From d39f5253bfedbb6167ba28c8628ca96709630d82 Mon Sep 17 00:00:00 2001
From: nilsteampassnet <nils@teampass.net>
Date: Sun, 8 Sep 2024 19:14:14 +0200
Subject: [PATCH] 3.1.2

OAuth2 with Microsoft Entra is now available
---
 docs/features/authentication.md               |  39 ++++
 includes/config/include.php                   |   4 +-
 includes/core/load.js.php                     |   3 +-
 includes/core/login.js.php                    |  88 ++++++--
 includes/core/login.oauth2.php                |  44 ++++
 includes/core/login.php                       |  37 +++-
 includes/core/login.sso.php                   |  16 --
 includes/language/bulgarian.php               |   1 +
 includes/language/catalan.php                 |   1 +
 includes/language/chinese.php                 |   1 +
 includes/language/czech.php                   |   1 +
 includes/language/dutch.php                   |   1 +
 includes/language/english.php                 |   3 +-
 includes/language/estonian.php                |   1 +
 includes/language/french.php                  |   1 +
 includes/language/german.php                  | 139 ++++++------
 includes/language/greek.php                   |   1 +
 includes/language/hungarian.php               |   1 +
 includes/language/italian.php                 |   1 +
 includes/language/japanese.php                |   1 +
 includes/language/norwegian.php               |   1 +
 includes/language/polish.php                  |   1 +
 includes/language/portuguese.php              |   1 +
 includes/language/portuguese_br.php           |   1 +
 includes/language/romanian.php                |   1 +
 includes/language/russian.php                 |   1 +
 includes/language/spanish.php                 |   1 +
 includes/language/swedish.php                 |   1 +
 includes/language/turkish.php                 |   1 +
 includes/language/ukrainian.php               |   1 +
 includes/language/vietnamese.php              |   1 +
 includes/tables_integrity.json                |  34 +--
 index.php                                     |  15 +-
 pages/oauth.php                               |  56 +----
 sources/identify.php                          | 200 ++++++++++++++----
 sources/main.functions.php                    |  68 +++++-
 sources/main.queries.php                      |  47 ----
 .../src/AzureAuthController.php               | 158 +++++++++++++-
 .../performchecks/src/PerformChecks.php       |   2 +-
 39 files changed, 685 insertions(+), 290 deletions(-)
 create mode 100644 includes/core/login.oauth2.php
 delete mode 100644 includes/core/login.sso.php

diff --git a/docs/features/authentication.md b/docs/features/authentication.md
index 62e7fd0f6..3a69fc785 100755
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -86,3 +86,42 @@ If disabled for a user, a red fingerprint symbol is shown in the users list.
 
 ![Settings tasks options](../_media/tp3_auth_mfa_3.png)
 
+
+## Oauth2 with Microsoft Entra (Azure)
+
+Users can authenticate through your Entra AD. The first time a user is authenticate in Teampass through oauth2, his account will be created in Teampass.
+
+👉 Notice that if the user has `group memberships` defined in AD and that those groups also exist in Teampass, then the user will be automatically associated to the matching groups (based upon their names).
+
+### Setting up at Entra side
+
+You need to create a new `App registration` for example called `Teampass`.
+
+This App will have an `Application (client) ID` and a `Directory (tenant) ID`.
+A `Client secret` is also expected, not the `Secret ID` but the `Value` (the one that is only seen once).
+
+You will have to define a new `Redirect URIs` with the value provided from Teampass OAuth configuration page.
+And it is suggested to use option `Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)` as `Supported account types`.
+
+Now define `API permissions` with next permissions:
+
+* `Microsoft Graph`:
+  * `email` with Type `Delegated`
+  * `Group.Read.All` with Type `Delegated`
+  * `Group.Read.All` with Type `Application`
+  * `offline_access` with Type `Delegated`
+  * `openid` with Type `Delegated`
+  * `profile` with Type `Delegated`
+  * `User.Read` with Type `Delegated`
+* `Teampass`:
+  * `Read.All` with Type `Delegated`
+
+Don't forget to `Grant admin consent for Default Directory`.
+
+Finaly define the users allowaed to access this new Application
+
+### Setting up in Teampass
+
+Navigate to `OAuth` page from the administration, and provide the expected information.
+
+It is suggested to perform a test with a fake user.
\ No newline at end of file
diff --git a/includes/config/include.php b/includes/config/include.php
index 3d7567c01..cd9f67993 100755
--- a/includes/config/include.php
+++ b/includes/config/include.php
@@ -28,7 +28,7 @@
 
 define('TP_VERSION', '3.1.2');
 define("UPGRADE_MIN_DATE", "1724862801");
-define('TP_VERSION_MINOR', '61');
+define('TP_VERSION_MINOR', '63');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);
@@ -40,7 +40,7 @@
 define('TP_COPYRIGHT', '2009-'.date('Y'));
 define('TP_ALLOWED_TAGS', '<b><i><sup><sub><em><strong><u><br><br /><a><strike><ul><blockquote><blockquote><img><li><h1><h2><h3><h4><h5><ol><small><font>');
 define('TP_FILE_PREFIX', 'EncryptedFile_');
-define('NUMBER_ITEMS_IN_BATCH', 1000);
+define('NUMBER_ITEMS_IN_BATCH', 100);
 define('WIP', false);
 define('UPGRADE_SEND_EMAILS', true);
 define('KEY_LENGTH', 16);
diff --git a/includes/core/load.js.php b/includes/core/load.js.php
index 104c7b868..02588b923 100755
--- a/includes/core/load.js.php
+++ b/includes/core/load.js.php
@@ -559,7 +559,8 @@ function(data) {
                         '<?php echo $lang->get('generate_new_keys_info'); ?>' +
                     '</div>' +
                     '<div class="hidden" id="new-encryption-div">' +
-                        '<div class="row">' +
+                     
+                        '<div class="row'+((store.get('teampassUser').auth_type !== 'ldap' && store.get('teampassUser').auth_type !== 'oauth2') ? '' : ' hidden') + '">' +
                             '<div class="input-group mb-2">' +
                                 '<div class="input-group-prepend">' +
                                     '<span class="input-group-text"><?php echo $lang->get('confirm_password'); ?></span>' +
diff --git a/includes/core/login.js.php b/includes/core/login.js.php
index 73105d45a..aaba6472e 100755
--- a/includes/core/login.js.php
+++ b/includes/core/login.js.php
@@ -31,7 +31,7 @@
 
 ?>
 <script type="text/javascript">
-    var debugJavascript = false;
+    var debugJavascript = true;
 
     // On page load
     $(function() {
@@ -58,7 +58,7 @@
         $('#login').focus();
 
         // Page has beed reloaded due to session key inconsistency
-        if (store.get('teampassUser') !== null && typeof store.get('teampassUser') !== 'undefined'&& store.get('teampassUser').page_reload === 1) {
+        if (store.get('teampassUser') !== null && typeof store.get('teampassUser') !== 'undefined' && store.get('teampassUser').page_reload === 1) {
             // Set previous values
             $("#pw").val(store.get('teampassUser').pwd);
             $("#login").val(store.get('teampassUser').login);
@@ -74,6 +74,40 @@ function(teampassUser) {
             );
         }
 
+        // Manage case of oauth2 login
+        var userOauth2Info = <?php echo empty($userOauth2InfoJson) ? 'null' : $userOauth2InfoJson; ?>;
+        // Case of oauth2 login
+        if (userOauth2Info !== null && userOauth2Info['oauth2TokenUsed'] === false) {
+            // disable token
+            userOauth2Info['oauth2TokenUsed'] = true;
+            // get the Teampass login from userPrincipalName
+            userOauth2Info['login'] = userOauth2Info['userPrincipalName'].split("@")[0];
+
+            // manage cryto ID
+            function hashUserId(userId) {
+                const hash = CryptoJS.SHA256(userId);
+                return hash.toString(CryptoJS.enc.Hex).substring(0, 16);
+            }
+            $("#pw").val(hashUserId(userOauth2Info['id']));
+            
+            // store userOauth2Info   
+            store.set(
+                'userOauth2Info', userOauth2Info
+            );
+            
+            if (debugJavascript === true) {
+                console.log("We have an oauth2 login");
+            }
+
+            // launch identification process inside Teampass.
+            launchIdentify(false, "", "", false);
+        } else {
+            // clear userOauth2Info
+            store.set(
+                'userOauth2Info', ''
+            );
+        }
+
         // Prepare iCheck format for checkboxes
         $('input[type="checkbox"].flat-blue').iCheck({
             checkboxClass: 'icheckbox_flat-blue'
@@ -100,7 +134,7 @@ function(teampassUser) {
             
             // Launch identification process inside Teampass.
             if (debugJavascript === true) {
-                console.log('User starts auth');
+                console.log('User starts auth through Duo');
             }
             
             launchIdentify(true, '<?php isset($nextUrl) === true ? $nextUrl : ''; ?>');
@@ -109,25 +143,28 @@ function(teampassUser) {
         // Click on log in button
         $('#but_identify_user').click(function() {
             if (debugJavascript === true) {
-                console.log('User starts auth');
+                console.log('User starts auth through button but_identify_user click');
             }
             launchIdentify(false, '<?php isset($nextUrl) === true ? $nextUrl : ''; ?>');
         });
 
