Entra External ID (Azure AD for Customers) based single sign-on for WordPress

Introduction

Use this guide if you want to configure the Entra External ID (Azure AD for Customers) based single sign-on capability of WPO365.

Recently Microsoft has introduced their next generation Customer Identity Access Management platform  Microsoft Entra External ID, also known as Azure Active Directory (Azure AD) for Customers. Check out this article if you want to read more about this exciting new platform. Even though this platform is still in preview, it can already be created and configured. WPO365 has already added support for this new platform and implemented many of the features it supports e.g. Single Sign-on and User synchronization for Azure AD B2C for Azure AD for Customers. 

What you can expect

When you configure the WPO365 | LOGIN plugin to use Entra External ID (Azure AD for Customers) as your Identity Provider (IdP), the WPO365 | LOGIN plugin will redirect users to the corresponding endpoint for authorization and to obtain an ID token.

https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/<tenant-name>/oauth2/v2.0/authorize

Before you start

• You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
• You are a Global Administrator for your Azure AD B2C tenant (or you have at least obtained approval for your plans from a Global Administrator ).
• You are an Administrator for your WordPress website.
• Your website uses SSL and the internet address starts with https://.

Entra External ID (Azure AD for Customers)

The steps to create a new Entra External ID (Azure AD for Customers) preview tenant are basically beyond the scope of the WPO365 documentation. The following steps, however, are presented as a reference implementation and do not customize the user experience / branding. Some remarks are added that outline important steps that you should use to verify your own setup.

• Create an Entra External ID (Azure AD for Customers) tenant (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-create-customer-tenant-portal).
• Register your WordPress website in the new tenant by creating an App registration (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-register-ciam-app?tabs=webapp). Please ensure that you completed the following steps
  • Register a web application and as Redirect URI you must enter your website's URI with a trailing "/" if you configured WordPress permalinks e.g. https://www.wpo365.com/.
  • Create a client secret and make sure to copy the secret's Value and not the secret's ID and save if temporarily in a text editor (you cannot retrieve it once you navigate away from the page).
• Create a sign-in and sign-up User Flow (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-user-flow-sign-up-sign-in-customers). Check this answer https://learn.microsoft.com/en-us/answers/questions/1341175/entra-azure-ad-for-customers-can-i-disable-sign-up from Microsoft in case you would like to disable the sign-up flow.
• Add the application that you registered before to the User Flow (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-user-flow-add-application).
• Enable password reset (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-enable-password-reset-customers). 
• Alternatively, however, you can configure the mail authentication method / Identity Provider to send users a so-called One Time Passcode. 

Plugin configuration

Proceed with the following steps to configure the WPO365 | LOGIN plugin to allow users to sign in with Entra External ID (Azure AD for Customers), as soon as you have have completed the steps outlined in the previous section.

• Go to WordPress Admin > WPO365 > Single Sign-on.
• As Identity Provider (IdP) select Entra External ID (AAD for Customers).
• As SSO protocol select OpenID Connect.
• As OpenID Connect flow select Auth.-code (recommended).
• In another browser tab open Entra Portal and select your Entra External ID tenant  (Azure AD for Customers) (see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/how-to-create-customer-tenant-portal#get-the-customer-tenant-details for details steps). 
• Navigate to Applications > App registrations and search for the App registration that you created when you registered your WordPress website as an application.
• Go to the application registration’s Overview page and copy the Directory (tenant) ID and paste it into the corresponding field on the plugin’s Single Sign-on configuration page in the first browser tab.
• Repeat the previous step and copy the Application (client) ID and paste it into the corresponding field on the plugin’s Single Sign-on configuration page.
• Now it's time to retrieve the Application (client) secret that you created before and that you temporarily saved, for example in a text editor. Paste the secret in the corresponding field on the plugin's Single Sign-on configuration page.
• Switch back to the browser and open the Authentication page of your App registration.
• Ensure that the Redirect URI entered here matches exactly with the Redirect URI that you have entered / is automatically proposed on the plugin's wizard Single Sign-on page.
• Now return to Entra Portal's Overview page. Here you can select Manage tenants. This will load a tabular view that summarizes the most important properties of your Entra tenants.
• Select your Customers tenant and copy the (first segment) of the Domain name e.g. wpo365customers when the domain name is shown as wpo365customers.onmicrosoft.com (the values used here are just an example and your tenant will be named differently) and paste it into the corresponding field AAD B2C / Entra Ext. ID domain name on the plugin's Single Sign-on configuration page.

The highlighted fields must be reflect the values for your installation. Do not use the values provided in this example.

• To test the configuration go to WordPress Admin > WPO365 > Plugin self-test and click Start test.

Send WordPress emails using Microsoft Graph

Since WPO365 separates the Azure AD instance used for SSO, from the one used to send WordPress emails using Microsoft Graph, you can still configure WPO365 to send emails using Microsoft Graph from an account located in your "home" (workforce) Azure AD tenant.

To configure WordPress to send emails using Microsoft Graph go to  WP Admin > WPO365 > Mail and check out this article for guidance.

Unsupported features

At this point in time, Entra External ID (Azure AD for Customers) does not offer support for a custom login domain (e.g. login.contoso.com instead of customers.ciamlogin.com). As a result, offering an embedded login experience is also not supported. Also the use of multiple User Flows and redirecting users to a User Flow's endpoint e.g. to update a profile, reset a password or to sign-up instead of sign-in or sign-up is not supported.