azure Active Directory, Azure AD B2C, Entra External ID (Azure AD for Customers) more
  • Supported SSO protocols: OpenID Connect and SAML 2.0 more
  • Supported OpenID Connect User Flows: Authorization Code User Flow (recommended) and Hybrid User Flow more


  • New users that sign in with Microsoft automatically become WordPress users more


  • Configure the intranet authentication mode to restrict access to all front-end posts and pages more
  • Hide the WordPress Admin Bar for specific roles more


  • Support for (seamless) integration of your WordPress website into a Microsoft Teams Tabs and Apps more


  • Send emails using Microsoft Graph instead of SMTP from your WordPress website more
  • Send as HTML
  • Save to the Sent Items folder
  • Support for file attachments


  • Support for WordPress Multisite more


  • Embed Microsoft Power BI content (user owns data) more


  • Embed a SharePoint Online library more
  • Embed a SharePoint Online list more
  • Embed an Outlook / Exchange calendar more
  • Embed a SharePoint Online search more


  • Embed an intuitve Azure AD / Microsoft Graph based Employee Directory into a front-end post or page more


  • Protect your WordPress REST API endpoints with a combination of a WordPress cookie and a nonce for delegated access more


  • Developers can now connect to a RESTful API for Microsoft Graph in their favorite programming language and without the hassle of authentication and authorization more
  • PHP hooks for developers to build custom Microsoft Graph / Office 365 integrations more



  • Update a WordPress user profile with (first, last, full) name, email and UPN from Azure AD



  • Create users in Azure AD B2C / Entra External ID (Azure AD for Customers) from WordPress



  • Visitors are required to sign in with Azure AD / Microsoft but will not be automatically logged in to WordPress



  • Azure AD group based access restriction for individual front-end posts and pages and post types
  • Require a user to log on (and determine the response e.g. redirect to 404, the login page or for Microsoft based SSO)



  • On-demand / scheduled user synchronization from Azure AD (B2C) to WordPress
  • On-demand / scheduled user synchronization from WordPress to Azure AD B2C / Entra External ID (Azure AD for Customers)



  • WordPress roles assignments / access restrictions based on Azure AD groups / user attributes / login-domains



  • Replace the default WordPress / BuddyPress avatar with a Microsoft 365 profile picture



  • Map Microsoft Graph user resource properties to custom WordPress / BuddyPress user profile fields
  • Map custom claims in an Azure AD B2C ID token to custom WordPress / BuddyPress user profile fields
  • Map custom claims from SAML 2.0 response to custom WordPress / BuddyPress user profile fields
  • Support for so-called Multi-Tenancy
  • Require Proof Key for Code Exchange (PKCE)
  • Force Single Sign-on for the login page
  • Dual login



  • Auto-enroll users into LearnDash Courses e.g. based on their Azure AD groups memberships.
  • Support for LearnDash User Groups.



  • Send large attachments (> 3 Mb)
  • Send from Microsoft 365 Shared Mailbox
  • Send as / Send on behalf / Support for distribution lists
  • Log every email sent from your WordPress website, review errors and (automatically) try to send unsuccessfully sent mails again.
  • Throttle emails send from your website.
  • Mail Staging Mode is useful for debugging and staging environments. WordPress emails will be logged and saved in the database instead of being sent.
  • Allow forms / plugins / themes to dynamically set the From address
  • Send all emails by default as BCC



  • Deep integration with the (itthinx) Groups plugin for group membership and access control



  • Advanced versions of the apps to embed content of Microsoft 365 services such as Power BI (with support for application owns data scenarios) and SharePoint Online (with support for anonymous users)



  • (SCIM based) Azure AD User Provisioning to WordPress



  • Enable Azure AD based protection for your WordPress REST API endpoints



  • Save multiple configurations
  • Directly edit (the JSON representation of) a configuration


  • Make sure that you have disabled caching for your Website in case your website is an intranet and access to WP Admin and all pubished pages and posts requires authentication. With caching enabled, the plugin may not work as expected
  • We have tested our plugin with WordPress >= 4.8.1 and PHP >= 5.6.40
  • You need to be (Office 365) Tenant Administrator to configure both Azure Active Directory and the plugin
  • You may want to consider restricting access to the otherwise publicly available wp-content directory


We will go to great length trying to support you if the plugin doesn’t work as expected. Go to our Support Page to get in touch with us. We haven’t been able to test our plugin in all endless possible WordPress configurations and versions so we are keen to hear from you and happy to learn!


