{"id":121243,"date":"2020-05-12T05:54:45","date_gmt":"2020-05-12T05:54:45","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/sso-for-azure-ad\/"},"modified":"2025-08-13T08:36:25","modified_gmt":"2025-08-13T08:36:25","slug":"sso-for-azure-ad","status":"publish","type":"plugin","link":"https:\/\/ca-valencia.wordpress.org\/plugins\/sso-for-azure-ad\/","author":16472025,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.5.2","stable_tag":"trunk","tested":"6.8.5","requires":"4.7.0","requires_php":"7.0","requires_plugins":null,"header_name":"SSO for Azure AD","header_author":"Marco Benzoni","header_description":"Enable Single Sign On with Azure AD on your site.","assets_banners_color":"","last_updated":"2025-08-13 08:36:25","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/gitlab.com\/qlcvea\/wp-sso-for-azure-ad","header_author_uri":"https:\/\/qlcvea.com","rating":5,"author_block_rating":0,"active_installs":600,"downloads":12471,"num_ratings":4,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"qlcvea","date":"2020-05-12 05:54:23"},"1.1.0":{"tag":"1.1.0","author":"qlcvea","date":"2021-07-02 08:06:42"},"2.0.0":{"tag":"2.0.0","author":"qlcvea","date":"2021-07-21 07:35:19"},"2.1.0":{"tag":"2.1.0","author":"qlcvea","date":"2022-08-29 15:54:00"},"2.2.0":{"tag":"2.2.0","author":"qlcvea","date":"2023-09-16 13:32:40"},"2.3.0":{"tag":"2.3.0","author":"qlcvea","date":"2023-09-24 11:44:32"},"2.4.0":{"tag":"2.4.0","author":"qlcvea","date":"2023-11-11 09:01:44"},"2.5.0":{"tag":"2.5.0","author":"qlcvea","date":"2023-12-02 10:01:37"},"2.5.1":{"tag":"2.5.1","author":"qlcvea","date":"2025-02-18 20:17:39"},"2.5.2":{"tag":"2.5.2","author":"qlcvea","date":"2025-08-13 08:36:25"}},"upgrade_notice":{"1.0.0":"

First release<\/p>","2.0.0":"

Breaking change<\/strong>: The plugin now matches users based on email address and not UPN<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":4},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.1.0","2.0.0","2.1.0","2.2.0","2.3.0","2.4.0","2.5.0","2.5.1","2.5.2"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[138854,2061,2469],"plugin_category":[38],"plugin_contributors":[185638],"plugin_business_model":[],"class_list":["post-121243","plugin","type-plugin","status-publish","hentry","plugin_tags-azure-ad","plugin_tags-oauth","plugin_tags-sso","plugin_category-authentication","plugin_contributors-qlcvea","plugin_committers-qlcvea"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/sso-for-azure-ad.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"\n

This plugin allows users to authenticate to a site with an Azure AD account using OAuth.<\/p>\n\n

This plugin requires an app registration in the Azure AD portal.<\/p>\n\n

Warning<\/strong>: guest users and users created with a linked Microsoft account may lead to strange behavior. See the \"How are AD users matched to site users?\" FAQ for more information.<\/p>\n\n

Not affiliated with or approved by Microsoft.<\/p>\n\n\n

After installing the plugin, an application must be created in Azure AD to allow for authentication.<\/p>\n\n

    \n
  1. In the plugin's settings (Settings -> SSO for Azure AD), make a note of the Redirect URL displayed in the \"Endpoints\" section.<\/li>\n
  2. In the Azure AD admin panel for your directory, select \"New registration\".<\/li>\n
  3. Enter a name. This will be visible to users.
    \nNote: unless you know you need to change this option, leave \"Supported account types\" set to \"Accounts in this organizational directory only\".<\/li>\n
  4. Under \"Redirect URI\", select \"Web\" and enter the Redirect URL that you copied earlier.
    \nIf the \"URL may not contain a query string\" error appears, please see the dedicated FAQ entry for that error.<\/li>\n
  5. Select \"Register\".<\/li>\n
  6. Make a note of the \"Application (client ID)\" and the \"Directory (tenant) ID\".<\/li>\n
  7. Select \"Certificates & secrets\".<\/li>\n
  8. Select \"New client secret\"<\/li>\n
  9. Enter a description and select an expiration, then select \"Add\".\nNote: if you select any option other than \"Never\", do not forget to create a new client secret and change it in the plugin settings before the current one expires!<\/li>\n
  10. Make a note of the client secret.<\/li>\n
  11. In the plugin's settings, enter the values noted down earlier in the corresponding fields and save your changes.<\/li>\n<\/ol>\n\n\n
    \n

