Support for multitenant apps
Before you start
- You are fully aware of the consequences of allowing users in any Azure AD tenant to sign in to your application after consenting to use their account with your application.
- You have understand the difference between Azure Active Directory Guest users and users from another organizational directory (see https://www.wpo365.com/guest-users-or-multi-tenant/ for details).
- You must already have configured the single sign-on capability of the WordPress + Office 365 plugin.
- You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
- You are an Administrator for your WordPress website.
- In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
- Navigate to Azure Active Directory > App registrations.
- Select the App registration that you created when you configured the single sign-on capability of the plugin.
- Click Authentication from the 'App registration' menu on the left.
- Scroll down to Supported account types.
- Check Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Click Save.
Please note that if you'd like to add users with personal Microsoft accounts (MSAL e.g. Outlook, Skype, Xbox) that you need to manually update the manifest as explained on the page itself.
- Navigate to the plugin's wizard WP Admin > WPO365 and click User Registration.
- Check the option Allow users from other tenants.
- Click Save configuration.
Optionally, you can restrict access to your website to users coming from selected domains.
- Navigate to WP Admin > WPO365 > Single Sign-on.
- Allow users coming from specific domains by adding domains those domains to the Domain whitelist (see https://docs.wpo365.com/article/43-domain-whitelist for details).
For the plugin to be able to retrieve information about a user from another tenant e.g. the Azure AD groups the user belongs to or the user's profile image, it must be able to request access tokens from that user's (Azure AD) tenant. By default, the plugin is capable of requesting information from another tenant if multi-tenancy is configured according to the steps outlined in this article. However, before the plugin successfully can request data, an administrator of the other tenant must have granted permissions to the Enterprise Application that will be automatically created in the other tenant's Azure AD as soon as a first user of that other tenant successfully signs in with your multi-tenanted App registration.
Perform the following steps to find the Enterprise Application in another tenant's Azure AD.
- As an administrator of another tenant with sufficient privileges first navigate to Azure Portal Azure Active Directory Enterprise applications.
- From the drop down list Application type be sure to select All applications and then search for the Application (client) ID that was assigned to the App registration for the WordPress website in the home tenant.
- Click on the name to load the Overview page of the Enterprise application.
- Continue to the Permissions page (in the Security section) and click Grant consent for ...
Only when an administrator of another tenant has granted consent will the plugin be able to request access tokens for users of another tenant.
Test and Troubleshoot
To test your multitenant app you can log on with a (test) user that is a member of a different Azure AD tenant.
- Enable the plugin's Debug log (see https://docs.wpo365.com/article/19-enable-debug-log).
- Navigate to the plugin's wizard WP Admin > WPO365 > ... > Debug.
- Check Log ID token.
- Now try to sign in again with the (test) user that is a member of a different Azure AD tenant.
- Navigate back to WP Admin > WPO365 > ... > Debug and click Show all.
- Search for the ID token in the log and check to see if it is complete.