We are keen to hear from you so share your feedback with us on LinkedIn and help us get better!

Open Source

When you’re a developer and interested in the code you should have a look at our repo over at WordPress.


  • Microsoft / Azure AD based Single Sign-on
  • Embedded Power BI for WordPress
  • Embedded SharePoint Online Documents for WordPress
  • Embedded SharePoint Online Search for WordPress
  • Employee Directory
  • Support for Azure AD B2B and Azure AD B2C
  • Sending WordPress email using Microsoft Graph
  • Synchronizing users from Azure AD to WordPress
  • Embed WordPress in a Teams Tab or App
  • Assign WordPress roles / Deny access based on Azure AD groups


This plugin provides 1 block.

  • Documents | BASIC


Please refer to these Getting started articles for detailed installation and configuration instructions.


30 de Mayo, 2024 1 reply
Great plugin that does the job really well. If I could suggest a couple of improvements it would be to get rid of the pop up that jumps in your face while configuring mail, and to make is easier to configure either through wp-cli or by poking config options into the database. I have 200 sites to set up and really don’t want to have to do them all via the GUI.
29 de Mayo, 2024 1 reply
A great plugin with lots of features and which just works. Documentation is very detailed and also up-to-date.The support we have received so far has been outstanding. We get prompt replies and detailed information. I have to deal with a lot of plugin developers and this one is by far the most helpful. Thanks!
9 de Mayo, 2024 1 reply
For both login and email integration with Microsoft 365.
8 de Mayo, 2024 1 reply
I installed this plugin, followed the excellent online tutorial, and it worked the very first time. Not only that, it works like a dream. If the visitor is already logged in to MS365, they simply have to click the “Sign In With Microsoft” button and does not have to re-enter MS365 credentials. Our organization uses MS365 2FA, and it works well with that. It also works great to log in with WordPress Username/PW. SSO at its best. I’m thrilled with this plugin. Thank you!!!
8 de Mayo, 2024 1 reply
WPO365 has been a game-changer for my platform which connects Wordpress users utilizing the MS365 suite of products. Of all the plugins I’ve purchased, WPO365 has been the most mission-critical for my company, and the most advanced. Despite how technically capable the plugin is (using secret keys / API’s / etc. to authenticate / communicate between Microsoft Azure and my wordpress ecosystem), the plugin handles these connections seamlessly. I can’t say enough good things about WPO365, as there really aren’t many options on the market that offer the ability for wordpress to communicate with the ultra-secure MS365 suite of products, but even when more competition exists, from my experience, I’m confident that WPO365 will be considered best-in-class. The seamless connections experience between Wordpress & Microsoft that WPO365 creates is smooth for both my admins and my users. It has opened up a world of possibilities, allowing us to offer a more integrated and efficient experience for everyone. I’m over the moon ecstatic with how WPO365 has enabled us to enhance our platform’s capabilities and provide a much more evolved and feature-rich experience for our users. Highly recommended for anyone looking to integrate WordPress with Microsoft 365! Re-reading this review, I acknowledge that it sounds almost like a “planted review,” but I assure you, it’s not: I just really think WPO365 does a good job at what it does, and it’s been very important for my company’s growth, so I felt compelled to write a review commensurate with the impact it’s had on my business.
Read all 131 reviews

Contributors & Developers

“WordPress + Microsoft Office 365 / Azure AD | LOGIN” is open source software. The following people have contributed to this plugin.


