Azure Login

Extension key: ok_azure_login
Package name: oliverkroener/ok-azure-login
Version: 4.0
Language: en
Author: Oliver Kroener <https://www.oliver-kroener.de> & Contributors
License: This document is published under the Open Publication License.
Rendered: Sat, 14 Feb 2026 22:58:28 +0000

Note

Purpose: Enables TYPO3 frontend and backend user login via Microsoft Entra ID (formerly Azure AD)
Authentication: Uses OAuth 2.0 authorization code flow with HMAC-signed state parameter
API Integration: Retrieves user profile via Microsoft Graph API /me endpoint
Flexibility: Supports both frontend (fe_users) and backend (be_users) authentication
Per-site configuration: Manage Azure credentials per TYPO3 site via a dedicated backend module
Security: Client secrets are encrypted at rest using PHP Sodium

Installation

How to install this extension via Composer and add the content elements to your TYPO3 site.

Configuration

Configure Azure credentials per site using the backend module or via global extension settings as fallback.

Frequently Asked Questions (FAQ)

Common questions about setup and usage.

Get Help

Where to get help and how to report issues.

Installation

Install with Composer

Note

Composer is the recommended way to install this extension.

Install the extension via Composer:

composer req oliverkroener/ok-azure-login

After installation, update the database schema to create the configuration table:

vendor/bin/typo3 database:updateschema

See also Installing extensions in the TYPO3 Getting Started guide.

Include the static TypoScript

In the TYPO3 backend, go to the Template module
Select the root page of your site
Choose Info/Modify and click Edit the whole template record
Switch to the Includes tab
Add Azure Login from the list of available static templates

Add the content elements

The extension provides two content elements, available under the Azure Login group in the New Content Element Wizard:

Azure Login: Renders a "Sign in with Microsoft" button. When a user authenticates via Microsoft Entra ID, the extension matches their email to an existing fe_users record and logs them in.
Azure Logout: Renders a "Sign out" button for logged-in users. Can optionally redirect to the Microsoft logout endpoint to sign the user out of Microsoft as well.

To add them:

Go to the Page module and select the page where the login or logout button should appear
Click Create new content element
Select from the Azure Login group: either Azure Login or Azure Logout
Configure the element settings (button theme, redirect URL, etc.) as needed
Save and clear caches

Backend login

The extension automatically registers a backend login provider. Once configured (see Configuration), a "Sign in with Microsoft" button appears as a separate tab on the TYPO3 backend login screen at /typo3/.

No additional setup is needed for backend login beyond configuring the Azure credentials. The backend redirect URI is automatically derived from the route configuration and shown as a read-only field with a copy button in the backend module. Register this URL in your Azure app registration.

Configuration of Microsoft Entra ID (formerly Azure AD)

This guide walks you through registering an application in Microsoft Entra ID so the extension can authenticate users via the OAuth 2.0 authorization code flow.

Attention

The Client ID can be found on the overview page in Azure and must not be confused with the Client Secret ID. For the secret configuration, only the Secret Value itself is required, not the Secret ID.

Note

This guide assumes you have administrative access to Microsoft Entra ID and the necessary permissions to register applications.

Register an application in Microsoft Entra ID

Go to https://portal.azure.com and navigate to Microsoft Entra ID > App registrations.
Configure the application
- Name: Choose a descriptive name (e.g., "TYPO3 Azure Login").
- Supported account types: Select "Accounts in this organizational directory only (Single tenant)".
Add redirect URIs

Under Redirect URI, select Web and add the callback URLs that match your TYPO3 site:
- Frontend: https://your-domain.com/your-login-page (the page containing the Azure Login content element)
- Backend: https://your-domain.com/typo3/azure-login/callback
Tip

You can add multiple redirect URIs later in the Authentication section of the app registration. The frontend redirect URI should point to the page where Microsoft redirects the user after authentication.

The backend redirect URI is automatically generated by the extension from its route configuration. You can find and copy it in the backend configuration module (Web > Azure Login > Backend config). It always uses the path /typo3/azure-login/callback.

If you run a multi-site setup with different domains, add redirect URIs for each domain.

Click Register.
Collect Tenant ID and Client ID

On the Overview page, note down:
- Directory (tenant) ID -- this is the Tenant ID
- Application (client) ID -- this is the Client ID
Attention

The Client ID is the Application ID on the overview page. Do not confuse it with the Secret ID shown in the next step.
Create a client secret
- Navigate to Certificates & secrets > Client secrets
- Click New client secret
- Enter a description and choose an expiration period
- Click Add
Attention
- Copy the Secret Value immediately after creation -- it will not be shown again.
- Manage the expiration and renew the secret before it expires to maintain uninterrupted service.
- The Secret Value is sensitive information. Store it securely and do not expose it in public repositories or logs.
Configure API permissions

The extension uses the authorization code flow with delegated permissions (not application permissions). It requests the following scopes:
- openid -- Sign-in
- profile -- Basic user profile
- User.Read -- Read the signed-in user's profile (email, display name)
To configure:
- Navigate to API permissions
- Click Add a permission > Microsoft Graph > Delegated permissions
- Select: openid, profile, User.Read
- Click Add permissions
- Click Grant admin consent for [Your Organization]
Note

Unlike server-to-server integrations, this extension authenticates on behalf of the user. Only delegated permissions are needed -- application permissions are not required.
Configure in TYPO3

Enter the collected credentials (Tenant ID, Client ID, Client Secret, frontend redirect URI) in the TYPO3 backend module at Web > Azure Login. The backend redirect URI is shown as a read-only field with a copy button.

