Support for multitenant apps (SAML 2.0)

Use this guide if you want to configure support for the multi-tenancy feature of Azure Active Directory applications and enable it for the WordPress + Office 365 plugin. You can use the multi-tenancy capability of Azure AD to allow accounts from one, some or all Microsoft Azure AD tenants to access your WordPress website.

Please note Should you need to grant access to your WordPress site exclusively to users from a select few Azure Active Directories, consider configuring WPO365 to support multiple Identity Providers instead.

Please note Even though WPO365 supports the SAML 2.0 protocol for use with Azure AD's multi-tenancy feature, there are a few drawbacks. For example, we were not able to receive a user's email claim as part of the SAML response.

Before you start

App registration

  • In Entra Portal click to expand the Identity menu.
  • Navigate to Applications > Enterprise Applications.
  • Select the Enterprise application that you created when you configured SAML 2.0 based Single Sign-on (SSO).
  • From the Overview page, copy the Application ID.

  • Navigate from Enterprise Applications to App registrations.
  • Select the tab All applications and search for the App registration using the Application ID that you just copied.
  • Click the application's Display name to configure it.

  • On the App registration's Authentication page, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) under Supported account types.

  • Continue to the App registration's API Permissions page.
  • Click + Add a permission and select Microsoft Graph > Delegated permissions > User.Read.

  • Click Add permissions to save your changes.
  • Finally, click Grant admin consent for ...

Please note If the Grant admin consent for ... button is greyed out, you do not have sufficient permissions to continue. Since this step is mandatory, you must contact your Global Administrator and ask for help.

Plugin configuration

Perform the following steps to configure WPO365 to allow users from other tenants to sign into your WordPress website with their Microsoft account.

Single Sign-on
  • Navigate to WP Admin > WPO365 > Single Sign-on and verify that you have already configured SAML 2.0 based Single Sign-on.
  • Scroll down to the section SAML 2.0 IdP Metadata and change the value IdP - Single Sign-on Service URL by replacing the tenant ID with the term "common".
  • Scroll further down to the section labelled SSO related options and check the option Allow users from other tenants (support AAD multi-tenancy).

  • Scroll down and click Save configuration.

User registration

You can restrict access to your website to users coming from selected tenants and / or domains.
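Once the IdP URL points at the "common" endpoint, any Azure AD tenant can produce a correctly signed SAML response, so the tenant and domain restriction is what keeps the site from becoming open to every Microsoft account. The following Python snippet is an added illustration of that check and is not WPO365 code; it assumes the response signature has already been validated, uses a constructed unsigned sample response, and reads the tenant from the assertion Issuer (https://sts.windows.net/<tenant-id>/), the tenantid claim and the UPN claim that Azure AD emits by default.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STS_PREFIX = "https://sts.windows.net/"  # Azure AD assertion Issuer is this + <tenant-id>/
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed, unsigned sample of the shape Azure AD returns via the /common endpoint.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@contoso.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def extract_identity(saml_response_xml):
    """Return (issuer_tenant, tenantid_claim, upn). Assumes the XML signature
    on the response/assertion was already verified before this is called."""
    assertion = ET.fromstring(saml_response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return "", "", ""
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    issuer_tenant = issuer[len(STS_PREFIX):].strip("/") if issuer.startswith(STS_PREFIX) else ""
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
              for a in assertion.findall(".//saml:Attribute", NS)}
    return issuer_tenant, claims.get(TENANT_CLAIM, ""), claims.get(UPN_CLAIM, "")

def is_allowed(saml_response_xml, allowed_tenants=None, allowed_domains=None):
    """Enforce the tenant/domain allowlist. None means that list is not enforced;
    an empty set means nobody passes (fail closed rather than fail open)."""
    issuer_tenant, tenant_claim, upn = extract_identity(saml_response_xml)
    # With /common every Azure AD tenant can sign a valid response, so the signed
    # Issuer is the trust anchor; the tenantid claim must agree with it.
    if not issuer_tenant or issuer_tenant != tenant_claim.strip():
        return False
    if allowed_tenants is not None and issuer_tenant not in allowed_tenants:
        return False
    domain = upn.rpartition("@")[2].strip().lower()
    if allowed_domains is not None and domain not in allowed_domains:
        return False
    return True
```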

Test and Troubleshoot

To test your multi-tenant app you can log on with a (test) user that is a member of a different Azure AD tenant.

  • Navigate to the plugin's wizard WP Admin > WPO365 > Plugin self-test.
  • Click Start self-test and, when asked, sign in with a Microsoft 365 account from another tenant.
  • Inspect the results once the test completes and ensure that at least the first three test cases passed without errors.
  • You can view the SAML response by clicking the corresponding link for the test case SAML response has been processed and no errors occurred.