“WordPress + Microsoft Office 365 / Azure AD | LOGIN” has been translated into 4 locales. Thank you to the translators for their contributions.

Translate “WordPress + Microsoft Office 365 / Azure AD | LOGIN” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • Patched vulnerability (CVE-2024-4706): Validation of the script URL – used to embed Microsoft 365 services in WordPress – is now validated to ensure it points to a resource on the local WordPress server. [ALL]
  • Breaking Change (Microsoft Graph Mailer): WPO365 retains mail log entries that are less than approximately 90 days old and deletes entries that exceed the configured number of days. [MAIL]
  • Breaking Change (WordPress Multisite): Profile pictures for WordPress Avatars and downloaded from Microsoft Graph will always be saved in /wp-content/uploads/wpo365/profile-images instead of /wp-content/uploads/sites/[blog_id]/wpo365/profile-images. [AVATAR, SYNC, INTRANET]
  • Improvement: In an attempt to better understand errors that involve cURL, administrators can now enable verbose logging for cURL. [ALL]
  • Improvement: The Allowed (login) domains list can now be changed into a list of domains that are not allowed to sign in. This is especially useful for administrators that allow users from any Microsoft Entra ID / AAD tenant to sign into their WordPress website. [LOGIN+, SYNC, INTRANET]
  • Improvement: Administrators can now configure WPO365 to add new or existing users to all subsites in a WordPress Multisite Network when they sign in with Microsoft or when their data is synchronized. Additionally, all existing users can be added a new subsite, when it is first initialized. [LOGIN+, SYNC, INTRANET]
  • Improvement: A monitor (in the form of a WP Cron Job) for WPO365 User Synchronization will be started automatically (each time a new user synchronization starts) and will check every 5 minutes for unfinished synchronization jobs for which no WP Cron Job (to process the next batch of users) exists and re-create this job if needed. [SYNC, INTRANET]
  • Improvement: If WPO365 is used to integrate WordPress with Azure AD B2C and the administrator has configured WPO365 to create users in Azure AD B2C from WordPress, the status of this upstream-synchronization will now also show on a user’s profile page. [CUSTOMERS, SYNC, INTRANET]
  • Improvement: If enabled, WPO365 Audiences will now be shown for each post and / or page on WordPress pages, listing all posts and pages. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement: The response – when a non-logged-in user requests a post or a page that is restricted by a WPO365 Audience – is now streamlined with the option Response for visitors requesting a page that requires a logged-in user. [ROLES + ACCESS, SYNC, INTRANET]
  • Improvement: The Admin Credential > Secret Token that is used for Entra ID (AAD) User provisioning (SCIM) for WordPress can now be administered on the plugin’s User Sync configuration page. [SCIM, INTRANET]
  • Improvement: WPO365 now supports Custom URL Domains for Microsoft Entra (Ext.) ID. [LOGIN+, SYNC, INTRANET]
  • Improvement: If activated, WPO365 will terminate the loading of WordPress, whenever it identifies a login attempt (with local WordPress credentials) by a user whose username is not included in the WPO_ADMINS list. See the online documentation for details. [ALL]
  • Improvement: The title for the Office 365 Profile Information section on a user’s profile (only visible if the administrator enabled the option to Show Azure AD user attributes in a WordPress user profile) can now be translated (go to WP Admin > WPO365 > … > Translations). [CUSTOM USER FIELDS, LOGIN+, SYNC, PREMIUM]
  • Improvement: Administrators of a WordPress Multisite installation with dedicated mode enabled (so that subsites can be configured independently of each other) can now go to the plugins Import / Export configuration for a subsite to replace the (empty) configuration of the subsite with a copy of the central WPO365 configuration template. See the updated documentation for details. [ALL]
  • Preview: Administrators of GCCH tenants can now select this type of tenant from the list of Identity Providers, in order to change the TLD for all relevant Microsoft endpoints to “.us” (instead of “.com”). [ALL]
  • Fix: Translations for the Employee Directory app now correctly handle special characters (however, it may be necessary to recreate the shortcode). [ALL]
  • Fix: The premium WPO365 | MAIL option to resend failed emails automatically can now be started when the premium addon is used in combination with WPO365 | MICROSOFT GRAPH MAILER. [MICROSOFT GRAPH MAILER]


