Support for multitenant apps
Before you start
- You are fully aware of the consequences of allowing users from any Azure AD tenant to sign in to your application: once the app registration is multitenant, any Azure AD user who consents can authenticate, and whether that user also gets a WordPress account depends on your User Registration settings.
- You understand the difference between Azure Active Directory guest users and users from another organizational directory (see https://www.wpo365.com/guest-users-or-multi-tenant/ for details).
- You must already have configured the single sign-on capability of the WordPress + Office 365 plugin.
- You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
- You are an Administrator for your WordPress website.
- In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
- Navigate to Azure Active Directory > App registrations.
- Select the App registration that you created when you configured the single sign-on capability of the plugin.
- Click Authentication from the 'App registration' menu on the left.
- Scroll down to Supported account types.
- Select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Click Save.
Please note that if you'd like to allow users with personal Microsoft accounts (MSA, e.g. Outlook, Skype, Xbox), you need to manually update the app manifest as explained on that Azure Portal page.
- Navigate to the plugin's wizard WP Admin > WPO365 and click User Registration.
- Check the option Allow users from other tenants.
- Click Save configuration.
Optionally, you can restrict access to your website to users coming from selected domains.
- Navigate to WP Admin > WPO365 > Single Sign-on.
- Allow users coming from specific domains only by adding those domains to the Domain whitelist (see https://docs.wpo365.com/article/43-domain-whitelist for details). Without a whitelist, every domain in every Azure AD tenant is accepted.
Test and Troubleshoot
To test your multitenant app you can log on with a (test) user that is a member of a different Azure AD tenant.
- Enable the plugin's Debug log (see https://docs.wpo365.com/article/19-enable-debug-log).
- Navigate to the plugin's wizard WP Admin > WPO365 > ... > Debug.
- Check Log ID token.
- Now try to sign in again with the (test) user that is a member of a different Azure AD tenant.
- Navigate back to WP Admin > WPO365 > ... > Debug and click Show all.
- Search for the ID token in the log and check that it is complete (a JWT has three dot-separated, base64url-encoded segments: header, payload and signature) and that its tid claim is the other tenant's ID rather than your own.
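The checks below are an added example, not code from the WPO365 plugin or its documentation. Given an ID token copied from the debug log, it verifies the token is complete, decodes the payload, confirms the issuer embeds the same tenant ID as the tid claim (the issuer changes per tenant in a multitenant app, which is exactly what the Azure AD change above enables), checks the audience is your app registration, and applies a domain allow-list in the spirit of the plugin's Domain whitelist. The token, tenant ID, client ID and user are constructed for the example; the allow-list matching is an assumed model, not the plugin's own logic, and no signature is verified because this is log inspection, not sign-in.

```python
import base64
import json
import re

# Constructed sample: an unsigned ID token shaped like an Azure AD v2.0 token.
# The signature segment is a placeholder; nothing here verifies signatures.
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

OTHER_TENANT_ID = "11111111-2222-3333-4444-555555555555"  # assumed: the other org's tenant
APP_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # assumed: your app registration

SAMPLE_CLAIMS = {  # constructed payload
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT_ID}/v2.0",
    "tid": OTHER_TENANT_ID,
    "aud": APP_CLIENT_ID,
    "preferred_username": "alice@contoso.com",
    "name": "Alice Example",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])

def is_complete(token: str) -> bool:
    """A token truncated in the log will not have three non-empty segments."""
    parts = token.strip().split(".")
    return len(parts) == 3 and all(parts)

def decode_id_token(token: str) -> dict:
    """Return the payload claims. No signature check: for log inspection only."""
    if not is_complete(token):
        raise ValueError("ID token is incomplete; re-check the debug log entry")
    return json.loads(_b64url_decode(token.strip().split(".")[1]))

_ISSUER_PATTERNS = (
    # v2.0 endpoint issuer: https://login.microsoftonline.com/{tid}/v2.0
    re.compile(r"^https://login\.microsoftonline\.com/(?P<tid>[0-9a-f-]{36})/v2\.0$"),
    # v1.0 endpoint issuer: https://sts.windows.net/{tid}/
    re.compile(r"^https://sts\.windows\.net/(?P<tid>[0-9a-f-]{36})/$"),
)

def issuer_matches_tenant(claims: dict) -> bool:
    """The issuer differs per tenant but must embed the same tenant ID as tid."""
    for pattern in _ISSUER_PATTERNS:
        m = pattern.match(claims.get("iss", ""))
        if m:
            return m.group("tid").lower() == claims.get("tid", "").lower()
    return False

def audience_matches_app(claims: dict, client_id: str = APP_CLIENT_ID) -> bool:
    """The token must be issued for your app registration, whatever the tenant."""
    return claims.get("aud") == client_id

def user_domain(claims: dict) -> str:
    """Domain of the signed-in user from the first email-shaped claim present."""
    for key in ("preferred_username", "upn", "email"):
        value = claims.get(key, "")
        if "@" in value:
            return value.rsplit("@", 1)[1].lower()
    return ""

def domain_allowed(claims: dict, whitelist) -> bool:
    """Assumed model of a domain whitelist: exact, case-insensitive match only."""
    allowed = {d.strip().lower() for d in whitelist}
    domain = user_domain(claims)
    return bool(domain) and domain in allowed

if __name__ == "__main__":
    claims = decode_id_token(SAMPLE_TOKEN)
    print("tid:", claims["tid"], "issuer ok:", issuer_matches_tenant(claims),
          "aud ok:", audience_matches_app(claims))
    print("domain:", user_domain(claims), "allowed:", domain_allowed(claims, ["contoso.com"]))
```

Two things worth keeping in mind when reading a real token this way: a guest user invited into your own tenant signs in against your tenant, so the tid will be yours and the test above would not prove multitenant sign-in actually happened; and preferred_username is not guaranteed to be an email address, so a domain check that relies on it should fall back to upn or email as this example does, and treat a missing domain as not allowed.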