         // Click on log in button with Azure Entra
-        if($("#but_login_with_sso").length > 0) {
-            $('#but_login_with_sso').click(function() {
+        if($("#but_login_with_oauth2").length > 0) {
+            $('#but_login_with_oauth2').click(function() {
                 if (debugJavascript === true) {
-                    console.log('User starts auth with Azure');
-                }
+                console.log('User starts auth through button but_login_with_oauth2 click');
+            }
+                $('#but_login_with_oauth2, #but_identify_user').prop('disabled', true);
                 launchIdentify(false, '<?php isset($nextUrl) === true ? $nextUrl : ''; ?>', false, true);
             });
         }
-
+        
         // Relaunch authentication
-        if (($("#pw").val() !== "" || $("#login").val() !== "")) {
+        if (($("#pw").val() !== "" || $("#login").val() !== "") && store.get('userOauth2Info').oauth2LoginOngoing === false) {
             $(this).delay(500).queue(function() {
-                document.getElementById('but_identify_user').click();
+                if($("#but_identify_user").length > 0) {
+                    document.getElementById('but_identify_user').click();
+                }
                 $(this).dequeue();
             });
         }
@@ -506,11 +543,18 @@ function(data) {
     /**
      * 
      */
-    function launchIdentify(isDuo, redirect, psk, sso = false) {
+    function launchIdentify(isDuo, redirect, psk, oauth2 = false) {
         if (redirect == undefined) {
             redirect = ""; //Check if redirection
         }
 
+        // manage OAUTH2 login
+        // in this case we need to redirect in order to load oauth2 login page
+        if (oauth2 === true) {
+            document.location.href="includes/core/login.oauth2.php";
+            return false;
+        }
+
         // Check credentials are set
         if (($("#pw").val() === "" || $("#login").val() === "") && isDuo !== true) {
             // Show warning
@@ -569,12 +613,6 @@ function launchIdentify(isDuo, redirect, psk, sso = false) {
             console.log('KEY : <?php echo $session->get('key'); ?>')
         }
 
-        // manage SSO login
-        if (sso === true) {
-            document.location.href="includes/core/login.sso.php";
-            return false;
-        }
-
         // Get 2fa
         //TODO : je pense que cela pourrait etre modifié pour ne pas faire de requete ajax ; on dispose des infos via `get_teampass_settings`
         $.post(
@@ -586,7 +624,6 @@ function launchIdentify(isDuo, redirect, psk, sso = false) {
                 }
             },
             function(data) {
-                //data = prepareExchangedData(data, 'decode', "<?php echo $session->get('key'); ?>");
                 data = JSON.parse(data);
 
                 // Handle the case where the user doesn't exists.
@@ -711,16 +748,19 @@ function(teampassUser) {
 
                 if (debugJavascript === true) {
                     console.log('Data submitted to identifyUser:');
-                    console.log(mfaData);
+                    console.log({...mfaData, ...store.get('userOauth2Info')});
                 }
                 
-                identifyUser(redirect, psk, mfaData, randomstring);
+                identifyUser(redirect, psk, mfaData, randomstring, store.get('userOauth2Info'));
+
+                // Clear userOauth2Info
+                //store.set('userOauth2Info', '');
             }
         );
     }
 
     //Identify user
-    function identifyUser(redirect, psk, data, randomstring) {
+    function identifyUser(redirect, psk, data, randomstring, oauth2Info) {
         var old_data = data;
         // Check if session is still existing
         //send query
@@ -729,7 +769,7 @@ function identifyUser(redirect, psk, data, randomstring) {
                 type: "identify_user",
                 login: $('#login').val(),
                 data: prepareExchangedData(
-                    JSON.stringify(data),
+                    JSON.stringify({...data, ...oauth2Info}),
                     'encode',
                     '<?php echo $session->get('key'); ?>'
                 ),
@@ -881,6 +921,8 @@ function(teampassUser) {
                     }
                 }
 
+                $('#but_login_with_oauth2, #but_identify_user').prop('disabled', false);
+
                 // Clear Yubico
                 if ($("#yubico_key").length > 0) {
                     $("#yubico_key, #yubico_user_id, #yubico_user_key").val("");
diff --git a/includes/core/login.oauth2.php b/includes/core/login.oauth2.php
new file mode 100644
index 000000000..a54b4e49a
--- /dev/null
+++ b/includes/core/login.oauth2.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Teampass - a collaborative passwords manager.
+ * ---
+ * This file is part of the TeamPass project.
+ * 
+ * TeamPass is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3 of the License.
+ * 
+ * TeamPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ * 
+ * Certain components of this file may be under different licenses. For
+ * details, see the `licenses` directory or individual file headers.
+ * ---
+ * @file      login.oauth2.php
+ * @author    Nils Laumaillé (nils@teampass.net)
+ * @copyright 2009-2024 Teampass.net
+ * @license   GPL-3.0
+ * @see       https://www.teampass.net
+ */
+
+use TeampassClasses\AzureAuthController\AzureAuthController;
+session_start();
+require_once __DIR__. '/../../includes/config/include.php';
+require_once __DIR__.'/../../sources/main.functions.php';
+
+// init
+loadClasses();
+
+// Création d'une instance du contrôleur
+$azureAuth = new AzureAuthController($SETTINGS);
+
+// Redirection vers Azure pour l'authentification
+$azureAuth->redirect();
diff --git a/includes/core/login.php b/includes/core/login.php
index 0ff5343c1..c80881b60 100755
--- a/includes/core/login.php
+++ b/includes/core/login.php
@@ -53,18 +53,45 @@
     $get['duo_code'] = $request->query->get('duo_code');
 }
 
+// Manage case of Oauth2 login
 if (isset($_GET['code']) === true && isset($_GET['state']) === true && $get['post_type'] === 'oauth2') {
     $get['code'] = filter_var($_GET['code'], FILTER_SANITIZE_SPECIAL_CHARS);
     $get['state'] = filter_var($_GET['state'], FILTER_SANITIZE_SPECIAL_CHARS);
     $get['session_state'] = filter_var($_GET['session_state'], FILTER_SANITIZE_SPECIAL_CHARS);
 
-    error_log('---- CALLBACK ----');
+    if (WIP === true) error_log('---- OAUTH2 START ----');
 
     // Création d'une instance du contrôleur
     $azureAuth = new AzureAuthController($SETTINGS);
 
     // Traitement de la réponse de callback Azure
-    $azureAuth->callback();
+    $userInfo = $azureAuth->callback();
+
+    if ($userInfo['error'] === false) {
+        // Si aucune erreur, stocker les informations utilisateur dans la session PHP
+
+        // Stocker les informations de l'utilisateur dans la session
+        $session->set('userOauth2Info', $userInfo['userOauth2Info']);
+
+        // Rediriger l'utilisateur vers la page d'accueil ou une page d'authentification réussie
+        header('Location: index.php');
+        exit;
+    } else {
+        // Gérer les erreurs
+        echo 'Erreur lors de la récupération des informations utilisateur : ' . $userInfo['message'];
+    };
+}
+
+// Azure step is done
+if (null !== $session->get('userOauth2Info') && empty($session->get('userOauth2Info')) === false && $session->get('userOauth2Info')['oauth2TokenUsed'] === false) {
+    // Azure step is done
+    // Check if user exists in Teampass
+    if (WIP === true) error_log('---- CALLBACK LOGIN ----');
+
+    $session->set('user-login', strstr($session->get('userOauth2Info')['userPrincipalName'], '@', true));
+
+    // Encoder les valeurs de la session en JSON
+    $userOauth2InfoJson = json_encode($session->get('userOauth2Info'));
 }
 
 echo '
@@ -220,7 +247,7 @@ function updateLogonButton(timeToGo){
         }
         updateLogonButton(seconds);
     },
-    1000
+    500
     );
 });
 </script>';
@@ -278,13 +305,13 @@ function updateLogonButton(timeToGo){
             </div>
         </div>';
         
-// SSO div
+// OAUTH2 div
 if (isKeyExistingAndEqual('oauth2_enabled', 1, $SETTINGS) === true) {
     echo '
         <hr class="mt-3 mb-3"/>
         <div class="row mb-2">
             <div class="col-12">
-                <button id="but_login_with_sso" class="btn btn-primary btn-block">' . $SETTINGS['oauth2_client_appname'] . '</button>
+                <button id="but_login_with_oauth2" class="btn btn-primary btn-block">' . $SETTINGS['oauth2_client_appname'] . '</button>
             </div>
         </div>';
 }
diff --git a/includes/core/login.sso.php b/includes/core/login.sso.php
deleted file mode 100644
index 0ec82f2fb..000000000
--- a/includes/core/login.sso.php
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-use TeampassClasses\AzureAuthController\AzureAuthController;
-session_start();
-require_once __DIR__. '/../../includes/config/include.php';
-require_once __DIR__.'/../../sources/main.functions.php';
-
-// init
-loadClasses();
-
-// MDP teampss.user c@mx5q^tL6
-
-// Création d'une instance du contrôleur
-$azureAuth = new AzureAuthController($SETTINGS);
-
-// Redirection vers Azure pour l'authentification
-$azureAuth->redirect();
diff --git a/includes/language/bulgarian.php b/includes/language/bulgarian.php
index 645bc25ac..da1a13d26 100755
--- a/includes/language/bulgarian.php
+++ b/includes/language/bulgarian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/catalan.php b/includes/language/catalan.php
index a2e102306..171ce0b4c 100755
--- a/includes/language/catalan.php
+++ b/includes/language/catalan.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/chinese.php b/includes/language/chinese.php
index fc5beb761..7167e884d 100755
--- a/includes/language/chinese.php
+++ b/includes/language/chinese.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/czech.php b/includes/language/czech.php
index 6aa5eb3e9..27d316732 100755
--- a/includes/language/czech.php
+++ b/includes/language/czech.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/dutch.php b/includes/language/dutch.php
index 29502f448..b973dd2ff 100755
--- a/includes/language/dutch.php
+++ b/includes/language/dutch.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/english.php b/includes/language/english.php
index cfca5c720..ce0e5a516 100755
--- a/includes/language/english.php
+++ b/includes/language/english.php
@@ -28,6 +28,7 @@
  * @see       https://www.teampass.net
  */
 return array(
+    'tenant_id' => 'Tenant ID',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
@@ -57,7 +58,7 @@
     'token_endpoint' => 'Token Endpoint',
     'test_configuration' => 'Test configuration',
     'setup_wizard' => 'Setup Wizard',
-    'replace_tenant_id' => 'Please enter the tenant ID  in place of {tenant-id}.',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
     'login_with_sso' => 'Login with SSO',
     'folder_created' => 'Folder created',
diff --git a/includes/language/estonian.php b/includes/language/estonian.php
index f479e1194..04d2da282 100755
--- a/includes/language/estonian.php
+++ b/includes/language/estonian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/french.php b/includes/language/french.php
index e406ffca4..ea34aa3f9 100755
--- a/includes/language/french.php
+++ b/includes/language/french.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Afficher les détails de l&apos;objet dans la liste',
     'show_item_data_tip' => 'Permet d&apos;afficher des informations supplémentaires dans la liste des éléments (nom d&apos;utilisateur, e-mail et URL). Cela peut être utile pour avoir un aperçu rapide du contenu de l&apos;élément.',
     'items_page_split_view_mode' => 'Afficher le détail d&apos;un objet sur la page des objets',
+    'replace_tenant_id' => 'Adapter l&apos;url tout en laissant {tenant-id}. Il sera remplacer lors de l&apos;appel.',
 