  • Improvement: The lis of “Optional SCIM attribute mappings” on the plugin’s “User Sync” configuration page has been deprecated. Administrators that have support for SCIM based Azure AD User provisioning enabled, are urged to migrate these mappings to the list “SCIM attribute to WordPress user meta mappings” in the section “Custom User Fields” using the corresponding “Migrate optional SCIM attribute mappings” button. [SCIM, INTRANET]
  • Fix: Some “SCIM attribute to WordPress user meta mappings” e.g. “emails[type eq “work”].value” were only processed by WPO365 internally e.g. to update a user’s WordPress profile. With this change, these attributes can now also be mapped to WordPress user meta. [SCIM, INTRANET]
  • Fix: An administrator now can (and should) – besides the ID token claim – also specify the corresponding AAD user property (and SCIM claim, if support for SCIM based Azure AD User provisioning has been enabled) that WPO365 should use for a new WordPress user’s username. This only concerns those administrators, who configured a custom claim as the username of a new WordPress user (on the plugin’s “User registraton” configuration page). [(LOGIN+), CUSTOMERS, SCIM, SYNC, SCIM]
  • Fix: By fixing a caching issue, WPO365 should – after this update – no longer show a notification that “There is a new version of […] available […]” for WPO365 premium addons and bundles, after those were updated to the lastest version. [ALL PREMIUM ADDONS / BUNDLES]


  • Fix: “Strict Mode” for the Redirect URI can now also be enabled for the WPO365 | MICROSOFT GRAPH MAILER plugin (so it will only try process an Oauth response / payload detected at the exact URL which must be a path below the site’s home address e.g. /oidc-auth/). [MICROSOFT GRAPH MAILER]
  • Fix: The plugin will not try and process an Oauth response / payload if both features SSO and MICROSOFT GRAPH MAILER are disabled or if SSO is disabled but MICROSOFT GRAPH MAILER is enabled and but the administrator did not start an attempt to authorize an account to send emails from. [LOGIN, MICROSOFT GRAPH MAILER]
  • Fix: WPO365 Health Messages are now correctly displayed on the corresponding panel for the MICROSOFT GRAPH MAILER plugin.
  • Fix: A cached Authorization Code will now be correctly removed from cache after it has been redeemed. [LOGIN]
  • Fix: A user’s UPN is now correctly escaped before inserting it into the WPO365 User Synchronization database table (to support UPNs with single quotes). [SYNC, INTRANET]


