Configuration of Microsoft Entra ID (formerly Azure AD)
This guide walks you through registering an application in Microsoft Entra ID so the extension can authenticate users via the OAuth 2.0 authorization code flow.
Attention
The Client ID can be found on the overview page in Azure and must not be confused with the Client Secret ID. For the secret configuration, only the Secret Value itself is required, not the Secret ID.
Note
This guide assumes you have administrative access to Microsoft Entra ID and the necessary permissions to register applications.
Register an application in Microsoft Entra ID
Go to https://portal.azure.com and navigate to Microsoft Entra ID > App registrations.
Configure the application
- Name: Choose a descriptive name (e.g., "TYPO3 Azure Login").
- Supported account types: Select "Accounts in this organizational directory only (Single tenant)".
Add redirect URIs
Under Redirect URI, select Web and add the callback URLs that match your TYPO3 site:
- Frontend: https://your-domain.com/your-login-page (the page containing the Azure Login content element)
- Backend: https://your-domain.com/typo3/azure-login/callback
Tip
You can add multiple redirect URIs later in the Authentication section of the app registration. The frontend redirect URI should point to the page where Microsoft redirects the user after authentication.
The backend redirect URI is automatically generated by the extension from its route configuration. You can find and copy it in the backend configuration module (Web > Azure Login > Backend config). It always uses the path /typo3/azure-login/callback. If you run a multi-site setup with different domains, add redirect URIs for each domain.
Click Register.
Collect Tenant ID and Client ID
On the Overview page, note down:
- Directory (tenant) ID -- this is the Tenant ID
- Application (client) ID -- this is the Client ID
Attention
The Client ID is the Application ID on the overview page. Do not confuse it with the Secret ID shown in the next step.
Create a client secret
- Navigate to Certificates & secrets > Client secrets
- Click New client secret
- Enter a description and choose an expiration period
- Click Add
Attention
- Copy the Secret Value immediately after creation -- it will not be shown again.
- Manage the expiration and renew the secret before it expires to maintain uninterrupted service.
- The Secret Value is sensitive information. Store it securely and do not expose it in public repositories or logs.
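The two admonitions above describe the same mix-up from both sides: the GUID on the Overview page is the Client ID, and the GUID next to a secret is its Secret ID, which is useless as a credential. The following added example (not part of the extension) turns those warnings into a check you can run before saving the values. It assumes that Tenant ID, Client ID and Secret ID are all GUID-shaped and that a Secret Value never is, and it keeps the secret out of log output and flags secrets that are close to expiry.

```python
"""Sanity-check credentials collected from an Entra ID app registration.

Added example; assumption: Tenant ID, Client ID and Secret ID are GUIDs,
the Secret Value is not.
"""
import re
from datetime import date
from typing import List

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_guid(value: str) -> bool:
    """True if the value has the 8-4-4-4-12 hex layout the portal shows for IDs."""
    return bool(GUID_RE.match(value.strip()))


def validate_credentials(tenant_id: str, client_id: str, client_secret: str) -> List[str]:
    """Return a list of problems; an empty list means the values look plausible."""
    problems = []
    if not is_guid(tenant_id):
        problems.append("Tenant ID must be the Directory (tenant) ID GUID from the Overview page")
    if not is_guid(client_id):
        problems.append("Client ID must be the Application (client) ID GUID from the Overview page")
    secret = client_secret.strip()
    if not secret:
        problems.append("Client Secret is empty; copy the Secret Value right after creating it")
    elif is_guid(secret):
        # A GUID here almost always means the Secret ID column was copied.
        problems.append("Client Secret looks like the Secret ID; paste the Secret Value instead")
    return problems


def mask_secret(secret: str) -> str:
    """Log-safe representation: a short prefix plus the length, never the value."""
    return f"{secret[:3]}***({len(secret)} chars)"


def secret_expiry_status(expires_on: date, today: date, warn_days: int = 30) -> str:
    """Classify a secret as 'expired', 'renew' (within warn_days) or 'ok'."""
    remaining = (expires_on - today).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "renew"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tenant = "11111111-1111-1111-1111-111111111111"
    client = "22222222-2222-2222-2222-222222222222"
    wrong_secret = "33333333-3333-3333-3333-333333333333"  # looks like a Secret ID
    for problem in validate_credentials(tenant, client, wrong_secret):
        print("problem:", problem)
    print("secret in logs:", mask_secret("abc8Q~constructedSampleValue"))
    print("expiry:", secret_expiry_status(date(2025, 1, 15), date(2025, 1, 1)))
```

Run the check in a deployment script or a TYPO3 backend validation hook before writing the configuration, and only ever log the output of `mask_secret`.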
Configure API permissions
The extension uses the authorization code flow with delegated permissions (not application permissions). It requests the following scopes:
- openid -- Sign-in
- profile -- Basic user profile
- User.Read -- Read the signed-in user's profile (email, display name)
To configure:
- Navigate to API permissions
- Click Add a permission > Microsoft Graph > Delegated permissions
- Select: openid, profile, User.Read
- Click Add permissions
- Click Grant admin consent for [Your Organization]
Note
Unlike server-to-server integrations, this extension authenticates on behalf of the user. Only delegated permissions are needed -- application permissions are not required.
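To show how the redirect URIs and the delegated scopes from the steps above come together at runtime, here is an added example of the authorization code flow against the Microsoft identity platform v2.0 endpoints. It is not the extension's code. It assumes a single-tenant registration, that the tenant/client values and redirect URIs are placeholders, and that Entra ID only accepts a redirect_uri that exactly matches a registered one, so the same exact-match rule is enforced locally before the user is redirected. The `state` parameter binds the callback to the session that started the login; the token request is built but not sent, so the script runs offline.

```python
"""Authorization code flow with delegated scopes (added example, offline).

Assumptions: v2.0 endpoints under login.microsoftonline.com, placeholder
tenant/client values, exact-match redirect URI validation.
"""
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Delegated permissions granted in the API permissions step.
SCOPES = ["openid", "profile", "User.Read"]


def authority(tenant_id: str) -> str:
    """Base URL of the v2.0 endpoints for a single-tenant app."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0"


def check_redirect_uri(redirect_uri: str, registered: List[str]) -> str:
    """Reject anything that is not byte-for-byte one of the registered URIs.

    A trailing slash, different case or http:// would be rejected by Entra ID
    anyway; failing here gives a clear local error instead of a redirect loop.
    """
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use https")
    if redirect_uri not in registered:
        raise ValueError(f"redirect_uri is not registered exactly: {redirect_uri}")
    return redirect_uri


def new_state() -> str:
    """Unguessable per-login value stored in the session and checked on return."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        registered: List[str], state: str) -> str:
    """URL the user is sent to; Entra ID returns a code to redirect_uri."""
    check_redirect_uri(redirect_uri, registered)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{authority(tenant_id)}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing error responses and foreign state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"Entra ID returned an error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Tuple[str, Dict[str, str]]:
    """Server-side POST that exchanges the code for tokens (Secret Value, not Secret ID)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in the authorize step
        "scope": " ".join(SCOPES),
    }
    return f"{authority(tenant_id)}/token", body


if __name__ == "__main__":
    # Constructed placeholders matching the guide's examples.
    tenant = "11111111-1111-1111-1111-111111111111"
    client = "22222222-2222-2222-2222-222222222222"
    registered = [
        "https://your-domain.com/your-login-page",
        "https://your-domain.com/typo3/azure-login/callback",
    ]
    state = new_state()
    print(build_authorize_url(tenant, client, registered[1], registered, state))
    code = parse_callback(f"{registered[1]}?code=constructed-code&state={state}", state)
    url, body = build_token_request(tenant, client, "<secret-value-placeholder>", code, registered[1])
    print(url, body["grant_type"])
```

The backend callback path in the example is the fixed /typo3/azure-login/callback route from the guide; the frontend entry is whichever page carries the Azure Login content element.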
Configure in TYPO3
Enter the collected credentials (Tenant ID, Client ID, Client Secret, frontend redirect URI) in the TYPO3 backend module at Web > Azure Login. The backend redirect URI is shown as a read-only field with a copy button.
See Configuration for details.