 );
diff --git a/includes/language/german.php b/includes/language/german.php
index 4e5c01185..f78c9f079 100755
--- a/includes/language/german.php
+++ b/includes/language/german.php
@@ -66,7 +66,7 @@
     'perform_checks' => 'Führe Überprüfungen durch',
     'email_body_temporary_encryption_code' => 'Hallo, <br><br>Dies ist eine generierte E-Mail von Teampass Passwort Manager.<br><br>Einige Änderungen wurden mit deinem Account durchgeführt, welche eine neu Verschlüsselung der Einträge benötigt für die Datensicherheit. Beim nächsten Login zu Teampass, bitte nutze diesen code:<br><br><b>#enc_code#</b><br><br><br>Herzliche Grüße',
     'temporary_encryption_code' => 'Dein temporärer Verschlüsselungscode',
-    'renecyption_expected' => 'Wir müssen Ihre Schlüssel neu verschlüsseln, um sie an die Ihrem Konto und Ihren Rechten entsprechenden Privilegien anzupassen.',
+    'renecyption_expected' => 'Wir müssen Ihre Passwörter neu verschlüsseln, um sie an die Ihrem Konto und Ihren Rechten entsprechenden Privilegien anzupassen.',
     'error_no_user_in_ad' => 'Benutzer im AD nicht gefunden',
     'error_ad_user_expired' => 'Benutzerkonto ist abgelaufen!',
     'error' => 'Fehler abgefangen',
@@ -466,7 +466,7 @@
     'create_item_based_upon_template' => 'Verwendung der Vorlage für Item',
     'create_item_based_upon_template_tip' => 'Wenn diese Funktion aktiviert ist, kann der Autor eine Vorlage auswählen, die aus benutzerdefinierten Feldern besteht. Beachten Sie, dass für diese Funktion auch benutzerdefinierte Felder aktiviert sein müssen.',
     'main_template' => 'Benutze eine Vorlage',
-    'is_mandatory' => 'Is verpflichtend',
+    'is_mandatory' => 'Ist verpflichtend',
     'error_field_is_mandatory' => 'Mindestens ein Pflichtfeld ist leer',
     'restrict_visibility_to' => 'Eingeschränkte Sichtbarkeit für',
     'every_roles' => 'Jede Rolle',
@@ -665,8 +665,8 @@
     'confirm_del_from_fav' => 'Bitte bestätigen Sie die Löschung des Favoriten',
     'connections' => 'Verbindungen',
     'copy' => 'Kopieren',
-    'copy_to_clipboard_small_icons' => 'Kleine Symbole bei Kopieren in Zwischenspeicher aktivieren',
-    'copy_to_clipboard_small_icons_tip' => 'Dies kann die Speicheranforderungen für Benutzer älterer Computer reduzieren. Die Elementinformationen werden nicht in den Zwischenspeicher geladen. Schnelles Kopieren von Benutzernamen und Passwörtern ist jedoch nicht möglich. ',
+    'copy_to_clipboard_small_icons' => 'Symbol zum <i>Kopieren</i> in Eintragsliste aktivieren',
+    'copy_to_clipboard_small_icons_tip' => 'Fügt ein Symbol hinzu, um Passwörter direkt aus der Elementliste in die Zwischenablage zu kopieren. Das Passwort kann kopiert werden, ohne den gesamten Inhalt eines Eintrags zu laden.',
     'date' => 'Datum',
     'date_format' => 'Datumsformat',
     'delete' => 'Löschen',
@@ -831,7 +831,7 @@
     'expand' => 'Aufklappen',
     'collapse' => 'Zusammenklappen',
     'settings_ldap_user_attribute' => 'Benutzerattribut durchsuchen',
-    'settings_ldap_user_attribute_tip' => 'LDAP-Attribut nach Benutzernamen durchsuchen',
+    'settings_ldap_user_attribute_tip' => 'LDAP-Attribut für den Benutzernamen.<br>Beispiel: Für openLDAP: cn ; uid. Für Active Directory:  samaccountname.',
     'log_user_initial_pwd_changed' => 'Initiales Passwort wurde gesetzt',
     'log_user_email_changed' => 'Benutzer E-Mail geändert in',
     'log_user_created' => 'Benutzer Account wurde erstellt',
@@ -989,7 +989,7 @@
     'settings_ldap_and_local_authentication_tip' => 'Aktiviere diese Option, um Benutzer Anmeldungen aus dem LDAP und Teampass Datenbank zu erlauben.',
     'enable_http_request_login' => 'Automatischesanmelden nutzt den HTTP Header mit Anmeldeinformationen',
     'duration_login_attempt' => 'Sekunden bis zur automatischen Anmeldung',
-    'newly_created_user_role' => 'Neu angelegte Benutzer erhatlen die Rolle',
+    'newly_created_user_role' => 'Neu angelegte Benutzer erhalten die Rolle',
     'email_debug_level' => 'Wähle ein Debug Level',
     'email_debug_client' => 'Client Befehle',
     'email_debug_server' => 'Client-Befehle und Server-Antworten',
@@ -1006,7 +1006,7 @@
     'settings_api_token_duration_tip' => 'Verzögerung, während der das generierte JWT-Token gültig ist. Nach dieser Verzögerung wird eine Autorisierungsanfrage an die API gestellt.',
     'show_encryption_code_to_admin' => 'Dies ist der verschlüsselte Code, den der Benutzer bei dieser Anmeldung benötigt. Sie haben darum gebeten, ihn zu sehen. Bitte kopieren Sie ihn und geben Sie ihn auf sichere Weise weiter. Der Code lautet',
     'previous_password' => 'Vorheriges Passwort genutzt, um sich Anzumelden',
-    'generate_new_otp' => 'Generate new OTP',
+    'generate_new_otp' => 'OTP neu erzeugen',
     'generate_new_otp_informations' => 'Dieser Vorgang besteht darin, alle Schlüssel für den ausgewählten Benutzer neu zu generieren. Infolgedessen muss der Benutzer bei der nächsten Anmeldung den generierte OTP neueingeben.',
     'html' => 'html',
     'execution_time' => 'Ausführungszeit',
@@ -1039,7 +1039,7 @@
     'loading_main_page' => 'Lade Hauptseite ...',
     'link' => 'Link',
     'error_not_allowed_to_authenticate' => 'Dir ist es nicht erlaubt sich anzumelden',
-    'enable_tasks_log' => 'Aktiviere Cron JOb log',
+    'enable_tasks_log' => 'Aktiviere Cron Job log',
     'enable_tasks_log_tip' => 'Ermöglicht die Protokollierung aller vom Cron-Job ausgeführten Aufgaben in der Tabelle <i>processes_log</i>. Könnte für die Überprüfung von Ereignissen nützlich sein.',
     'items_and_folders_statistics' => 'Einträge und Ordner Statistik',
     'item_copying' => 'Eintrag wird kopiert',
@@ -1058,30 +1058,30 @@
     'ad_groupe_and_roles_mapping' => 'AD Gruppen und Rollen Zuordnung ',
     'select_adgroup_mapping' => 'Select the role to map with current AD group',
     'enable_backlog_mail' => 'Enable sending backlog emails',
-    'provide_label' => 'Provide a label',
+    'provide_label' => 'Bezeichung angeben',
     'uploading' => 'Wird hochgeladen...',
     'keys_encryption_not_ready' => 'Be informed that your password keys are currently in process of being created. Please wait a few minutes more.',
     'account_not_ready' => 'Benutzerkonto im Aufbau',
     'add_new_job' => 'Neuen Auftrag hinzufügen',
-    'tasks_cron_not_running' => 'Cron job is not set. Please edit crontab with your server user (usually www-data) with command <code>crontab -u www-data -e</code>.<br>Or press the button to try its creation automatically.',
+    'tasks_cron_not_running' => 'Cron-Job ist nicht aktiv. Bitte fügen Sie den Befehl <code>crontab -u www-data -e</code> im Crontab des Server-User (normalerweise www-data) hinzu.<br>Oder drücken sie den Button um die Erstellung automatisch zu versuchen.',
     'tasks_cron_running' => 'Zeitgesteuerter Auftrag ist korrekt gesetzt',
     'currently_using_version' => 'Aktuell geladene Version',
     'git_commit_value' => 'Wert des Git Commit',
     'generate_new_keys' => 'Neue Schlüssel generieren',
     'generate_new_keys_info' => 'By continuing, you will generate new encryption keys for all objects you have access to. This should only be done if you have no password shown.',
-    'generate_new_keys_end' => 'Process is on going in background and could take several minutes. You can now close this window.',
-    'confirm_password' => 'We need you to confirm your password',
+    'generate_new_keys_end' => 'Der Vorgang läuft im Hintergrund und kann mehrere Minuten dauern. Sie können dieses Fenster schließen.',
+    'confirm_password' => 'Bitte das Passwort bestätigen',
     'no_code_is_requested' => 'No code is requested.',
     'user_encryption_ongoing' => 'Account is currently being encrypting. Your request cannot continue. Please wait until this is finished.',
-    'teampass_information' => 'Teampass information',
+    'teampass_information' => 'Informationen über Teampass',
     'show_password' => 'Zeige Passwort',
-    'new_user_info_by_mail' => 'New user will receive an email with his credentials',
-    'login_credentials' => 'Login credentials',
+    'new_user_info_by_mail' => 'Neue Benutzer bekommen eine E-Mail mit ihren Anmeldedaten',
+    'login_credentials' => 'Anmeldedaten',
     'email_body_user_config_1' => 'Hello #lastname#,<br><br>Dies ist eine generierte E-Mail des Teampass Passwords Manager.<br><br>Diese Zugangsdaten werden bei der nächsten Nutzung von Teampass erwartet:<ul><li>Benutzer: #login#</li><li>Passwort: #password#</li><li>Verschlüsselungscode: #code#</li></ul><br><br><br>Grüße',
-    'email_body_user_config_3' => 'Hello #lastname#,<br><br>This is a generated email from Teampass passwords manager.<br><br>Following password is expected next time using Teampass:<br><br><b>#password#</b><br><br><br>Cheers',
-    'email_body_user_config_4' => 'Hello #lastname#,<br><br>This is a generated email from Teampass passwords manager.<br><br>Your Teampass account is fully ready.<br><br>Cheers',
-    'email_body_user_config_5' => 'Hello #lastname#,<br><br>This is a generated email from Teampass passwords manager.<br><br>Following code is expected next time using Teampass:<br><br><b>#code#</b><br><br><br>Cheers',
-    'email_body_user_config_6' => 'Hello #lastname#,<br><br>This is a generated email from Teampass passwords manager.<br><br>Following credentials are expected next time using Teampass:<ul><li>login: #login#</li><li>Password: #password#</li></ul><br><br><br>Cheers',
+    'email_body_user_config_3' => 'Hallo #lastname#,<br><br>Dies ist eine generierte E-Mail des Teampass Passwords Manager.<br><br>Dieses Passwort wird bei der nächsten Nutzung von Teampass erwartet:<br><br><b>#password#</b><br><br><br>Grüße',
+    'email_body_user_config_4' => 'Hallo #lastname#,<br><br>Dies ist eine generierte E-Mail des Teampass Passwords Manager.<br><br>Ihr Teampass Account ist jetzt bereit.<br><br>Grüße',
+    'email_body_user_config_5' => 'Hallo #lastname#,<br><br>Dies ist eine generierte E-Mail des Teampass Passwords Manager.<br><br>Dieser Verschlüsselungscode wird bei der nächsten Nutzung von Teampass erwartet:<br><br><b>#code#</b><br><br><br>Grüße',
+    'email_body_user_config_6' => 'Hallo #lastname#,<br><br>Dies ist eine generierte E-Mail des Teampass Passwords Manager.<br><br>Diese Zugangsdaten werden bei der nächsten Nutzung von Teampass erwartet:<ul><li>Benutzer: #login#</li><li>Passwort: #password#</li></ul><br><br><br>Grüße',
     'error_data_not_valid' => 'Daten sind nicht valide',
     'mfa_enabled' => 'MFA aktiviert',
     'mfa_disabled_for_user' => 'MFA deaktiviert für Benutzer',
@@ -1095,9 +1095,9 @@
     'in_minutes' => 'in Minuten',
     'hourly' => 'Stündlich',
     'daily' => 'Täglich',
-    'clean_orphan_objects' => 'Clean orphan objects',
+    'clean_orphan_objects' => 'Verwaiste Objekte säubern',
     'run_once' => 'Ein Mal ausführen',
-    'run_weekday' => 'Run on weekday',
+    'run_weekday' => 'An Wochentagen ausführen',
     'monday' => 'Montag',
     'tuesday' => 'Dienstag',
     'wednesday' => 'Mittwoch',
@@ -1106,87 +1106,88 @@
     'saturday' => 'Samstag',
     'sunday' => 'Sonntag',
     'monthly' => 'Monatlich',
-    'day_of_month' => 'Day of month',
+    'day_of_month' => 'Tag des Monats',
     'day' => 'Tag',
     'reset' => 'Zurücksetzen',
-    'error_while_creating_file' => 'Error while creating file',
-    'new_keys_generated' => 'New keys generated',
+    'error_while_creating_file' => 'Fehler beim Erstellen der Datei',
+    'new_keys_generated' => 'Neue Schlüssel wurden generiert',
     'user_creation' => 'Benutzer-Erstellung',
     'user_deletion' => 'Benutzer-Löschung',
     'maximum_session_expiration_time' => 'Maximale Sitzungsdauer',
-    'maximum_session_expiration_time_tip' => 'Maximum time in minutes a session can be extended by a user',
+    'maximum_session_expiration_time_tip' => 'Maximale Zeit in Minuten, um die eine Sitzung verlängert werden kann',
     'index_session_duration_too_long' => 'Die Dauer der Sitzung ist zu lang',
-    'extend_session_duration_by' => 'Extend session duration by',
-    'settings_ldap_user_dn_attribute' => 'User Distinguished Name',
-    'settings_ldap_user_dn_attribute_tip' => 'The attribute label for the user Distinguished Name (DN) in the AD.<br>Example: For openLDAP: dn. For Active Directory:  distinguishedname.',
