Frequently Asked Questions (FAQ)

Backend users: Yes. A matching be_users record with the same email address must already exist in TYPO3.

Frontend users: By default, yes. However, you can enable auto-creation in the backend module. When enabled, a disabled frontend user account is created automatically for authenticated Microsoft users who have no matching fe_users record. An administrator must then enable the account before the user can sign in.

See Backend module (recommended) for details on configuring auto-creation.

Yes. For frontend login, add the Azure Login content element to a page. For backend login, the extension automatically adds a "Sign in with Microsoft" tab to the TYPO3 backend login screen. Both require their own redirect URI configured in Microsoft Entra ID.

The extension requires delegated permissions only: openid, profile, and User.Read. No application permissions are needed. See the Azure Entra ID setup for details.

The recommended method is the backend module at Web > Azure Login. This allows per-site configuration with encrypted client secret storage.

As a fallback, global credentials can be set via Admin Tools > Settings > Extension Configuration > ok_azure_login.

See chapter Configuration.

When enabled in the backend module (per site), the extension automatically creates a disabled fe_users record for Microsoft users who authenticate successfully but have no existing TYPO3 account.

The new account receives the user's email as username, their display name, given name, and surname from Microsoft Graph, a random password, and any default frontend user groups you configured. The user sees a blue "account pending" info message.

An administrator must manually enable the account in the TYPO3 backend before the user can sign in. This prevents unauthorized access while still streamlining the onboarding process.

Yes. The backend module stores configuration per TYPO3 site root page. Click on any page belonging to a site in the page tree, and the module resolves the correct site automatically. Each site can have its own Tenant ID, Client ID, Client Secret, and redirect URIs.

Yes. Each site can have its own backend login configuration with a separate Azure app registration. Every site with valid, enabled backend credentials will show a separate "Sign in with Microsoft" button on the TYPO3 backend login screen, identified by the configured login button label (e.g. company name).

When configured via the backend module, the client secret is encrypted using PHP Sodium (sodium_crypto_secretbox) before being stored in the database. The encryption key is derived from TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].

The secret is never displayed in the backend module after saving.

Warning

If the TYPO3 encryption key is not set, the backend module shows a warning. Secrets stored via Extension Configuration (fallback) are not encrypted.

See chapter Where to get help.

Frequently Asked Questions (FAQ)

How do I install this extension?

Do users need to exist in TYPO3 before they can log in?

Can I use this for both frontend and backend login?

Which Microsoft Graph API permissions are needed?

Where do I configure the Azure credentials?

How does frontend user auto-creation work?

Can I use different Azure credentials per site?

Can I have multiple backend login buttons?

How is the client secret stored?

Where can I get help?