Entra External ID (Azure AD for Customers) based single sign-on for WordPress


Use this guide if you want to configure the Entra External ID (Azure AD for Customers) based single sign-on capability of WPO365.

Recently Microsoft has introduced their next generation Customer Identity Access Management platform, Microsoft Entra External ID, also known as Azure Active Directory (Azure AD) for Customers. Check out this article if you want to read more about this exciting new platform. Even though this platform is still in preview, it can already be created and configured. WPO365 has already added support for this new platform and implemented many of the features it supports, e.g. Single Sign-on and User synchronization for Azure AD B2C for Azure AD for Customers.

Please note If you are considering implementing Azure AD B2C at this point in time, then you should first review the features currently offered by Azure AD for Customers and make a fundamental decision whether or not to implement this new platform instead.

What you can expect

When you configure the WPO365 | LOGIN plugin to use Entra External ID (Azure AD for Customers) as your Identity Provider (IdP), the WPO365 | LOGIN plugin will redirect users to the corresponding endpoint for authorization and to obtain an ID token.


Please note The premium addon WPO365 | CUSTOMERS will allow you to map additional (custom) claims in the authentication result (the so-called OAuth ID token) to WordPress user profile fields. Consult this article for steps to accomplish this (scroll down to the paragraph Mapping (custom) claims to WordPress usermeta and vice versa).

Before you start

  • You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
  • You are a Global Administrator for your Azure AD B2C tenant (or you have at least obtained approval for your plans from a Global Administrator).
  • You are an Administrator for your WordPress website.
  • Your website uses SSL and the internet address starts with https://.

Please note When you configure Entra External ID (Azure AD for Customers) based single sign-on (as opposed to regular Azure AD based single sign-on) some capabilities may no longer work as expected e.g. Microsoft 365 Apps, Roles + Access or User synchronization. 

Entra External ID (Azure AD for Customers)

The steps to create a new Entra External ID (Azure AD for Customers) preview tenant are basically beyond the scope of the WPO365 documentation. The following steps, however, are presented as a reference implementation and do not customize the user experience / branding. Some remarks are added that outline important steps that you should use to verify your own setup.

Plugin configuration

Once you have completed the steps outlined in the previous section, proceed with the following steps to configure the WPO365 | LOGIN plugin to allow users to sign in with Entra External ID (Azure AD for Customers).

  • Go to WordPress Admin > WPO365 > Single Sign-on.
  • As Identity Provider (IdP) select Entra External ID (AAD for Customers).
  • As SSO protocol select OpenID Connect.
  • As OpenID Connect flow select Auth.-code (recommended).
  • In another browser tab open Entra Portal and select your Entra External ID tenant (Azure AD for Customers) (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-create-customer-tenant-portal#get-the-customer-tenant-details for detailed steps).
  • Navigate to Applications > App registrations and search for the App registration that you created when you registered your WordPress website as an application.
  • Go to the application registration’s Overview page and copy the Directory (tenant) ID and paste it into the corresponding field on the plugin’s Single Sign-on configuration page in the first browser tab.
  • Repeat the previous step and copy the Application (client) ID and paste it into the corresponding field on the plugin’s Single Sign-on configuration page.
  • Now it's time to retrieve the Application (client) secret that you created before and that you temporarily saved, for example in a text editor. Paste the secret in the corresponding field on the plugin's Single Sign-on configuration page.
  • Switch back to the browser and open the Authentication page of your App registration.
  • Ensure that the Redirect URI entered here matches exactly with the Redirect URI that you have entered / is automatically proposed on the plugin's wizard Single Sign-on page.
  • Now return to Entra Portal's Overview page. Here you can select Manage tenants. This will load a tabular view that summarizes the most important properties of your Entra tenants.
  • Select your Customers tenant and copy the first segment of the Domain name, e.g. wpo365customers when the domain name is shown as wpo365customers.onmicrosoft.com (the values used here are just an example and your tenant will be named differently), and paste it into the corresponding field AAD B2C / Entra Ext. ID domain name on the plugin's Single Sign-on configuration page.

The highlighted fields must reflect the values for your installation. Do not use the values provided in this example.

  • To test the configuration go to WordPress Admin > WPO365 > Plugin self-test and click Start test.

Please note For the time being, WPO365 will execute the Azure AD B2C test cases. New test cases specifically targeting Entra External ID (Azure AD for Customers) will be added soon. 
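
The values copied in the steps above can be checked for the most common mistakes (a full domain name instead of its first segment, a Redirect URI that is not an exact match) before running the self-test. The following Python is an added example, not WPO365 code: the function names and sample values are constructed, and the endpoint layout `https://<domain>.ciamlogin.com/<tenant ID>/oauth2/v2.0/authorize` is an assumption based on Microsoft's documented authority format for customer tenants.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SEGMENT = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def check_settings(tenant_id, client_id, domain, plugin_redirect, registered_redirect):
    """Return a list of problems found in the values copied during configuration."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("Directory (tenant) ID is not a GUID")
    if not GUID.match(client_id):
        problems.append("Application (client) ID is not a GUID")
    if not SEGMENT.match(domain.lower()):
        problems.append("domain name must be the first segment only, e.g. "
                        "wpo365customers, not wpo365customers.onmicrosoft.com")
    if urlsplit(plugin_redirect).scheme != "https":
        problems.append("Redirect URI must start with https://")
    if plugin_redirect != registered_redirect:  # compared character by character
        problems.append("Redirect URI differs from the App registration")
    return problems


def build_authorize_url(tenant_id, client_id, domain, redirect_uri, state=None, nonce=None):
    """Build an auth-code authorization request (assumed ciamlogin.com layout)."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state or secrets.token_urlsafe(16),  # fresh random value per request
        "nonce": nonce or secrets.token_urlsafe(16),
    })
    return f"https://{domain.lower()}.ciamlogin.com/{tenant_id}/oauth2/v2.0/authorize?{query}"


# Constructed sample values, not taken from a real tenant.
SAMPLE = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "domain": "wpo365customers",
}

if __name__ == "__main__":
    uri = "https://www.example.com/"
    print(check_settings(**SAMPLE, plugin_redirect=uri, registered_redirect=uri))
    print(build_authorize_url(**SAMPLE, redirect_uri=uri))
```

An empty list from `check_settings` means the copied values are well-formed; it does not confirm that the tenant or App registration exists.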

Send WordPress emails using Microsoft Graph

Since WPO365 separates the Azure AD instance used for SSO, from the one used to send WordPress emails using Microsoft Graph, you can still configure WPO365 to send emails using Microsoft Graph from an account located in your "home" (workforce) Azure AD tenant.

To configure WordPress to send emails using Microsoft Graph go to WP Admin > WPO365 > Mail and check out this article for guidance.

Unsupported features

At this point in time, Entra External ID (Azure AD for Customers) does not offer support for a custom login domain (e.g. login.contoso.com instead of customers.ciamlogin.com). As a result, offering an embedded login experience is also not supported. Also, the use of multiple User Flows and redirecting users to a User Flow's endpoint, e.g. to update a profile, reset a password or to sign-up instead of sign-in or sign-up, is not supported.

Tip Azure AD B2C does support all of these features. But keep in mind that the next generation Microsoft Entra External ID platform represents the future of CIAM for Microsoft, and rapid innovation, new features and capabilities will be focused on this platform. 
