Support for multitenant apps (SAML 2.0)
Use this guide if you want to configure support for the multi-tenancy feature of Azure Active Directory applications and enable it for the WordPress + Office 365 plugin. You can use the multi-tenancy capability of Azure AD to allow accounts from one, some or all Microsoft Azure AD tenants to access your WordPress website.
Please note: Should you need to grant access to your WordPress site exclusively to users from a select few Azure Active Directories, consider configuring WPO365 to support multiple Identity Providers instead.
Please note: Even though WPO365 supports the SAML 2.0 protocol for use with Azure AD's multi-tenancy feature, there are a few drawbacks. For example, we were not able to receive a user's email claim as part of the SAML response.
Before you start
- You are fully aware of the risks involved and that misconfiguration can lead to full account take-over.
- You have purchased a premium extension, for example WPO365 | LOGIN+ to be able to support the Azure AD multi-tenancy feature (or any of the bundles WPO365 | CUSTOMERS, WPO365 | SYNC or WPO365 | INTRANET).
- You understand the difference between Azure Active Directory Guest users and users from another organizational directory (see https://www.wpo365.com/guest-users-or-multi-tenant/ for details).
- You must already have configured the SAML 2.0 based single sign-on capability of the WordPress + Office 365 plugin.
- You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
- You are an Administrator for your WordPress website.
App registration
- In the Entra Portal, click to expand the Identity menu.
- Navigate to Applications > Enterprise Applications.
- Select the Enterprise application that you created when you configured SAML 2.0 based Single Sign-on (SSO).
- From the Overview page, copy the Application ID.
- Navigate from Enterprise Applications to App registrations.
- Select the tab All applications and search for the App registration using the Application ID that you just copied.
- Click the application's Display name to configure it.
- On the App registration's Authentication page, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) under Supported account types.
- Continue to the App registration's API Permissions page.
- Click + Add a permission and select Microsoft Graph > Delegated permissions > User.Read.
- Click Add permissions to save your changes.
- Finally, click Grant admin consent for ...
Please note: If Grant admin consent for ... is greyed out, you do not have sufficient permissions to continue. Since this step is mandatory, you must contact your Global Administrator and ask for help.
Plugin configuration
Perform the following steps to configure WPO365 to allow users from other tenants to sign into your WordPress website with their Microsoft account.
Single Sign-on
- Navigate to WP Admin > WPO365 > Single Sign-on and verify that you have already configured SAML 2.0 based Single Sign-on.
- Scroll down to the section SAML 2.0 IdP Metadata and change the value IdP - Single Sign-on Service URL to https://login.microsoftonline.com/common/saml2 by replacing the tenant ID with the term "common".
- Scroll further down to the section labelled SSO related options and check the option Allow users from other tenants (support AAD multi-tenancy).
- Scroll down and click Save configuration.
User registration
You can restrict access to your website to users coming from selected tenants and / or domains.
- Navigate to WP Admin > WPO365 > User registration.
- Restrict access to users from specific domains only by adding those domains to the list of Allowed (login) domains (see https://docs.wpo365.com/article/43-domain-whitelist for details).
- Restrict access to users from specific tenants only by adding those tenant directory IDs to the list of Allowed "other" tenants (see https://docs.wpo365.com/article/205-allowed-other-tenants for details).
- Scroll down and click Save configuration.
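These two allowlists are what keeps the shared "common" endpoint from turning every Azure AD tenant into a valid identity source for your site. The Python below is an added example, not WPO365 plugin code, that models the check a relying party has to make after the IdP URL is switched to "common": it parses a constructed (unsigned) SAML response, takes the tenant from the assertion's Issuer (https://sts.windows.net/{tenant}/), cross-checks it against the tenantid claim, and then applies the Allowed "other" tenants and Allowed (login) domains lists. The user's domain is taken from the name (UPN) claim rather than an email claim, because the note at the top says the email claim was not received in this setup; that the name claim carries the UPN, and all tenant IDs and user names, are assumptions, and signature validation of the response is assumed to have already happened before this check runs.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim names found in Azure AD SAML tokens. The tenantid claim is documented;
# that the name claim carries the UPN (user@domain) is an assumption here.
TENANT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Azure AD issues assertions as https://sts.windows.net/<tenant id>/
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")


def build_sample_response(tenant_id, upn):
    """Constructed, unsigned, minimal SAML response used only for this demonstration."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{tenant_id}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/{tenant_id}/</saml:Issuer>
    <saml:Subject><saml:NameID>{upn}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{TENANT_ID_CLAIM}"><saml:AttributeValue>{tenant_id}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{NAME_CLAIM}"><saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(saml_xml):
    """Return (issuer tenant id, {claim name: value}) from the assertion, or raise ValueError."""
    root = ET.fromstring(saml_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    match = ISSUER_RE.match(issuer)
    if not match:
        raise ValueError(f"unexpected issuer {issuer!r}")
    attrs = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return match.group(1), attrs


def authorize(saml_xml, home_tenant, allowed_tenants=(), allowed_domains=()):
    """Decide whether a multi-tenant sign-in may proceed. Returns (ok, reason).

    - the site's own (home) tenant is always accepted;
    - any other tenant only if it is listed in allowed_tenants (empty = no tenant restriction);
    - the UPN domain must be in allowed_domains when that list is non-empty.
    """
    try:
        tenant, attrs = extract_claims(saml_xml)
    except ValueError as err:
        return False, str(err)
    # Defence in depth: the issuer and the tenantid claim must name the same tenant.
    if attrs.get(TENANT_ID_CLAIM) != tenant:
        return False, "issuer and tenantid claim disagree"
    if tenant != home_tenant and allowed_tenants and tenant not in allowed_tenants:
        return False, f"tenant {tenant} is not an allowed other tenant"
    upn = attrs.get(NAME_CLAIM, "")
    domain = upn.rpartition("@")[2].lower()
    if not domain:
        return False, "no UPN domain in assertion"
    if allowed_domains and domain not in {d.lower() for d in allowed_domains}:
        return False, f"domain {domain} is not an allowed login domain"
    return True, f"{upn} from tenant {tenant} accepted"


# Constructed tenant IDs for the demonstration
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
UNLISTED_TENANT = "33333333-3333-3333-3333-333333333333"

if __name__ == "__main__":
    allowed = (PARTNER_TENANT,)
    domains = ("contoso.example", "fabrikam.example")
    for tenant, upn in [(HOME_TENANT, "alice@contoso.example"),
                        (PARTNER_TENANT, "bob@fabrikam.example"),
                        (UNLISTED_TENANT, "eve@fabrikam.example"),
                        (PARTNER_TENANT, "bob@elsewhere.example")]:
        print(authorize(build_sample_response(tenant, upn), HOME_TENANT, allowed, domains))
```

With both lists empty the function accepts any tenant, which is exactly the state of a site that enabled "Allow users from other tenants" without filling in the User registration lists; populate at least one of them before exposing the login.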
Test and Troubleshoot
To test your multi-tenant app you can log on with a (test) user that is a member of a different Azure AD tenant.
- Navigate to the plugin's wizard WP Admin > WPO365 > Plugin self-test.
- Click Start self-test and, when asked, sign in with a Microsoft 365 account from another tenant.
- Inspect the results once the test completes and ensure that at least the first three test cases passed without errors.
- You can view the SAML response by clicking the corresponding link for the test case SAML response has been processed and no errors occurred.