-    'open_tasks_settings' => 'Open tasks settings',
+    'extend_session_duration_by' => 'Sitzung verlängern um',
+    'settings_ldap_user_dn_attribute' => 'Benutzer Distinguished Name',
+    'settings_ldap_user_dn_attribute_tip' => 'LDAP-Attribut für Distinguished Name (DN).<br>Beispiel: Für openLDAP: dn. Für Active Directory:  distinguishedname.',
+    'open_tasks_settings' => 'Aufgaben Einstellungen',
     'maximum' => 'Maximum',
     'updated' => 'Aktualisiert',
     'number_of_days' => 'Anzahl Tage',
     'number_of_times' => 'Anzahl Wiederholungen',
     'sharekey_not_ready' => 'Sharekey not yet generated ... all item data may not be ready ... please try later',
     'item_action_not_yet_possible' => 'Action not yet possible on this item',
-    'open' => 'Open',
-    'reload_user_cache_table' => 'Reload user cache table',
-    'send_email_to_user' => 'Send email to user',
-    'items_management' => 'Items operations',
-    'previously_used_passwords' => 'Previously used passwords',
+    'open' => 'Öffnen',
+    'reload_user_cache_table' => 'Cache-Tabelle des Benutzers neu laden',
+    'send_email_to_user' => 'E-Mail an Benutzer senden',
+    'items_management' => 'Änderungen an Einträgen',
+    'previously_used_passwords' => 'Vorher genutzte Passwörter',
     'next_passwords_were_valid_until_date' => 'Next passwords were valid until date',
-    'feature_disabled_by_administrator' => 'Feature disabled by administrator',
-    'shared_globaly' => 'Shared globaly',
+    'feature_disabled_by_administrator' => 'Funktion durch Administrator deaktiviert',
+    'shared_globaly' => 'Global freigegeben',
     'settings_otv_subdomain' => 'OTV subdomain name',
     'settings_otv_subdomain_tip' => 'Dedicated subdomain for onetime links. Considere your main Teampass URL as isolated from internet, this subdomain could be reachable by everyone to share this item with someone outside your organisation. From security perspective it is a lot safer with such mechanics. Note: This would requite to have a DNS entry for this subdomain pointing to your Teampass server.',
     'existing_valid_otv_links' => 'OTV valid links',
     'started' => 'Started',
-    'recovery_keys_not_downloaded' => 'Recovery keys not downloaded',
-    'no_recovery_keys' => 'I do not have recovery keys. This will clear all passwords from my personal items.',
-    'provide_recovery_keys' => 'Provide your recovery keys',
+    'recovery_keys_not_downloaded' => 'Recovery-Schlüssel wurden nicht heruntergeladen',
+    'no_recovery_keys' => 'Ich habe keine Recovery-Schlüssel. Dies löscht alle Passwörter aus meinen persönlichen Einträgen.',
+    'provide_recovery_keys' => 'Recovery-Schlüssel angeben',
     'public_key' => 'Öffentlicher Schlüssel',
     'private_key' => 'Privater Schlüssel',
-    'download_recovery_keys' => 'Download your recovery keys',
-    'download_recovery_keys_confirmation' => 'You are about to download your recovery keys. Please store them in a safe place as they should be mandatory in case of deasaster.',
-    'recovery_keys_download_date' => 'Recovery keys download date',
-    'keys_not_recovered' => 'Public and Private keys not stored',
-    'keys_not_recovered_explanation' => 'In order to prevent against any passwords lost, you should store safely your personal Teampass keys',
-    'get_your_recovery_keys' => 'Get your recovery keys',
+    'download_recovery_keys' => 'Recovery-Schlüssel herunterladen',
+    'download_recovery_keys_confirmation' => 'Hier können Sie Ihre Recovery-Schlüssel herunterladen. Bitte speichern Sie diese an einem sichern Ort, denn bei einer Wiederherstellung werden Sie zwingend benötigt.',
+    'recovery_keys_download_date' => 'Recovery-Schlüssel wurden heruntergeladen am',
+    'keys_not_recovered' => 'Öffentliche und private Keys werden nicht gespeichert',
+    'keys_not_recovered_explanation' => 'Um den Verlust von Kennwörtern zu verhindern, sollten Sie Ihre persönlichen Teampass-Keys sicher abspeichern',
+    'get_your_recovery_keys' => 'Recovery-Schlüssel herunterladen',
     'keys_management' => 'Keys management',
-    'please_confirm_task_to_be_run' => 'Please confirm the task to be performed',
+    'please_confirm_task_to_be_run' => 'Bitte bestätigen Sie diesen Vorgang',
     'user_keys_downloaded' => 'User keys downloaded',
-    'mfa_code_send_by_email' => 'MFA code sent by email',
+    'mfa_code_send_by_email' => 'MFA Code wurde per E-Mail versandt',
     'otp' => 'OTP',
-    'otp_code' => 'OTP code',
-    'enabled_otp_for_item' => 'Enable OTP code',
-    'at_otp_status' => 'OTP status',
-    'phone_number' => 'Related phone number (optional)',
-    'otp_secret' => 'OTP secret key',
-    'settings_ldap_group_objectclasses_attibute' => 'AD Group ObjectClasses attribute',
-    'settings_ldap_group_objectclasses_attibute_tip' => 'Les objectClasses à utiliser pour rechercher les groupes. Plusieurs objectClasses sont séparés par une virgule(,). Exemples : groupOfNames,group outop,posixGroup',
-    'display_warning_icons' => 'Display warning icons',
-    'password_length_by_default' => 'By default password length',
-    'progress' => 'Progress',
-    'tasks_log_retention_delay_in_days' => 'Tasks log retention delay (in days)',
-    'tasks_log_table_size' => 'Tasks log table size',
-    'error_otp_secret' => 'Enable to decode the OTP secret, is the secret correct?',
-    'users_api_access_info' => 'Users can access the API with same access rights as in Teampass.',
-    'error_folder_not_allowed_for_this_user' => 'Folder is not allowed for this user',
+    'otp_code' => 'OTP Code',
+    'enabled_otp_for_item' => 'OTP aktivieren',
+    'at_otp_status' => 'OTP Status',
+    'phone_number' => 'Zugeordnete Telefonnummer (optional)',
+    'otp_secret' => 'OTP Secret',
+    'settings_ldap_group_objectclasses_attibute' => 'objectClasses der Gruppen in LDAP',
+    'settings_ldap_group_objectclasses_attibute_tip' => 'Die objectClasses in denen nach Gruppen gesucht wird. Mehrere objectClasses werden mit Komma(,) getrennt. Beispiel: groupOfNames,group oder top,posixGroup',
+    'display_warning_icons' => 'Warn-Symbole anzeigen',
+    'password_length_by_default' => 'Standard-Passwortlänge',
+    'progress' => 'Fortschritt',
+    'tasks_log_retention_delay_in_days' => 'Aufbewahrung von Aufgaben-Log (in Tagen)',
+    'tasks_log_table_size' => 'Größe der Aufgaben-Log-Tabelle',
+    'error_otp_secret' => 'Konnte OTP Secret nicht verarbeiten, ist es korrekt?',
+    'users_api_access_info' => 'Benutzer können auf die API mit den selben Berechtigungen wie in Teampass zugreifen',
+    'error_folder_not_allowed_for_this_user' => 'Zugriff auf diesen Ordner ist für den Benutzer nicht erlaubt',
     'allowed_to_create' => 'Allowed to create',
     'allowed_to_read' => 'Allowed to read',
     'allowed_to_update' => 'Allowed to update',
     'allowed_to_delete' => 'Allowed to delete',
-    'folder_created' => 'Folder created',
+    'folder_created' => 'Ordner erstellt',
     'login_with_sso' => 'Login with SSO',
-    'server_connected_to_internet' => 'Server is connected to internet',
-    'server_not_connected_to_internet' => 'Server is connected to internet',
-    'server_not_connected_to_internet_tip' => 'This could lead to several functionnalities not working properly. Especially MFA',
+    'server_connected_to_internet' => 'Server ist mit dem Internet verbunden',
+    'server_not_connected_to_internet' => 'Server ist nicht mit dem Internet verbunden',
+    'server_not_connected_to_internet_tip' => 'Dies kann einige Funktionen beeinträchtigen. Insbesondere MFA',
     'tools' => 'Tools',
     'user_config_not_compliant' => 'User configuration is not compliant',
     'fix_personal_items_empty' => 'Fix personal items are empty',
     'fix_personal_items_empty_tip' => 'This tool permits to fix the issue where personal items are empty after a Teampass upgrade. It requires to have restored a copy of table teampass_items from Teampass version 2. The table needs to be named teampass_items_v2.',
     'table_not_exists' => 'Expected table does not exist. Please restore it from a backup.',
     'tools_usage_warning' => 'Using tools can have a direct impact on the database. Please be careful. Always perform a dump before and define a maintenance period.',
-    'select_user' => 'Select user',
-    'show_item_data' => 'Show item data in items list',
-    'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
+    'select_user' => 'Benutzer wählen',
+    'show_item_data' => 'Daten in Eintragsliste anzeigen',
+    'show_item_data_tip' => 'Zeigt zusätzliche Informationen in der Eintragsliste an (Benutzername, E-Mail, URL). Dies erlaubt einen schnellen Überblick über den Inhalt der Einträge.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/greek.php b/includes/language/greek.php
index 7bb231b0c..c10b7f84e 100755
--- a/includes/language/greek.php
+++ b/includes/language/greek.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/hungarian.php b/includes/language/hungarian.php
index 0d0a07661..0a3b71923 100755
--- a/includes/language/hungarian.php
+++ b/includes/language/hungarian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/italian.php b/includes/language/italian.php
index ba3075392..2b2b38255 100755
--- a/includes/language/italian.php
+++ b/includes/language/italian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/japanese.php b/includes/language/japanese.php
index 8f3b038e8..142f53c0c 100755
--- a/includes/language/japanese.php
+++ b/includes/language/japanese.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/norwegian.php b/includes/language/norwegian.php
index 69d39ad95..a0c44dd40 100755
--- a/includes/language/norwegian.php
+++ b/includes/language/norwegian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/polish.php b/includes/language/polish.php
index 40db6edec..080491348 100755
--- a/includes/language/polish.php
+++ b/includes/language/polish.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/portuguese.php b/includes/language/portuguese.php
index bce74990d..56db4c93d 100755
--- a/includes/language/portuguese.php
+++ b/includes/language/portuguese.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/portuguese_br.php b/includes/language/portuguese_br.php
index ce69080cb..bc7d142c3 100755
--- a/includes/language/portuguese_br.php
+++ b/includes/language/portuguese_br.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/romanian.php b/includes/language/romanian.php
index e2ead0700..35d8ff1ae 100755
--- a/includes/language/romanian.php
+++ b/includes/language/romanian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/russian.php b/includes/language/russian.php
index 98365685f..2ae6f6324 100755
--- a/includes/language/russian.php
+++ b/includes/language/russian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/spanish.php b/includes/language/spanish.php
index 6d8824d08..fce7d9f6b 100755
--- a/includes/language/spanish.php
+++ b/includes/language/spanish.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/swedish.php b/includes/language/swedish.php
index 411c4bb28..5189f008a 100755
--- a/includes/language/swedish.php
+++ b/includes/language/swedish.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/turkish.php b/includes/language/turkish.php
index d010ef37e..9c3827811 100755
--- a/includes/language/turkish.php
+++ b/includes/language/turkish.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/ukrainian.php b/includes/language/ukrainian.php
index b5b8dd632..c9b0d42e9 100755
--- a/includes/language/ukrainian.php
+++ b/includes/language/ukrainian.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/language/vietnamese.php b/includes/language/vietnamese.php
index 43b0b63b5..934dfdafc 100755
--- a/includes/language/vietnamese.php
+++ b/includes/language/vietnamese.php
@@ -1188,5 +1188,6 @@
     'show_item_data' => 'Show item data in items list',
     'show_item_data_tip' => 'Permits to display extra information in the items list (username, email and url). This could be useful to have a quick view of the item content.',
     'items_page_split_view_mode' => 'Show item details in page split view mode',
+    'replace_tenant_id' => 'Adapt the URL but keep {tenant-id} as is. It will be replaced live by the tenant ID.',
 
