Authentication scenario

Usage The plugin basically supports the following authentication scenarios:


With this scenario, WPO365 will redirect users "anonymous" users i.e. users that are not yet logged-in, to Microsoft to sign in, when they try to access

  • WP Admin 
  • All published pages and posts
  • All WordPress REST API endpoints

Important The Intranet scenario does not block access to the media library e.g. /wp-content/uploads. Please refer to this guide for instructions on how to enforce authentication for folders below the /wp-content web directory. Alternatively, you can use a plugin such as Prevent Direct Access. The premium addon for this plugin can be configured to restrict access for media files to logged-in users.

Please note To allow access to a specific WordPress REST API endpoint you must add its path e.g. /wp-json/wp/v2/posts or /wp-json/gf/v2 for Gravity Forms to the plugin's list for Pages freed from authentication. To allow access to all WordPress REST API endpoints, you would only need to add the WP REST URL prefix e.g. /wp-json/.


With this scenario, WPO365 will redirect users "anonymous" users i.e. users that are not yet logged-in, to Microsoft to sign in, when they try to access

  • WP Admin

Please note To require users to sign in with Microsoft for selected pages only, then please check out our Audiences feature (scroll to Private pages).

Intranet (auth. only) and Internet (auth. only)

These two scenarios will be unlocked by the WPO365 | LOGIN+, WPO365 | PREMIUM and WPO365 | INTRANET extensions / bundles (see our website for details and pricing). The two scenarios work in most ways similar to their counterparts with one important exception: Website visitors are required to sign in with Microsoft but are not automatically signed in as WordPress users. If you intend to select one of these two scenarios, it is strongly recommend that you also read this article.

Please note To optimize overall performance in case of the Internet authentication mode, administrators can - starting with v10 - add the following line to the wp-config.php:

define( 'WPO_AUTH_SCENARIO', 'internet' );

This will prevent the plugin from loading for all requests that are not for WordPress administration pages. Please be aware that - if you add this line to your wp-config.php - you must also change the Redirect URI so that it ends with /wp-admin/ e.g. If this is not the case, the plugin won't be able to receive the authentication response sent by Microsoft and the plugin will not work as expected. 

Please also note that the following Login / Logout capabilities won't work and must be de-activated in advance

  • Sending Mail using Microsoft Graph
  • Dual Login
  • Error Page

Also, login error messages won't be displayed in the notification area just above the (default) login form.

Default value Internet.

Versions ALL

Visit the website

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us