Authentication scenario

Usage The plugin basically supports two authentication scenarios:

  • Intranet

Access to WP Admin and all published pages and posts requires authentication, since a corporation normally would not allow anonymous internet users to read internal corporate information.

  • Internet

Access to WP Admin requires authentication but all published pages and posts are available for anonymous internet users.

When you change the authentication scenario to Internet, the List of pages freed from authentication will disappear (professional, premium and intranet version only) and instead you can configure Private Pages.


When you selected the Intranet authentication scenario, the plugin will also block any requests to the WordPress REST API - for example to /wp-json/wp/v2/posts. If you have applications or plugins that need to fetch data from the WordPress REST API, you must add the default WP REST URL prefix - for example /wp-json/ - or a specific endpoint - for example /wp-json/wp/v2/posts - to the list of Pages freed from authentication.

Alternatively, you can keep the plugin blocking all requests to any WordPress REST API endpoint, unless the incoming request presents a BASIC AUTH header by checking the option  Skip WordPress REST API requests with BASIC AUTH header (also on the plugin's Single Sign-on configuration page).

Last but not least you can allow access to all WordPress REST API endpoints by adding the default WP REST URL prefix /wp-json/ to the list of Pages freed from authentication and instead configure a more granular authorization concept on the plugin's Integration configuration page - for example using Microsoft AD generated access tokens.


None of the authentication scenario's will enforce authentication for (otherwise anonymous) users who try to download media uploaded by authors to /wp-content/upload. Please refer to this guide for instructions on how to enforce authentication for folders below the /wp-content web directory.

Premium scenarios: Secured by Azure Active Directory (authenticate-only)

Starting with v16 the following two new authentication scenarios have been added:

  • Intranet (auth. only)
  • Internet (auth. only)

These scenarios will be unlocked by the WPO365 | LOGIN+, WPO365 | PREMIUM and WPO365 | INTRANET extensions / bundles (see our website for details and pricing). The two scenarios work in most ways similar to their counterparts with one important exception: Website visitors are required to sign in with Microsoft but are not automatically signed in as WordPress users. If you intend to select one of these two scenarios, it is strongly recommend that you also read this article.

Please note To optimize overall performance in case of the Internet authentication mode, administrators can - starting with v10 - add the following line to the wp-config.php: 

define( 'WPO_AUTH_SCENARIO', 'internet' );

This will prevent the plugin from loading for all requests that are not for WordPress administration pages. 

Please be aware that - if you add this line to your wp-config.php - you must change the Redirect URI so that it ends with /wp-admin/ e.g. If this is not the case, the plugin won't be able to receive the authentication response sent by Microsoft and the plugin will not work as expected. 

Please also note that the following Login / Logout capabilities won't work and must be de-activated in advance

  • Sending Mail using Microsoft Graph
  • Dual Login
  • Error Page

Also, login error messages won't be displayed in the notification area just above the (default) login form.

Default value Internet.

Versions ALL

Visit the website

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us