 );
diff --git a/includes/tables_integrity.json b/includes/tables_integrity.json
index b5e3d402d..62a0b6793 100644
--- a/includes/tables_integrity.json
+++ b/includes/tables_integrity.json
@@ -1,7 +1,7 @@
 [
     {
         "table_name": "api",
-        "structure_hash": "0006a9639e80024487d7b0e84b22e18dae63d84b71bbd585f491ab9426c7a988"
+        "structure_hash": "366d799c25538decb526c73025cd9aaf71de0c10c1ebdcdb0da76f868c817dd4"
     },
     {
         "table_name": "automatic_del",
@@ -9,15 +9,15 @@
     },
     {
         "table_name": "background_subtasks",
-        "structure_hash": "964516a5b3667d761723f188c87fbc9ab90f2e393f6d94326df135fea1dc01fb"
+        "structure_hash": "fa1b91a90831d8551dd15382363055d740c6a276aba8d4ea6179ba47d456b44f"
     },
     {
         "table_name": "background_tasks",
-        "structure_hash": "a0898a3f459ba246019b05d55c3ca0426745cb93153dec26fac9634834477d9b"
+        "structure_hash": "ea6c9d60a1cf79a304c6a14222659d19f7211a50d9b74b4059bbe93bf10c5dfc"
     },
     {
         "table_name": "background_tasks_logs",
-        "structure_hash": "ab77226ca8ef4921c0aa7b2b442ea333bf5c700c9f0335d092a62c1543f57ada"
+        "structure_hash": "fee2924d79e4b81e5f3c6f9b756852c1c4bb315581c68103557d8216f30ed3af"
     },
     {
         "table_name": "cache",
@@ -25,7 +25,7 @@
     },
     {
         "table_name": "cache_tree",
-        "structure_hash": "60b3d246fff33a45b6e151217446cb9ae14f6e00fcaa0f7c70ddfd2e29a6e2e8"
+        "structure_hash": "4ac912df6bc26f62f277cb2bce22c9d8108af7a47d67c6a823adc9fc7185c0ed"
     },
     {
         "table_name": "categories",
@@ -53,7 +53,7 @@
     },
     {
         "table_name": "files",
-        "structure_hash": "c72e1f6e81a5bd6a346dbea87d5538ec8546f9cbdcf1fa3c2af93e01c6f5e3ca"
+        "structure_hash": "4fe2dba769c93b40e3519b8668e871be1eaab231045d1877b64d53128fe3cf9e"
     },
     {
         "table_name": "items",
@@ -65,7 +65,7 @@
     },
     {
         "table_name": "items_edition",
-        "structure_hash": "17dac18c7ef640e3c74791e6467c345bd2db3239beeec48987f1b581904464ab"
+        "structure_hash": "91a4f29fd1f242b4d2ad9c1ad5bf0b62cfb9bc3a8dcecca4a2a8210aef01208f"
     },
     {
         "table_name": "items_otp",
@@ -97,19 +97,19 @@
     },
     {
         "table_name": "log_items",
-        "structure_hash": "c394770da836eee405ce63b2789716f1bbc6ded68e412b130c6bfb5c148d2c9f"
+        "structure_hash": "a0ea4a98e800a21d10f1d1f3f7415e7b7d13f8416005ed2edea89d65c8fb775c"
     },
     {
         "table_name": "log_system",
-        "structure_hash": "e06372e0b89d7b381814d35631d6b7e65ca1cb7d211ca5aa98830b3f57bc54cc"
+        "structure_hash": "c7ca1922e4407dc3c49c5d13780f6f28883caaa9fa776e8349a6372eb9667713"
     },
     {
         "table_name": "misc",
-        "structure_hash": "248c3d60364997252039c9dad0d9745c0aef621cc78be8f0a69998e08068754c"
+        "structure_hash": "c57a696824200dcf34cf06c293af85efb28bbba0e08338d0f1e4d6d2abc51d45"
     },
     {
         "table_name": "nested_tree",
-        "structure_hash": "67d03362c5a3c9a398288621977d14ddf286a1ce9f72443077a310421ffa8578"
+        "structure_hash": "1eb849da0b5770fd7ef347fe1bb5ceecae92b0b90ac84b01e1ca9ebe0314f8f3"
     },
     {
         "table_name": "notification",
@@ -117,7 +117,7 @@
     },
     {
         "table_name": "otv",
-        "structure_hash": "d99a5c1dfc99cb467fa148a61e735255697daa0a639fffcb9c4bbdf999432db1"
+        "structure_hash": "240be92633f1e8165d8f52bad083cce95ec19752f5877ecb72e1050759662d56"
     },
     {
         "table_name": "processes",
@@ -161,15 +161,15 @@
     },
     {
         "table_name": "sharekeys_fields",
-        "structure_hash": "fead983813715532e9354936ee524493108ea3408b3fed8265d8a8a4bad6752c"
+        "structure_hash": "4c43d87852d7b9dbc58bc1337245f20074d7c8f6e59d7cce1ae75d5dad22582b"
     },
     {
         "table_name": "sharekeys_files",
-        "structure_hash": "b6fdffea6cc4d82019e289e693b236920dbb4e7c5c90e0e8fb35ae19d9126346"
+        "structure_hash": "bcae5ea668519654581f065b57a1f0991f4f1abd34ad19cf8d7405785eeeb594"
     },
     {
         "table_name": "sharekeys_items",
-        "structure_hash": "b0682bd1dbecfcbc73c804e645c1aee51be64b24f37fb6dd2d8e290c57a58585"
+        "structure_hash": "36d7a797caeb4692087c9fb89b43812fe1b5ba8f5341e330274f9a20f6d855a7"
     },
     {
         "table_name": "sharekeys_logs",
@@ -193,7 +193,7 @@
     },
     {
         "table_name": "tokens",
-        "structure_hash": "2173ba0b4a0460280019e1efcef4b4d3b0b069c1d2f3403f4f787c69c2779d37"
+        "structure_hash": "d1b251d7ddc11808f3966b0bd4a12bcd13e481ede1c8ec5c773a3a83cd3d7c38"
     },
     {
         "table_name": "user_requests",
@@ -201,7 +201,7 @@
     },
     {
         "table_name": "users",
-        "structure_hash": "08c9bee02458241ffea201a2486660bf3ab9e69f2836ea9d5a5379a6182617cd"
+        "structure_hash": "9066dfea1645af9d990e53eeeb0f09c6b29de4ce2cadd759572b84e86135dbce"
     },
     {
         "table_name": "version_control",
diff --git a/index.php b/index.php
index 9305cd846..7665a63d8 100755
--- a/index.php
+++ b/index.php
@@ -333,7 +333,7 @@
                                     <i class="fa-solid fa-user-circle fa-fw mr-2"></i><?php echo $lang->get('my_profile'); ?>
                                 </a>
                                 <?php
-                                    if (empty($session_auth_type) === false && $session_auth_type !== 'ldap') {
+                                    if (empty($session_auth_type) === false && $session_auth_type !== 'ldap' && $session_auth_type !== 'oauth2') {
                                         ?>
                                     <a class="dropdown-item user-menu" href="#" data-name="password-change">
                                         <i class="fa-solid fa-lock fa-fw mr-2"></i><?php echo $lang->get('index_change_pw'); ?>
@@ -572,17 +572,15 @@
                                     <i class="fa-solid fa-id-card nav-icon"></i>
                                     <p>' . $lang->get('ldap') . '</p>
                                 </a>
-                            </li>';
-if (WIP === true) {
-    echo '
+                            </li>
+
                             <li class="nav-item">
                                 <a href="#" data-name="oauth" class="nav-link', $get['page'] === 'oauth' ? ' active' : '', '">
                                     <i class="fa-solid fa-plug nav-icon"></i>
                                     <p>' . $lang->get('oauth') . '</p>
                                 </a>
-                            </li>';
-}
-echo '
+                            </li>
+                            
                             <li class="nav-item">
                                 <a href="#" data-name="uploads" class="nav-link', $get['page'] === 'uploads' ? ' active' : '', '">
                                     <i class="fa-solid fa-file-upload nav-icon"></i>
@@ -1125,8 +1123,9 @@ function(teampassSettings) {}
         exit;
     }
     
