Frequently Asked Questions (FAQ)
See chapter Installation.
Yes. The extension matches the authenticated Microsoft account to an existing fe_users or be_users record by email address. If no matching record is found, the login is rejected. The extension does not create new user accounts automatically.
Yes. For frontend login, add the Azure Login content element to a page. For backend login, the extension automatically adds a "Sign in with Microsoft" tab to the TYPO3 backend login screen. The frontend redirect URI must be configured manually. The backend redirect URI is auto-generated and can be copied from the backend configuration module. Both URIs must be registered in Microsoft Entra ID.
The extension requires delegated permissions only: openid, profile, and User.Read. No application permissions are needed.
See the Azure Entra ID setup for details.
The recommended method is the backend module at Web > Azure Login. This allows per-site configuration with encrypted client secret storage.
As a fallback, global credentials can be set via Admin Tools > Settings > Extension Configuration > ok_azure_login.
See chapter Configuration.
Yes. The backend module stores configuration per TYPO3 site root page. Click on any page belonging to a site in the page tree, and the module resolves the correct site automatically. Each site can have its own Tenant ID, Client ID, Client Secret, and frontend redirect URI. The backend redirect URI is auto-generated from the route configuration.
When configured via the backend module, the client secret is encrypted using PHP Sodium (sodium_crypto_secretbox) before being stored in the database. The encryption key is derived from TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].
The secret is never displayed in the backend module after saving.
Warning
If the TYPO3 encryption key is not set, the backend module shows a warning. Secrets stored via Extension Configuration (fallback) are not encrypted.
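The storage scheme described above, sketched as an added example (not the extension's own code). The function names, the BLAKE2b key derivation and the nonce-prefixed base64 storage format are assumptions; the page only states that sodium_crypto_secretbox is used with a key derived from the TYPO3 encryption key.

```php
<?php
declare(strict_types=1);

// Assumption: the 32-byte secretbox key is a BLAKE2b hash of the TYPO3
// encryption key. The extension's real derivation may differ.
function deriveKey(string $typo3EncryptionKey): string
{
    if ($typo3EncryptionKey === '') {
        throw new RuntimeException('TYPO3 encryptionKey is not set');
    }
    return sodium_crypto_generichash($typo3EncryptionKey, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

function encryptSecret(string $plaintext, string $typo3EncryptionKey): string
{
    $key = deriveKey($typo3EncryptionKey);
    // Fresh random nonce per encryption; it is not secret and is stored with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key);
    return base64_encode($nonce . $cipher);
}

function decryptSecret(string $stored, string $typo3EncryptionKey): string
{
    $raw = base64_decode($stored, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Stored secret is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key = deriveKey($typo3EncryptionKey);
    // secretbox is authenticated: a wrong key or modified data returns false.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Constructed sample values, not real credentials.
$stored = encryptSecret('constructed-client-secret', 'constructed-encryption-key-A');
echo decryptSecret($stored, 'constructed-encryption-key-A'), PHP_EOL;
try {
    decryptSecret($stored, 'constructed-encryption-key-B');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Because the key is derived from the TYPO3 encryption key, a secret encrypted under one encryption key cannot be decrypted once that key changes, which is what the second call demonstrates.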
See chapter Where to get help.