  • Breaking Change: HTML and CSS for the default login-button has changed slightly and the wrapper is now a flex-box, to allow for an additional drop-down list in case the administrator configured multiple Identity Providers. An administrator, however, can revert this change and configure WPO365 to use the old login-button template (see the corresponding option on the plugin’s Miscellaneous configuration page). [LOGIN]
  • Breaking Change: To support devOps workflows and site replication scenarios, WPO365 now automatically detects named constants in your website’s wp-config.php file that either configure an single Identity Provider (IdP) or any of the WPO365 settings that are not directly related to an IdP. As a result, the option Use WP-Config.php for AAD secrets has been renamed to Obfuscate AAD options and the option Use WP-Config.php to override (some) config options has been removed. [ANY PREMIUM ADDON / BUNDLE]
  • Breaking Change: LearnDash enrollment rules are now also applied to existing users (when they sign in or when users are synchronized). [ROLES + ACCESS, SYNC, INTRANET]
  • Feature (preview): Administrators can now configure WPO365 to support multiple Identity Providers (IdP). If multiple IdPs have been configured, WPO365 will – by default – render a dropdown list enumerating IdPs by their “friendly name”. A user simply picks an IdP from the list before clicking “Sign in with Microsoft”. Refer to the new tutorial for further details. [ANY PREMIUM ADDON / BUNDLE]
  • Feature (preview): Now administrators can enable WPO365 Insights and aggregate various events into straightforward management dashboards. These dashboards are designed to offer valuable insights, such as tracking the count of users who have authenticated successfully or unsuccessfully, monitoring emails that have been sent successfully or unsuccessfully, and overseeing the synchronization status of users, whether through SCIM, WPO365 User synchronization, or during their initial sign-in. See the new online guide for further details. [ALL]
  • Feature (preview): Administrators can now add app roles to an App registration in Microsoft Entra Admin Center and use them to dynamically assign WordPress roles to users. See the online documentation for further details. [ROLES + ACCESS, SYNC, INTRANET]
  • Feature (preview): WPO365 now also supports the SAML 2.0 protocol for use with Azure AD’s multi-tenancy feature. See the online documentation for further details. [LOGIN+, SYNC, INTRANET]
  • Improvement: WPO365 can now be configured to skip saving the default WP avatar for a user without a profile picture. See the online documentation for further details. [AVATAR, SYNC, INTRANET]
  • Improvement: An administrator can now choose between the WordPress site URL or the WP Admin URL as the default landing page after a user successfully signed in with Microsoft. Alternatively, a custom URL can be defined when the LOGIN+ addon, or the SYNC or INTRANET is detected. [LOGIN, LOGIN+, SYNC, INTRANET]
  • Improvement: When a SAML 2.0 X509 certificate is missing from the configuration, is expired or has been withdrawn, WPO365 will try and read the tenant’s federation metadata to obtain (and cache) a new signing key. [LOGIN]
  • Improvement: WPO365 Health Messages will no longer be displayed on a default WordPress notification banner, but instead a dismissable panel will slide over the configuration app. [LOGIN]
  • Improvement: After running the Plugin self-test for SAML 2.0 based SSO, the raw SAML response can now be viewed by clicking the corresponding link for the “SAML response has been processed and no errors occurred” test case. [LOGIN]
  • Improvement: Generated passwords are checked to ensure that the generated password has characters from all four possible categories (lower and upper case, numbers and symbols). [LOGIN]
  • Improvement: When deleting a WPO365 configuration, several caches e.g. for access tokens and certificates, are cleaned as well. [LOGIN]
  • Improvement: WPO365 will now update BuddyPress profile fields (provided that this option is enabled) whenever Azure AD Provisioning (SCIM) sends new / updated user attributes. [SCIM, INTRANET]
  • Fix: Audiences now work correctly if a user is a member of one Audience but not of all when more than one Audience has been added to a page. [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: User synchronization of users with an apostrophe in their username now no longer generates an error when being logged into the database table. [SYNC, INTRANET]
  • Fix: Auth.-Only scenarios are now compatible with the Audiences feature to make a page private (restricting access exclusively to users who are authenticated). [ROLES + ACCESS, SYNC, INTRANET]
  • Fix: WPO365 will not send the user into an infinite loop anymore, if the administrator has enabled “strict mode” for the Redirect URI plus checked the option to use wp-config.php for AAD secrets. [ALL PREMIUM]
  • Fix: WPO365 now checks for before “Trying to create a duplicate log entry” during user synchronization and will update the existing log record instead. [SYNC, INTRANET]


  • Feature: Embed an Outlook / Exchange Calendar in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Feature: Embed a SharePoint Online List in WordPress. See online documentation for details. [LOGIN, APPS, INTRANET]
  • Fix: The plugin attempted to process any POST request with parameter “error”, mistakenly assuming that it would be an authentication-error sent by Microsoft. [LOGIN, MICROSOFT GRAPH MAILER]
  • Version bumped. [ALL]

Older versions

Please check the online change log for previous changelogs.