Configuration 

Backend module (recommended) 

The recommended way to configure Azure credentials is via the dedicated backend module. This allows you to manage credentials per TYPO3 site, so each site can use its own Azure app registration.

1. Open the backend module

   In the TYPO3 backend, navigate to Web > Azure Login.

2. Select a page in the page tree

   Click on any page that belongs to the site you want to configure. The module automatically resolves the site root page from the TYPO3 Site Configuration.

3. Fill in the credentials

   The form displays the following fields:

   Tenant ID

   Tenant ID

   type

   string

   The Directory (tenant) ID from your Microsoft Entra ID app registration.

   Client ID

   Client ID

   type

   string

   The Application (client) ID from your Microsoft Entra ID app registration.

   Client Secret

   Client Secret

   type

   string (password)

   The Client Secret Value from your Microsoft Entra ID app registration.

   Attention

   This is the secret Value, not the Secret ID.

   The secret is encrypted using PHP Sodium before being stored in the database. It is never displayed in the form after saving. If a secret is already stored, a green indicator is shown. Leave the field empty to keep the existing secret, or enter a new value to replace it.

   Redirect URI (Frontend)

   Redirect URI (Frontend)

   type

   string (URL)

   The OAuth callback URL for frontend login. This must match one of the redirect URIs registered in your Azure app.

   Example: https://your-domain.com/your-login-page

   Redirect URI (Backend)

   Redirect URI (Backend)

   type

   read-only (auto-generated)

   The OAuth callback URL for backend login, automatically derived from the registered backend route. This field is read-only and shown with a copy button. Register this URL as a redirect URI in your Azure app.

   Example: https://your-domain.com/typo3/azure-login/callback

   Note

   This URL is generated from the route configuration in Configuration/Backend/Routes.php and cannot be changed manually.

4. Save

   Click the save button in the document header. A success message confirms the configuration has been saved.

Extension settings (fallback) 

As a fallback, global credentials can be configured via Extension Configuration in the TYPO3 backend (Admin Tools > Settings > Extension Configuration > ok_azure_login).

These global settings are used when no per-site database configuration exists for the current site. This is useful for simple single-site installations or as a migration path from older versions of the extension.

The following settings are available:

Configuration resolution order 

The extension resolves Azure credentials in the following order:

1. Database configuration for the current site root page (from the backend module)
2. Extension Configuration (global fallback from ext_conf_template.txt)

If a database record exists for the site but has an empty Tenant ID, it is treated as unconfigured and the extension falls back to Extension Configuration.

TypoScript configuration 

The extension registers a static TypoScript template Azure Login that configures the Fluid template paths. Include it via the Template module (see Installation).

You can override the template paths via TypoScript constants:

plugin.tx_okazurelogin_login {
    view {
        templateRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Templates/
        partialRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Partials/
        layoutRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Layouts/
    }
}

Content element settings 

Azure Login (frontend login)

Button Theme

Choose between a dark or light Microsoft button style.

Azure Logout (frontend logout)

Button Theme

Choose between a dark or light Microsoft button style.

Microsoft Sign-Out

When enabled, the user is redirected to the Microsoft logout endpoint to sign them out of Microsoft as well as TYPO3.

Redirect URL

Custom URL to redirect to after logout. Defaults to the site root.

How it works 

The authentication flow is handled entirely by the extension:

1. The content element renders a "Sign in with Microsoft" button linking to the Microsoft Entra ID authorization endpoint.
2. The user authenticates at Microsoft and is redirected back with an authorization code.
3. A PSR-15 middleware intercepts the callback, exchanges the code for user information via the Microsoft Graph API, and injects the user data into the TYPO3 authentication chain.
4. The TYPO3 authentication service looks up the user by email in the appropriate user table (fe_users or be_users).
5. If a matching, non-disabled user is found, they are logged in and redirected to the return URL.

Security notes 

• Encrypted secrets: Client secrets stored via the backend module are encrypted at rest using PHP Sodium (sodium_crypto_secretbox). The encryption key is derived from TYPO3's encryptionKey.
• HMAC-signed state: The OAuth state parameter is HMAC-signed using TYPO3's encryptionKey and has a 10-minute TTL to prevent CSRF and replay attacks.
• Per-site isolation: Each TYPO3 site can have its own Azure credentials, preventing credential leakage across multi-site installations.
• Never commit client secrets to version control.
• Use separate Azure app registrations for development, staging, and production environments.
• Rotate client secrets regularly before their expiration date.