See Configuration for details.

Configuration

After completing the Microsoft Entra ID setup, configure the extension in TYPO3 with the credentials obtained from Azure.

Backend module (recommended)

The recommended way to configure Azure credentials is via the dedicated backend module. This allows you to manage credentials per TYPO3 site, so each site can use its own Azure app registration.

Open the backend module

In the TYPO3 backend, navigate to Web > Azure Login.
Select a page in the page tree

Click on any page that belongs to the site you want to configure. The module automatically resolves the site root page from the TYPO3 Site Configuration.
Fill in the credentials

The form displays the following fields:

Tenant ID

Tenant ID

type

string

The Directory (tenant) ID from your Microsoft Entra ID app registration.

Client ID

Client ID

type

string

The Application (client) ID from your Microsoft Entra ID app registration.

Client Secret

Client Secret

type

string (password)

The Client Secret Value from your Microsoft Entra ID app registration.

Attention

This is the secret Value, not the Secret ID.

The secret is encrypted using PHP Sodium before being stored in the database. It is never displayed in the form after saving. If a secret is already stored, a green indicator is shown. Leave the field empty to keep the existing secret, or enter a new value to replace it.

Redirect URI (Frontend)

Redirect URI (Frontend)

type

string (URL)

The OAuth callback URL for frontend login. This must match one of the redirect URIs registered in your Azure app.

Example: https://your-domain.com/your-login-page

Redirect URI (Backend)

Redirect URI (Backend)

type

read-only (auto-generated)

The OAuth callback URL for backend login, automatically derived from the registered backend route. This field is read-only and shown with a copy button. Register this URL as a redirect URI in your Azure app.

Example: https://your-domain.com/typo3/azure-login/callback

Note

This URL is generated from the route configuration in Configuration/Backend/Routes.php and cannot be changed manually.
Save

Click the save button in the document header. A success message confirms the configuration has been saved.

Important

The backend module requires admin access. It is only available to TYPO3 administrators.

Encryption

Client secrets are encrypted at rest using PHP Sodium authenticated encryption (sodium_crypto_secretbox). The encryption key is derived from TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].

Warning

If the TYPO3 encryption key is not set, the backend module displays a warning and secrets cannot be encrypted. Configure the encryption key in the Install Tool before saving credentials.

If the encryption key changes after secrets have been saved, previously encrypted secrets become unreadable and must be re-entered.

Extension settings (fallback)

As a fallback, global credentials can be configured via Extension Configuration in the TYPO3 backend (Admin Tools > Settings > Extension Configuration > ok_azure_login).

These global settings are used when no per-site database configuration exists for the current site. This is useful for simple single-site installations or as a migration path from older versions of the extension.

The following settings are available:

tenantId

type: string
Default: (empty)

The Directory (tenant) ID from your Microsoft Entra ID app registration.

clientId

type: string
Default: (empty)

The Application (client) ID from your Microsoft Entra ID app registration.

clientSecret

type: string
Default: (empty)

The Client Secret Value from your Microsoft Entra ID app registration.

Attention

This is the secret Value, not the Secret ID. Note that secrets stored via Extension Configuration are not encrypted.

redirectUriFrontend

type: string
Default: (empty)

The OAuth callback URL for frontend login.

Example: https://your-domain.com/your-login-page

redirectUriBackend

type: string
Default: (empty)

Deprecated. The backend redirect URI is now automatically derived from the registered backend route (/typo3/azure-login/callback). This setting is ignored when using database configuration. It may still be used as a fallback in Extension Configuration for legacy setups.

Configuration resolution order

The extension resolves Azure credentials in the following order:

Database configuration for the current site root page (from the backend module)
Extension Configuration (global fallback from ext_conf_template.txt)

If a database record exists for the site but has an empty Tenant ID, it is treated as unconfigured and the extension falls back to Extension Configuration.

TypoScript configuration

The extension registers a static TypoScript template Azure Login that configures the Fluid template paths. Include it via the Template module (see Installation).

You can override the template paths via TypoScript constants:

plugin.tx_okazurelogin_login {
    view {
        templateRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Templates/
        partialRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Partials/
        layoutRootPath = EXT:your_sitepackage/Resources/Private/Extensions/OkAzureLogin/Layouts/
    }
}

Content element settings

Azure Login (frontend login)

Button Theme: Choose between a dark or light Microsoft button style.