-    // LOGIN form
+    // LOGIN form  
     include $SETTINGS['cpassman_dir'] . '/includes/core/login.php';
+    
 } else {
     // Clear session
     $session->invalidate();
diff --git a/pages/oauth.php b/pages/oauth.php
index cb649be94..95a6d519c 100755
--- a/pages/oauth.php
+++ b/pages/oauth.php
@@ -148,7 +148,7 @@
                                     </small>
                                 </div>
                                 <div class='col-7'>
-                                    <input type='text' class='form-control form-control-sm setting-oauth' id='oauth2_callback_url' value='<?php echo $SETTINGS['cpassman_url']; ?>'>
+                                    <input type='text' class='form-control form-control-sm setting-oauth' id='oauth2_callback_url' value='<?php echo $SETTINGS['cpassman_url'].'/'.OAUTH2_REDIRECTURI; ?>' disabled>
                                 </div>
                             </div>
 
@@ -170,6 +170,15 @@
                                 </div>
                             </div>
 
+                            <div class='row mb-2 tr-ldap'>
+                                <div class='col-5'>
+                                    <?php echo $lang->get('tenant_id'); ?>
+                                </div>
+                                <div class='col-7'>
+                                    <input type='text' class='form-control form-control-sm setting-oauth' id='oauth2_tenant_id' value='<?php echo $SETTINGS['oauth2_tenant_id'] ?? ''; ?>'>
+                                </div>
+                            </div>
+
                             <div class='row mb-2 tr-ldap'>
                                 <div class='col-5'>
                                     <?php echo $lang->get('scopes'); ?>
@@ -210,51 +219,6 @@
 
