Connect WordPress and Microsoft Entra | Azure | 365

Configure WPO365 REST API for Microsoft Graph

When you embed a SharePoint List in WordPress, you must perform the following steps to enable the WPO365 REST API for Microsoft Graph and allow client-side (= browser based) applications to request OneDrive / SharePoint data using its /drives and /sites endpoints.


When you embed a SharePoint Library in WordPress, WPO365 injects a small JavaScript application in the page. This client-side (= browser based) application will then try to create a connection to your WordPress server to request data from the WPO365 REST API for Microsoft Graph. Requests received by this API are first security-checked and then transparently forwarded to Microsoft Graph.

By default is the WPO365 REST API for Microsoft Graph not enabled.


  • Go to WP Admin > WPO365 > Integration and scroll to the section Microsoft 365 Apps.
  • Check the option to Enable WPO365 REST API for Microsoft Graph.
Configuration for scenario “Delegated Access”
  • Since you picked the scenario for “Delegated Access”, your users will have signed in with Microsoft prior to accessing the WPO365 REST API for Microsoft Graph. Therefore you should select Users must be signed in with Microsoft from the dropdown Require users to sign-in to use the WPO365 REST API for Microsoft Graph.
  • Continue by allow-listing the following endpoints
    • https://graph.microsoft.com/_/sites
    • https://graph.microsoft.com/_/drive

The underscore “_” in each endpoint is a placeholder for the version of Microsoft Graph that should be used and will be replaced by WPO365 with beta.

To allow-list an endpoint, you must click the “+” at the end of each list entry. The entry should appear greyed-out.


Configuration for scenario “Application Access”
  • Since you picked the scenario for “Application Access”, your users will not have signed in with Microsoft prior to accessing the WPO365 REST API for Microsoft Graph. Therefore you can use any of the available options from the dropdown Require users to sign-in to use the WPO365 REST API for Microsoft Graph.

Please note that the option Allow anonymous access does not require any authentication or authorization and this basically will allow anyone with sufficient technical skills to send requests to the WPO365 REST API for Microsoft Graph and potentially retrieve data from some of your Microsoft 365 services (depending on the endpoints that you allow client-side apps to request data from).


  • Continue by allow-listing the following endpoints and for each endpoint check the corresponding box on each line to allow the client-side app to use application-level permissions.
    • https://graph.microsoft.com/_/sites
    • https://graph.microsoft.com/_/drive

The underscore “_” in each endpoint is a placeholder for the version of Microsoft Graph that should be used and will be replaced by WPO365 with beta.

To allow-list an endpoint, you must click the “+” at the end of each list entry. The entry should appear greyed-out.


Related Features