SSO for Microsoft Entra — Free Open-Source WordPress Plugin

Modern enterprise security requires more than just a username and password. Integrating Microsoft Entra ID (formerly Azure AD) with WordPress provides seamless single sign-on (SSO) for employees, reduces the attack surface of your site, and eliminates password fatigue.

At CODE TOT, we manage WordPress sites for dozens of businesses running on Microsoft 365. Every time we onboarded a new client, the same pain points surfaced: separate accounts for every team member, forgotten passwords, ex-employees with lingering access, and expensive proprietary SSO plugins that did more than most teams actually needed.

So we built SSO for Microsoft Entra — a free, open-source (GPL-2.0+) WordPress plugin that is available now on both WordPress.org and GitHub.

Why PKCE Matters for WordPress

The traditional OAuth "Implicit Flow" is now deprecated in Azure because it is susceptible to access token injection. Our plugin uses the authorization code flow with Proof Key for Code Exchange (PKCE). This adds a dynamically generated secret that is hashed locally on the WordPress server and verified by Microsoft during the code exchange — ensuring that only your site can redeem the authorization code it received.

This is the most secure OAuth 2.0 flow for WordPress SSO. No client secret ever touches the browser.
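To make the exchange above concrete, here is an added illustration of the PKCE derivation and the check the token endpoint performs; it is not code from the plugin, and the tenant ID, client ID and redirect URI are placeholders.

```python
"""PKCE (RFC 7636) as used in the authorization-code flow described above.
Illustration only; not the plugin's own code."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder values: a real deployment substitutes its own tenant and app registration.
TENANT_ID = "<your-tenant-id>"
CLIENT_ID = "<your-client-id>"
REDIRECT_URI = "https://yoursite.com/sso/callback"


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier kept server-side; 32 bytes -> 43 base64url chars (RFC range 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request the browser is redirected to; only the hash leaves the server."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urlencode(params))


def verifier_matches(challenge: str, verifier: str) -> bool:
    """The check the token endpoint performs when the code is redeemed:
    recompute the challenge from the presented verifier and compare in constant time.
    An attacker who intercepted only the code (and the public challenge) cannot pass this."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)
```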

Key Features

| Feature | Detail |
| --- | --- |
| OIDC + PKCE | Most secure OAuth 2.0 flow — no client secret exposure on the frontend |
| Auto provisioning | WordPress accounts created on first SSO login (Subscriber role by default) |
| Encrypted secrets | Client secrets stored with libsodium or AES-256-GCM at rest |
| Rate limiting | Built-in protection against brute-force SSO attempts |
| Auto-redirect | Optionally skip the WordPress login page — go straight to Microsoft |
| Contextual help | Azure Portal setup guide built into the settings Help tab |
| Vietnamese | Full Vietnamese translation included |

Enterprise-Grade Security

By connecting WordPress to Microsoft Entra, you automatically inherit your company's Multi-Factor Authentication (MFA) policies. You no longer need separate 2FA plugins on WordPress — Entra handles the heavy lifting before the user even touches your site.

The plugin also includes configurable rate limiting on SSO login attempts and encrypted client-secret storage using libsodium (XSalsa20-Poly1305) with AES-256-GCM fallback. Secrets are never written to log files.

How It Compares

| Factor | SSO for Microsoft Entra | miniOrange | WPO365 |
| --- | --- | --- | --- |
| Price | Free | 9–99/yr | €99–€399/yr |
| Open source | ✅ GPL-2.0 | | |
| OIDC + PKCE | ✅ Native | ❌ (SAML) | |
| Encrypted secrets | ✅ libsodium/AES-256-GCM | | |
| Vietnamese | | | |
| Rate limiting | ✅ Built-in | ❌ (addon) | |

The existing solutions are either expensive (miniOrange from 9/year, WPO365 from €99/year) or technically outdated. Ours is the only free, modern, open-source option using OpenID Connect with PKCE — and it comes with Vietnamese translation.

Quick Setup

  1. Install the plugin from WordPress.org or GitHub
  2. Register an app in Azure Portal: App registrations → New registration — set redirect URI to https://yoursite.com/sso/callback
  3. Configure in WordPress: Settings → Entra SSO → enter Tenant ID, Client ID, Client Secret
  4. Set permissions: Microsoft Graph → Delegated: openid, profile, email
  5. Test in an incognito window — click "Sign in with Microsoft"

For developers pushing to multiple environments:

# Install via WP-CLI
wp plugin install https://github.com/codetot-web/sso-for-microsoft-entra/archive/refs/heads/main.zip --activate

# Or clone directly
cd wp-content/plugins/
git clone https://github.com/codetot-web/sso-for-microsoft-entra.git

FAQ

Is it free?

Yes, 100% free and open-source under GPL-2.0. No premium tiers, no user limits.

Does it work with personal Microsoft accounts?

No. It's designed for organisational accounts managed through a Microsoft Entra ID tenant (work/school).

Does it support Multisite?

Yes. Each subsite can be configured independently, or use network-wide settings via Network Admin.

Single-tenant or multi-tenant?

For most internal WordPress sites, Single-Tenant is recommended. Multi-Tenant is only needed for external contractors or partners with their own Microsoft 365 environments.

Get Involved

If you're running WordPress for a business on Microsoft 365, give it a try. It's free, it's open source, and it just works.

Built by Khoi Pro — WordPress Core Contributor, Plugin Developer, and founder of CODE TOT.