Frequently Asked Questions (FAQ)

Backend users: Yes. A matching be_users record with the same email address must exist in TYPO3.

Frontend users: By default, yes. However, if auto-create is enabled in the site configuration, the extension will automatically create a disabled fe_users record on first login. An administrator must then enable the account before the user can sign in.

See Frontend user auto-creation for details.

Yes. For frontend login, add the Azure Login content element to a page. For backend login, the extension automatically adds a "Sign in with Microsoft" tab to the TYPO3 backend login screen. Both require a redirect URI configured in Microsoft Entra ID.

The backend redirect URI is automatically derived from the TYPO3 route configuration and shown as a read-only field in the backend module.

Yes. The Backend tab in the configuration module allows you to create multiple backend login configurations. Each one appears as a separate "Sign in with Microsoft" button on the backend login screen, with its own label (e.g. company name). This is useful when multiple Azure tenants need backend access.

The extension requires delegated permissions only: openid, profile, and User.Read. No application permissions are needed. See the Azure Entra ID setup for details.

The recommended method is the backend module at Web > Azure Login. This allows per-site configuration with encrypted client secret storage and supports multiple backend login configurations.

As a fallback, global credentials can be set via Admin Tools > Settings > Extension Configuration > ok_azure_login.

See chapter Configuration.

Yes. The backend module stores configuration per TYPO3 site root page. Click on any page belonging to a site in the page tree, and the module resolves the correct site automatically. Each site can have its own Tenant ID, Client ID, Client Secret, and frontend redirect URI.

When configured via the backend module, the client secret is encrypted using PHP Sodium (sodium_crypto_secretbox) before being stored in the database. The encryption key is derived from TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].

The secret is never displayed in the backend module after saving.

Warning

If the TYPO3 encryption key is not set, the backend module shows a warning. Secrets stored via Extension Configuration (fallback) are not encrypted.

The auto-created fe_users record is disabled by default. The user will see a message explaining that their account has been created but is pending activation. An administrator must enable the account in the TYPO3 backend before the user can sign in.

Auto-created users are assigned to the default user groups configured in the site settings and stored on the configured storage page.

See chapter Where to get help.

Frequently Asked Questions (FAQ)

How do I install this extension?

Do users need to exist in TYPO3 before they can log in?

Can I use this for both frontend and backend login?

Can I have multiple backend login configurations?

Which Microsoft Graph API permissions are needed?

Where do I configure the Azure credentials?

Can I use different Azure credentials per site?

How is the client secret stored?

What happens if a frontend user account is auto-created?

Where can I get help?