    Why is the \"Login with Azure AD\" button not visible on my site's login page?<\/h3><\/dt>\n

    The login button will not be displayed until the plugin has been fully configured.<\/p>\n\n

    Make sure that the following options are configured and valid inside the plugin's settings (Settings -> SSO for Azure AD):\n1. Application (client) ID\n2. Client secret\n3. Directory (tenant) ID<\/p><\/dd>\n

    How are AD users matched to site users?<\/h3><\/dt>\n

    The plugin will look for a user whose email address is the same as their email address on Azure AD.<\/p>\n\n

    For example, when the user who logs in to Azure AD by entering user@example.com<\/code> logs in to the site, the plugin will look for a user with the email address user@example.com<\/code>.<\/p>\n\n

    Warning<\/strong>: guest users and users created with a linked Microsoft account may have a different format. For example, user@guestexample.com<\/code> may become user_guestexample.com#EXT#@example.onmicrosoft.com<\/code>. (In some situations, the #<\/code> characters may be removed.)<\/p><\/dd>\n

    What happens when an AD user who does not have an account on the site attempts to log in?<\/h3><\/dt>\n

    The behavior for this case is configurable.<\/p>\n\n

    In the \"Login options\" section of the plugin's settings (Settings -> SSO for Azure AD), there is an option named \"Create new users if they don't already exist\".<\/p>\n\n

    If it is enabled, when a user logs in and the plugin cannot find the corresponding site user, a new one will be created.
    \nBy default, the user will be created with the same role as new site signups. This can be changed in the \"Role for new profiles\".<\/p>\n\n

    The plugin can also automatically fill the user's name on the new account by enabling the \"Generate user profiles automatically\" option.<\/p>\n\n

    The plugin will set the user's username to be their email address.
    \nAlternatively, the email domain can be removed (user@example.com<\/code> -> user<\/code>) by enabling the \"Create usernames without domain name\" option.
    \nWarning<\/strong>: if multiple users have the same name but different domain names (user@1.example.com<\/code> and user@2.example.com<\/code>) enabling this option may cause conflicts.<\/p>\n\n

    If it is disabled, when a user logs in and the plugin cannot find the corresponding site user, the following error message will be displayed: \"Your account has not been registered on this site. Please contact your administrator.\"<\/p><\/dd>\n

    How can I add the site administration panel to the Azure application list?<\/h3><\/dt>\n

    To add the site administration panel to the Azure application list, copy the \"Homepage\/Login URL\" displayed in the \"Endpoints\" section of the plugin's settings (Settings -> SSO for Azure AD).<\/p>\n\n

    This URL must be pasted in the \"Home page URL\" field in the \"Branding\" section of your app registration on the Azure AD portal.<\/p><\/dd>\n

    Error while setting up on Azure AD: \"URL may not contain a query string\"<\/h3><\/dt>\n

    In some cases, Azure may reject the callback URL provided by the plugin with the error \"URL may not contain a query string\".<\/p>\n\n

    In this case, URL rewrites are required. In the plugin settings page, enable \"Use rewrites\" and save.<\/p>\n\n

    The callback and login\/homepage URLs listed in the plugin settings will change. These new URLs do not contain a query string and should therefore work.<\/p>\n\n

    Warning<\/strong>: if you had previously referenced the callback URL with a query string, those references must be changed to the new value displayed in the plugin settings.<\/p><\/dd>\n\n<\/dl>\n\n\n

    1.0.0<\/h4>\n\n

    First release<\/p>\n\n

    1.1.0<\/h4>\n\n