Enable integration with Microsoft Services

Use this guide if you want to configure the integration capability of the WordPress + Office 365 plugin so that it can request the access tokens needed to request data from Microsoft Services such as Microsoft Graph, SharePoint Online and Power BI (also see the following video https://youtu.be/0gUd5LUmgag).

Introduction

To enable integration with Microsoft Services such as Yammer, SharePoint Online and Power BI you must enable WordPress (with the help of the WPO365 | LOGIN plugin) to 

  • Either authenticate and authorize the currently logged-in user (= delegated access)
  • Or authenticate and authorize itself without a logged-in user present (= application access).

Enabling the WPO365 plugin to integrate with Microsoft Services can be achieved in five steps.

  1. Register your application (= WordPress website) in Azure AD by creating an App registration.
  2. Allow it to issue access tokens (= the authorization that must be presented each time data is requested from a Microsoft Service).
  3. Grant (API) Permissions (= configure the API endpoints that may be accessed with the access token).
  4. Create a Client secret (= effectively the password that you must send along with the App registration's Application (client) ID when requesting an access token).
  5. Update the plugin's configuration to connect to the App registration.

Before you start

  • You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
  • You are an Administrator for your WordPress website.

Step 1 - App registration

If you already configured the Single Sign-on capability of the plugin then you already created an App registration in Azure AD. Go to WP Admin > WPO365 > Single Sign-on and click the link View in portal to view the App registration in Azure Portal.

If you haven't yet created an App registration, e.g. because you do not intend to configure Single Sign-on, create one by performing the following steps.

  • In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
  • Navigate to Azure Active Directory > App registrations.
  • Click + New registration.
  • When the Register an application page appears, enter your application’s registration information.
    • Name Enter a meaningful application name that will be displayed to users of the app.
    • Supported account types Select which accounts you would like your application to support (most likely Accounts in this organizational directory only)
    • Platform configuration (Optional) Do not select a platform
  • Click Register to create the secondary App registration in Azure AD.
Please note that if you intend to configure Single Sign-on, you must do that first and then come back to enable the integration with Microsoft Services, reusing the App registration you created for Single Sign-on.

Step 2 - Allow issuing of access tokens

Perform the following steps to allow the App registration to issue access tokens.

  • Navigate to your App registration from the previous step.
  • Click Authentication from the 'App registration' menu on the left.
  • Scroll down to Implicit grant and check Access tokens (used for implicit flows) for the plugin to request such tokens from Microsoft.

Step 3 - API Permissions

  • Navigate to your App registration from the previous step.
  • Click API permissions from the 'App registration' menu on the left.
  • Now click + Add permission and add permissions using the table below, which lists the required permissions on a per-feature basis.
  • Once you have added all necessary permissions you must click Grant admin consent for your tenant.
Feature / Delegated permissions / Application permissions

  • Single Sign-on: delegated Open ID Connect permissions email, openid, profile and User.Read; application permissions: -
  • User profile *: User.Read.All
  • Sending email using Microsoft Graph: Mail.Send
  • User synchronization **: User.Read.All
  • Roles + Access: Group.Read.All
  • Avatar: User.Read.All
  • Custom User Fields: User.Read.All
  • Gutenberg Blocks | Documents: Sites.Read.All
  • M365 APPS | Employee Directory: User.Read.All
  • M365 APPS | SharePoint Online: SharePoint Sites.Search.All
  • M365 APPS | Documents: Sites.Read.All
  • M365 APPS | Yammer: Yammer user_impersonation
  • M365 APPS | Power BI (User owns data): Power BI Service Dashboard.Read.All, Dataset.Read.All and Report.Read.All
  • Azure AD User provisioning ** (SCIM based): User.Read.All
Please note that all permissions in the previous table are Microsoft Graph permissions, unless indicated differently.

* If you only want to update a user's first name, last name, display name and email address each time a user interactively signs into your WordPress website, then you do not need to configure any additional API permissions.
** Optionally you may have to add the Group.Read.All application permission to support the included Roles + Access feature, if configured.

Note the difference between Delegated permissions and Application permissions when adding permissions.

All permissions for all features supported by WPO365 plugins, extensions and bundles.

Before you continue to step 4, make sure that you have clicked Grant admin consent for your tenant or else the integration will not work as expected.
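Once the plugin has retrieved an access token (for example during the Plugin self-test), you can confirm that the permissions from the table were actually granted, and whether each arrived as a delegated permission (the token's scp claim) or an application permission (the roles claim). This is an added example, not code from the plugin; the feature table is a subset of the one above and the token used in the test is a constructed, unsigned sample.

```python
import base64
import json

# Subset of the Step 3 table: required permissions per feature (Microsoft Graph
# permissions). In an Azure AD access token, delegated permissions appear in the
# "scp" claim (space-separated) and application permissions in the "roles" claim.
FEATURE_PERMISSIONS = {
    "Single Sign-on": ["email", "openid", "profile", "User.Read"],
    "User profile": ["User.Read.All"],
    "User synchronization": ["User.Read.All"],
    "Roles + Access": ["Group.Read.All"],
    "Gutenberg Blocks | Documents": ["Sites.Read.All"],
}

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.
    Only for inspecting a token you obtained yourself (e.g. after the self-test);
    never use an unverified token to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_feature(token: str, feature: str) -> dict:
    """Map each permission the feature needs to how the token carries it:
    'delegated' (scp), 'application' (roles) or 'missing' (consent not granted)."""
    claims = token_claims(token)
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    result = {}
    for perm in FEATURE_PERMISSIONS[feature]:
        if perm in delegated:
            result[perm] = "delegated"
        elif perm in application:
            result[perm] = "application"
        else:
            result[perm] = "missing"
    return result

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none', empty signature) for offline tests."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

A permission reported as "missing" for a feature you enabled usually means admin consent was not granted, or the permission was added in the wrong category (delegated versus application).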

Step 4 - Certificates & Secrets

  • Click Certificates & Secrets from the 'App registration' menu on the left.
  • Click + New client secret.
  • Optionally you can give the new secret a name that helps you remember it later and choose an expiry date e.g. 24 Months.
  • Copy the secret's Value (not its ID) and temporarily paste it in a text file as soon as you save it. You won’t be able to retrieve it later.

Step 5 - Plugin configuration

  • Navigate to the Integration page of the plugin’s wizard and paste the Application (client) secret that you created in the previous step in the corresponding field in the Delegated access section.
  • If you have configured any application permissions during Step 3 - API Permissions then you must scroll down to the Application access section and perform the following steps.
    • Check the option to Use App-only token.
    • Also check the option immediately below it to Use existing App registration.
Please note that it is also possible to create a 2nd App registration to keep delegated and application permissions separated. In an attempt to simplify things, however, it is now recommended (and supported by the plugin starting with version 15.2) to use only 1 App registration. If you still would like to create a 2nd App registration you can follow the steps explained in Step 1 - App registration.
  • Select your preferred Microsoft Graph version (recommended is Beta).
  • Enable WPO365 API for Microsoft Graph if you're planning on using the Documents Gutenberg Block or User synchronization.
  • Enable the Token service if you’re planning on deploying any of the client-side apps that ship with the plugin e.g.
    • Content by Search (SharePoint Online)
    • Documents (SharePoint Online / OneDrive)
    • Employee Directory (Microsoft Graph)
    • Embedded Power BI
  • Enable the Check nonce for improved security.
  • Click Delete tokens to ensure that all existing access tokens are deleted and any changes you made are reflected in fresh tokens retrieved from the Azure AD endpoint.

Plugin self-test

Perform the following steps to check your configuration.

  • Click Plugin self-test from the plugin's wizard menu.
  • Click Start self-test to check the current configuration and the plugin’s ability to retrieve a valid access token.
As soon as the self-test starts, ‘Test mode’ is activated. During this time the plugin is not protecting your website. The plugin will now try to sign in using Microsoft and you may be prompted by Microsoft to sign in. Please be aware that at no time is your authentication input shared with (y)our website or the plugin: all information you enter is only ever shared with Microsoft.
  • Once the self-test is finished (during the self-test the page may be reloaded) you will see the test results. You can click on each entry in the list to view the full details incl. category, severity and a proposed resolution to fix the issue.