                         </form>
                     </div>
-
-                    <div class='card card-primary'>
-                        <div class='card-header'>
-                            <h3 class='card-title'><?php echo $lang->get('setup_wizard'); ?></h3>
-                        </div>
-                        <!-- /.card-header -->
-                        <!-- form start -->
-                        <form role='form-horizontal'>
-                            <div class='card-body'>
-                                <div class='tab-content mt-2' id=''>
-                                    <div class='row mb-2'>
-                                        <button type='button' class='btn btn-primary btn-sm  mr-2' id='but_perform_setup'>
-                                            <i class='fas fa-cog mr-2'></i><?php echo $lang->get('perform'); ?>
-                                        </button>
-                                    </div>
-                                    <div class='row mb-2'>
-                                        <div class='col-8'>
-<?php
-if (isset($_GET['code']) === true && isset($_GET['state']) === true) {
-    $get['code'] = filter_var($_GET['code'], FILTER_SANITIZE_SPECIAL_CHARS);
-    $get['state'] = filter_var($_GET['state'], FILTER_SANITIZE_SPECIAL_CHARS);
-    $get['session_state'] = filter_var($_GET['session_state'], FILTER_SANITIZE_SPECIAL_CHARS);
-
-    error_log('---- CALLBACK ----');
-
-    // Création d'une instance du contrôleur
-    $azureAuth = new AzureAuthController($SETTINGS, true);
-
-    // Traitement de la réponse de callback Azure
-    $azureAuth->getAllGroups();//callbackSetup();
-
-
-} 
-?>
-                                        </div>
-                                        <div class='col-4'>
-                                            
-                                        </div>
-                                    </div>
-                                       
-                                </div>
-
-                            </div>
-                        </form>
-                    </div>
                 
             </div>
             <!-- /.col-md-6 -->
diff --git a/sources/identify.php b/sources/identify.php
index 86d95a36f..1a72636b3 100755
--- a/sources/identify.php
+++ b/sources/identify.php
@@ -48,7 +48,6 @@
 use TeampassClasses\LdapExtra\OpenLdapExtra;
 use TeampassClasses\LdapExtra\ActiveDirectoryExtra;
 use TeampassClasses\AzureAuthController\AzureAuthController;
-use TheNetworg\OAuth2\Client\Provider\Azure;
 
 // Load functions
 require_once 'main.functions.php';
@@ -78,7 +77,7 @@
         'user_id' => returnIfSet($session->get('user-id'), null),
         'user_key' => returnIfSet($session->get('key'), null),
         'login' => isset($_POST['login']) === false ? null : $_POST['login'],
-        'sso' => isset($_POST['sso']) === false ? null : $_POST['sso'],
+        'oauth2' => returnIfSet($session->get('userOauth2Info'), null),
     ]
 );
 
@@ -382,26 +381,9 @@ function identifyUser(string $sentData, array $SETTINGS): bool
         return false;
     }
 
-    $userInfo = $userInitialData['userInfo'];
+    $userInfo = $userInitialData['userInfo'] + $dataReceived;
     $return = '';
 
-    // If we have oauth2-azure enabled then we need to check if the user is in the Azure Entra ID
-    /*if (isKeyExistingAndEqual('oauth2_azure', 1, $SETTINGS) === true) {
-        $authAzure = identifyDoAzureChecks(
-            $SETTINGS,
-            $userInfo,
-            (string) $username
-        );
-        if ($authAzure['error'] === true) {
-            // deepcode ignore ServerLeak: File and path are secured directly inside the function decryptFile()
-            echo prepareExchangedData(
-                $authAzure['array'],
-                'encode'
-            );
-            return false;
-        }
-    }*/
-
     // Check if LDAP is enabled and user is in AD
     $userLdap = identifyDoLDAPChecks(
         $SETTINGS,
@@ -421,13 +403,6 @@ function identifyUser(string $sentData, array $SETTINGS): bool
         return false;
     }
     if (isset($userLdap['user_info']) === true && (int) $userLdap['user_info']['has_been_created'] === 1) {
-        /*$userInfo = DB::queryfirstrow(
-            'SELECT *
-            FROM ' . prefixTable('users') . '
-            WHERE login = %s',
-            $username
-        );*/
-        //$userInfo = $userLdap['user_info'];
         echo json_encode([
             'data' => prepareExchangedData(
                 [
@@ -442,8 +417,28 @@ function identifyUser(string $sentData, array $SETTINGS): bool
         return false;
     }
 
+    // Should we create new oauth2 user?
+    $userOauth2 = createOauth2User(
+        (array) $SETTINGS,
+        (array) $userInfo,
+        (string) $username,
+        (string) $passwordClear,
+        (int) $userLdap['user_info']['has_been_created']
+    );
+    if ($userOauth2['error'] === true) {
+        // deepcode ignore ServerLeak: File and path are secured directly inside the function decryptFile()
+        echo prepareExchangedData(
+            $userOauth2['array'],
+            'encode'
+        );
+        $session->remove('userOauth2Info');
+        return false;
+    }
+   
     // Check user and password
-    if ($userLdap['userPasswordVerified'] === false && (int) checkCredentials($passwordClear, $userInfo) !== 1) {
+    if ($userLdap['userPasswordVerified'] === false && $userOauth2['userPasswordVerified'] === false
+        && (int) checkCredentials($passwordClear, $userInfo) !== 1
+    ) {
         echo prepareExchangedData(
             [
                 'value' => '',
@@ -749,7 +744,7 @@ function identifyUser(string $sentData, array $SETTINGS): bool
         );
         
         // Get user's rights
-        if ($userLdap['user_initial_creation_through_ldap'] === true) {
+        if ($userLdap['user_initial_creation_through_external_ad'] === true || $userOauth2['retExternalAD']['has_been_created'] === 1) {
             // is new LDAP user. Show only his personal folder
             if ($SETTINGS['enable_pf_feature'] === '1') {
                 $session->set('user-personal_visible_folders', [$userInfo['id']]);
@@ -1339,13 +1334,15 @@ function authenticateThroughAD(string $username, array $userInfo, string $passwo
     }
 
     // Create LDAP user if not exists and tasks enabled
-    if ($userInfo['ldap_user_to_be_created'] === true) {   
-        $userInfo = ldapCreateUser(
+    if ($userInfo['ldap_user_to_be_created'] === true) {
+        $userInfo = externalAdCreateUser(
             $username,
             $passwordClear,
             $userADInfos['mail'][0],
             $userADInfos['givenname'][0],
             $userADInfos['sn'][0],
+            'ldap',
+            [],
             $SETTINGS
         );
 
@@ -1519,7 +1516,7 @@ function finalizeAuthentication(
             $userInfo['id']
         );
     }
-    if (WIP === true) error_log("finalizeAuthentication - hashedPassword: " . $hashedPassword. " | ".$passwordManager->verifyPassword($userInfo['pw'], $passwordClear));
+    if (WIP === true) error_log("finalizeAuthentication - hashedPassword: " . $hashedPassword. " | ".$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)." || ".$passwordClear);
 }
 
 /**
@@ -1605,7 +1602,16 @@ function yubicoMFACheck($dataReceived, string $userInfo, array $SETTINGS): array
  *
  * @return array
  */
-function ldapCreateUser(string $login, string $passwordClear, string $userEmail, string $userName, string $userLastname, array $SETTINGS): array
+function externalAdCreateUser(
+    string $login,
+    string $passwordClear,
+    string $userEmail,
+    string $userName,
+    string $userLastname,
+    string $authType,
+    array $userGroups,
+    array $SETTINGS
+): array
 {
     // Generate user keys pair
     $userKeys = generateUserKeys($passwordClear);
@@ -1613,6 +1619,27 @@ function ldapCreateUser(string $login, string $passwordClear, string $userEmail,
     // Create password hash
     $passwordManager = new PasswordManager();
     $hashedPassword = $passwordManager->hashPassword($passwordClear);
+    
+    // If any groups provided, add user to them
+    if (count($userGroups) > 0) {
+        $groupIds = [];
+        foreach ($userGroups as $group) {
+            // Check if exists in DB
+            $groupData = DB::queryFirstRow(
+                'SELECT id
+                FROM ' . prefixTable('roles_title') . '
+                WHERE title = %s',
+                $group["displayName"]
+            );
+
+            if (DB::count() > 0) {
+                array_push($groupIds, $groupData['id']);
+            }
+        }
+        $userGroups = implode(';', $groupIds);
+    } else {
+        $userGroups = '';
+    }
 
     // Insert user in DB
     DB::insert(
@@ -1629,14 +1656,15 @@ function ldapCreateUser(string $login, string $passwordClear, string $userEmail,
             'personal_folder' => $SETTINGS['enable_pf_feature'] === '1' ? '1' : '0',
             'groupes_interdits' => '',
             'groupes_visibles' => '',
+            'fonction_id' => $userGroups,
             'last_pw_change' => (int) time(),
-            'user-language' => (string) $SETTINGS['default_language'],
+            'user_language' => (string) $SETTINGS['default_language'],
             'encrypted_psk' => '',
             'isAdministratedByRole' => isset($SETTINGS['ldap_new_user_is_administrated_by']) === true && empty($SETTINGS['ldap_new_user_is_administrated_by']) === false ? $SETTINGS['ldap_new_user_is_administrated_by'] : 0,
             'public_key' => $userKeys['public_key'],
             'private_key' => $userKeys['private_key'],
             'special' => 'none',
-            'auth_type' => 'ldap',
+            'auth_type' => $authType,
             'otp_provided' => '1',
             'is_ready_for_usage' => '0',
         ]
@@ -1651,7 +1679,7 @@ function ldapCreateUser(string $login, string $passwordClear, string $userEmail,
             'user_id' => $newUserId,
             'value' => encryptUserObjectKey(base64_encode(base64_encode(uniqidReal(39))), $userKeys['public_key']),
             'timestamp' => time(),
-            'read_only' => 1,
+            'allowed_to_read' => 1,
             'allowed_folders' => '',
             'enabled' => 0,
         )
@@ -1675,11 +1703,12 @@ function ldapCreateUser(string $login, string $passwordClear, string $userEmail,
         $tree->rebuild();
     }
 