Azure Logout (frontend logout)

Button Theme: Choose between a dark or light Microsoft button style.
Microsoft Sign-Out: When enabled, the user is redirected to the Microsoft logout endpoint to sign them out of Microsoft as well as TYPO3.
Redirect URL: Custom URL to redirect to after logout. Defaults to the site root.

How it works

The authentication flow is handled entirely by the extension:

The content element renders a "Sign in with Microsoft" button linking to the Microsoft Entra ID authorization endpoint.
The user authenticates at Microsoft and is redirected back with an authorization code.
A PSR-15 middleware intercepts the callback, exchanges the code for user information via the Microsoft Graph API, and injects the user data into the TYPO3 authentication chain.
The TYPO3 authentication service looks up the user by email in the appropriate user table (fe_users or be_users).
If a matching, non-disabled user is found, they are logged in and redirected to the return URL.

Important

The extension does not create new user accounts. A matching fe_users or be_users record with the same email address must already exist in TYPO3.

Security notes

Encrypted secrets: Client secrets stored via the backend module are encrypted at rest using PHP Sodium (sodium_crypto_secretbox). The encryption key is derived from TYPO3's encryptionKey.
HMAC-signed state: The OAuth state parameter is HMAC-signed using TYPO3's encryptionKey and has a 10-minute TTL to prevent CSRF and replay attacks.
Per-site isolation: Each TYPO3 site can have its own Azure credentials, preventing credential leakage across multi-site installations.
Never commit client secrets to version control.
Use separate Azure app registrations for development, staging, and production environments.
Rotate client secrets regularly before their expiration date.

Frequently Asked Questions (FAQ)

See chapter Installation.

Yes. The extension matches the authenticated Microsoft account to an existing fe_users or be_users record by email address. If no matching record is found, the login is rejected. The extension does not create new user accounts automatically.

Yes. For frontend login, add the Azure Login content element to a page. For backend login, the extension automatically adds a "Sign in with Microsoft" tab to the TYPO3 backend login screen. The frontend redirect URI must be configured manually. The backend redirect URI is auto-generated and can be copied from the backend configuration module. Both URIs must be registered in Microsoft Entra ID.

The extension requires delegated permissions only: openid, profile, and User.Read. No application permissions are needed. See the Azure Entra ID setup for details.

The recommended method is the backend module at Web > Azure Login. This allows per-site configuration with encrypted client secret storage.

As a fallback, global credentials can be set via Admin Tools > Settings > Extension Configuration > ok_azure_login.

See chapter Configuration.

Yes. The backend module stores configuration per TYPO3 site root page. Click on any page belonging to a site in the page tree, and the module resolves the correct site automatically. Each site can have its own Tenant ID, Client ID, Client Secret, and frontend redirect URI. The backend redirect URI is auto-generated from the route configuration.

When configured via the backend module, the client secret is encrypted using PHP Sodium (sodium_crypto_secretbox) before being stored in the database. The encryption key is derived from TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].

The secret is never displayed in the backend module after saving.

Warning

If the TYPO3 encryption key is not set, the backend module shows a warning. Secrets stored via Extension Configuration (fallback) are not encrypted.

See chapter Where to get help.

Where to get help

Note

You can get help in the TYPO3 Slack, ask a question in the official TYPO3 forum, or contact the extension author.

Visit oliver-kroener.de to contact the author directly.

Report Issues

Attention

You can report issues at https://github.com/oliverkroener/ok-azure-login/issues.

Installation

Install with Composer

Include the static TypoScript

Add the content elements

Configuration of Microsoft Entra ID (formerly Azure AD)

Configuration

Backend module (recommended)

Encryption

Extension settings (fallback)

Configuration resolution order

TypoScript configuration

Content element settings

How it works

Security notes

Frequently Asked Questions (FAQ)

Where to get help

Report Issues

Sitemap

Index

Azure Login

Installation

Microsoft Entra ID Setup

Configuration

Frequently Asked Questions (FAQ)

Get Help

Installation

Install with Composer

Include the static TypoScript

Add the content elements

Backend login

Configuration of Microsoft Entra ID (formerly Azure AD)

Configuration

Backend module (recommended)

Tenant ID

Client ID

Client Secret

Redirect URI (Frontend)

Redirect URI (Backend)

Encryption

Extension settings (fallback)

tenantId

clientId

clientSecret

redirectUriFrontend

redirectUriBackend

Configuration resolution order

TypoScript configuration

Content element settings

How it works

Security notes

Frequently Asked Questions (FAQ)

How do I install this extension?

Do users need to exist in TYPO3 before they can log in?

Can I use this for both frontend and backend login?

Which Microsoft Graph API permissions are needed?

Where do I configure the Azure credentials?

Can I use different Azure credentials per site?

How is the client secret stored?

Where can I get help?

Where to get help

Report Issues

Sitemap

Index