=== Tradløs Suite ===
Contributors: tradlos
Tags: single sign-on, sso, login, microsoft 365, azure
Requires at least: 5.5
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.2.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connect WordPress to Microsoft 365 & Azure: Sign in with Microsoft (SSO), automatic app setup, credential monitoring, and a modular add-on hub.

== Description ==

**Tradløs Suite** turns WordPress into a control center for your Microsoft 365 and Azure
environment — with a clean, self-service setup that does not require copying secrets out of the
Azure portal.

It is a modular hub: enable only the pieces you need, and add more over time.

= Core features (free) =

* **Sign in with Microsoft (SSO)** — add a "Sign in with Microsoft" button to the WordPress
  login screen (and WooCommerce, if present). Link sign-ins to existing users by email or
  auto-create accounts — your choice. Optional, lockout-safe "require SSO" enforcement for
  chosen roles (off by default).
* **Automatic setup** — a Microsoft Global Administrator signs in once via the device-code
  flow and the plugin provisions its own Microsoft Entra application, generates a secret, and
  grants admin consent for the modules you enabled. No manual app registration, no copy-paste.
  Re-running setup updates the existing application in place instead of creating a new one.
* **Provider-agnostic by design** — Microsoft 365 today, with a "choose your platform"
  onboarding built to add Google Workspace and AWS later.
* **Credential monitoring** — a daily check warns you by email before your client secret
  expires (30/14/7/1 days), with an at-a-glance status card.
* **Azure management** — browse subscriptions, resource groups and resources, and start/stop
  virtual machines from the dashboard.
* **Add-on marketplace & support** — discover optional modules and submit support requests
  from inside wp-admin.
* **Light / dark admin theme** — a one-click toggle for the suite's admin screens.
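
The 30/14/7/1-day warning schedule from the credential monitoring feature above, shown as an added example (not the plugin's own code): it reads the `passwordCredentials` entries that Microsoft Graph returns for an application and reports each threshold only once, so a daily run does not re-send the same warning. The function name, the `$alreadySent` bookkeeping and the sample data are assumptions made for illustration.

```php
<?php
// Added example, not Tradløs Suite code. Thresholds come from the readme;
// secrets_needing_warning() and the sample data below are hypothetical.
const EXPIRY_THRESHOLDS = [30, 14, 7, 1]; // days, descending

/**
 * @param array $credentials Decoded passwordCredentials entries (keyId, endDateTime).
 * @param array $alreadySent Map of keyId => smallest threshold already emailed.
 * @return array             keyId => ['status', 'days_left', 'threshold']
 */
function secrets_needing_warning(array $credentials, array $alreadySent, DateTimeImmutable $now): array
{
    $due = [];
    foreach ($credentials as $cred) {
        if (empty($cred['keyId']) || empty($cred['endDateTime'])) {
            continue; // malformed entry: nothing to evaluate
        }
        try {
            $end = new DateTimeImmutable($cred['endDateTime']);
        } catch (Exception $e) {
            continue; // unparseable date: skip rather than guess
        }
        $secondsLeft = $end->getTimestamp() - $now->getTimestamp();
        if ($secondsLeft <= 0) {
            // An expired secret is reported on every run until it is rotated.
            $due[$cred['keyId']] = ['status' => 'expired', 'days_left' => 0, 'threshold' => null];
            continue;
        }
        $daysLeft = (int) ceil($secondsLeft / 86400);
        // Find the tightest threshold the secret has crossed (smallest value >= days left).
        $crossed = null;
        foreach (EXPIRY_THRESHOLDS as $threshold) {
            if ($daysLeft <= $threshold) {
                $crossed = $threshold;
            }
        }
        // Warn only when a tighter threshold than the last emailed one is reached.
        $last = $alreadySent[$cred['keyId']] ?? PHP_INT_MAX;
        if ($crossed !== null && $crossed < $last) {
            $due[$cred['keyId']] = ['status' => 'warn', 'days_left' => $daysLeft, 'threshold' => $crossed];
        }
    }
    return $due;
}

// Constructed sample: key-a already triggered the 30-day email, key-b is far from expiry.
$sample = [
    ['keyId' => 'key-a', 'endDateTime' => '2025-06-11T00:00:00Z'],
    ['keyId' => 'key-b', 'endDateTime' => '2025-09-01T00:00:00Z'],
];
print_r(secrets_needing_warning($sample, ['key-a' => 30], new DateTimeImmutable('2025-06-01T00:00:00Z')));
```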

= Privacy & data ownership =

Your data stays on your site. Each install performs its own OAuth and stores tokens encrypted
in your own WordPress database. Tradløs servers never receive or broker your Microsoft identity
tokens.

= Premium add-ons =

Some optional modules are available separately as commercial add-ons. The core plugin above is
fully functional on its own; add-ons are never required.

== Installation ==

1. Install and activate **Tradløs Suite** from Plugins → Add New, or upload the plugin ZIP.
2. Go to the **Tradløs → Connect** screen and choose Microsoft.
3. On **Tradløs → Setup**, click **Set up automatically**, then have a Microsoft Global
   Administrator sign in at the device-login URL shown and approve consent.
4. Use **Test connection** to confirm, then enable the modules you want under **Tradløs →
   Modules**. "Sign in with Microsoft" appears on your login screen.

No code, Composer, or external build tools are required.

== Frequently Asked Questions ==

= Do I need to register an app in Azure myself? =
No. The "Set up automatically" flow provisions a dedicated Microsoft Entra application in your
own tenant for you. A manual paste-your-own-credentials option is also provided.

= If Microsoft sign-in breaks, can I still log in? =
Yes. The Microsoft button is added alongside the normal username/password form — it never
replaces it. The optional "require SSO" enforcement is off by default, automatically stops
enforcing if the connection is unavailable, and has an emergency bypass constant.

= Does it work without WooCommerce? =
Yes. WooCommerce-specific surfaces simply do not appear when WooCommerce is absent.

= Where are my credentials stored? =
Encrypted in your site's own database. They are never sent to Tradløs.

== External services ==

This plugin connects to Microsoft services to provide Microsoft 365 / Azure integration. These
calls happen only after you start setup or a user signs in with Microsoft:

* **Microsoft identity platform** (`login.microsoftonline.com`, `microsoft.com/devicelogin`) —
  to authenticate, run the device-code setup flow, and obtain/refresh OAuth tokens.
* **Microsoft Graph** (`graph.microsoft.com`) — to provision the app registration, read the
  signed-in user's profile for account linking, and perform the actions of enabled modules.
* **Azure Resource Manager** (`management.azure.com`) — only when the Azure module is enabled,
  to list and manage your Azure resources.

Data sent is limited to what each operation requires (e.g. OAuth parameters, the requested API
calls). This is governed by the Microsoft Privacy Statement (https://privacy.microsoft.com/) and
the Microsoft Services Agreement (https://www.microsoft.com/servicesagreement/).

If you submit a support or add-on request from the Support/Marketplace screens, that request
(your message and contact email) is emailed to Tradløs support (support@tradlos.com) so we can
respond. This is sent only when you explicitly submit the form.

== Changelog ==

= 1.2.2 =
* Provisioner updates an existing Entra app in place on re-run (no duplicate apps); idempotent
  delegated + application consent.
* Modules can declare required Graph scopes via a filter.

= 1.2.1 =
* Light / dark admin theme toggle.

= 1.2.0 =
* Provider-agnostic identity layer and "Connect your platform" onboarding.
* Credential-expiry watchdog, in-dashboard marketplace, and support desk.

= 1.1.0 =
* Rebranded into the modular Tradløs Suite hub.

== Upgrade Notice ==

= 1.2.2 =
Re-running automatic setup now updates your existing Entra app instead of creating a new one.