+
     return [
         'error' => false,
         'message' => '',
         'proceedIdentification' => true,
-        'user_initial_creation_through_ldap' => true,
+        'user_initial_creation_through_external_ad' => true,
         'id' => $newUserId,
     ];
 }
@@ -2106,7 +2135,10 @@ public function get_is_too_much_attempts($attempts) {
         }
     }
 
-    public function get_user_info($login, $enable_ad_user_auto_creation) {
+    public function get_user_info($login, $enable_ad_user_auto_creation, $oauth2_enabled) {
+        $session = SessionManager::getSession();
+
+        // Get user info from DB
         $data = DB::queryFirstRow(
             'SELECT u.*, a.value AS api_key
             FROM ' . prefixTable('users') . ' AS u
@@ -2117,12 +2149,16 @@ public function get_user_info($login, $enable_ad_user_auto_creation) {
         
         // User doesn't exist then return error
         // Except if user creation from LDAP is enabled
-        if (DB::count() === 0 && $enable_ad_user_auto_creation === false) {
+        if (DB::count() === 0 && ($enable_ad_user_auto_creation === false || $oauth2_enabled === false)) {
             throw new Exception(
                 "error" 
             );
         }
-        $data['ldap_user_to_be_created'] = $enable_ad_user_auto_creation === true && DB::count() === 0 ? true : false;
+        // We cannot create a user with LDAP if the OAuth2 login is ongoing
+        $oauth2LoginOngoing = isset($session->get('userOauth2Info')['oauth2LoginOngoing']) ? $session->get('userOauth2Info')['oauth2LoginOngoing'] : false;
+        $data['ldap_user_to_be_created'] = $enable_ad_user_auto_creation === true && DB::count() === 0 && $oauth2LoginOngoing !== true ? true : false;
+        $data['oauth2_user_to_be_created'] = $oauth2_enabled === true && DB::count() === 0 && $oauth2LoginOngoing === true ? true : false;
+
 
         // ensure user fonction_id is set to false if not existing
         /*if (is_null($data['fonction_id']) === true) {
@@ -2192,6 +2228,7 @@ public function get_install_folder_is_not_present($admin, $install_folder) {
  * @param integer $sessionAdmin
  * @param string $sessionUrl
  * @param string $user_2fa_selection
+ * @param boolean $oauth2Token
  * @return array
  */
 function identifyDoInitialChecks(
@@ -2206,6 +2243,7 @@ function identifyDoInitialChecks(
     $session = SessionManager::getSession();
     $checks = new initialChecks();
     $enable_ad_user_auto_creation = isset($SETTINGS['enable_ad_user_auto_creation']) === true && (int) $SETTINGS['enable_ad_user_auto_creation'] === 1 ? true : false;
+    $oauth2_enabled = isset($SETTINGS['oauth2_enabled']) === true && (int) $SETTINGS['oauth2_enabled'] === 1 ? true : false;
     $lang = new Language($session->get('user-language') ?? 'english');
     
     // Brute force management
@@ -2214,6 +2252,7 @@ function identifyDoInitialChecks(
     } catch (Exception $e) {
         $session->set('next_possible_pwd_attempts', (time() + 10));
         $session->set('pwd_attempts', 0);
+        $session->set('userOauth2Info', '');
 
         logEvents($SETTINGS, 'failed_auth', 'user_not_exists', '', stripslashes($username), stripslashes($username));
 
@@ -2232,7 +2271,7 @@ function identifyDoInitialChecks(
 
     // Check if user exists
     try {
-        $userInfo = $checks->get_user_info($username, $enable_ad_user_auto_creation);
+        $userInfo = $checks->get_user_info($username, $enable_ad_user_auto_creation, $oauth2_enabled);
     } catch (Exception $e) {
         logEvents($SETTINGS, 'failed_auth', 'user_not_exists', '', stripslashes($username), stripslashes($username));
         return [
@@ -2381,6 +2420,85 @@ function identifyDoLDAPChecks(
 }
 
 
+function createOauth2User(
+    array $SETTINGS,
+    array $userInfo,
+    string $username,
+    string $passwordClear,
+    int $userLdapHasBeenCreated
+): array
+{
+    error_log($SETTINGS['oauth2_enabled']." -- ".$username." -- ".$userInfo['oauth2_user_to_be_created']." -- ".$userLdapHasBeenCreated);
+    // Prepare creating the new oauth2 user in Teampass
+    if ((int) $SETTINGS['oauth2_enabled'] === 1
+        && $username !== 'admin'
+        && (bool) $userInfo['oauth2_user_to_be_created'] === true
+        && $userLdapHasBeenCreated !== 1
+    ) {
+        $session = SessionManager::getSession();
+        $lang = new Language($session->get('user-language') ?? 'english');
+        
+        // Create Oauth2 user if not exists and tasks enabled
+        $userInfo = externalAdCreateUser(
+            $username,
+            $passwordClear,
+            $userInfo['mail'],
+            is_null($userInfo['givenname']) ? (is_null($userInfo['givenName']) ? '' : $userInfo['givenName']) : $userInfo['givenname'],
+            is_null($userInfo['surname']) ? '' : $userInfo['surname'],
+            'oauth2',
+            is_null($userInfo['groups']) ? '' : $userInfo['groups'],
+            $SETTINGS
+        );
+
+        // prepapre background tasks for item keys generation  
+        handleUserKeys(
+            (int) $userInfo['id'],
+            (string) $passwordClear,
+            (int) (isset($SETTINGS['maximum_number_of_items_to_treat']) === true ? $SETTINGS['maximum_number_of_items_to_treat'] : NUMBER_ITEMS_IN_BATCH),
+            uniqidReal(20),
+            true,
+            true,
+            true,
+            false,
+            $lang->get('email_body_user_config_2'),
+        );
+
+        // Complete $userInfo
+        $userInfo['has_been_created'] = 1;
+
+        error_log("--- USER CREATED ---");
+
+        return [
+            'error' => false,
+            'retExternalAD' => $userInfo,
+            'oauth2Connection' => true,
+            'userPasswordVerified' => true,
+        ];
+    
+    } elseif ((int) $SETTINGS['oauth2_enabled'] === 1
+        && isset($userInfo['id']) === true && empty($userInfo['id']) === false
+    ) {
+        // Oauth2 user already exists and authenticated
+        error_log("--- USER AUTHENTICATED ---");
+        $userInfo['has_been_created'] = 0;
+        return [
+            'error' => false,
+            'retExternalAD' => $userInfo,
+            'oauth2Connection' => true,
+            'userPasswordVerified' => true,
+        ];
+    }
+
+    // return if no addmin
+    return [
+        'error' => false,
+        'retLDAP' => [],
+        'ldapConnection' => false,
+        'userPasswordVerified' => false,
+    ];
+}
+
+
 function identifyDoMFAChecks(
     $SETTINGS,
     $userInfo,
diff --git a/sources/main.functions.php b/sources/main.functions.php
index fb48f23df..47ed7ceaf 100755
--- a/sources/main.functions.php
+++ b/sources/main.functions.php
@@ -418,7 +418,7 @@ function identAdmin($idFonctions, $SETTINGS, $tree)
  *
  * @return array
  */
-function convertToArray($element): array
+function convertToArray($element): ?array
 {
     if (is_string($element) === true) {
         if (empty($element) === true) {
@@ -1498,7 +1498,6 @@ function prefixTable(string $table): string
  * @param bool $uppercase Uppercase letters
  * @param bool $symbols Symbols
  * @param bool $lowercase Lowercase
- * @param array   $SETTINGS  SETTINGS
  * 
  * @return string
  */
@@ -1508,8 +1507,7 @@ function GenerateCryptKey(
     bool $numerals = false,
     bool $uppercase = false,
     bool $symbols = false,
-    bool $lowercase = false,
-    array $SETTINGS = []
+    bool $lowercase = false
 ): string {
     $generator = new ComputerPasswordGenerator();
     $generator->setRandomGenerator(new Php7RandomGenerator());
@@ -1531,6 +1529,66 @@ function GenerateCryptKey(
     return $generator->generatePasswords()[0];
 }
 
+/**
+ * GenerateGenericPassword
+ *
+ * @param int     $size      Length
+ * @param bool $secure Secure
+ * @param bool $numerals Numerics
+ * @param bool $uppercase Uppercase letters
+ * @param bool $symbols Symbols
+ * @param bool $lowercase Lowercase
+ * @param array   $SETTINGS  SETTINGS
+ * 
+ * @return string
+ */
+function generateGenericPassword(
+    int $size,
+    bool $secure,
+    bool $lowercase,
+    bool $capitalize,
+    bool $numerals,
+    bool $symbols,
+    array $SETTINGS
+): string
+{
+    if ((int) $size > (int) $SETTINGS['pwd_maximum_length']) {
+        return prepareExchangedData(
+            array(
+                'error_msg' => 'Password length is too long! ',
+                'error' => 'true',
+            ),
+            'encode'
+        );
+    }
+    // Load libraries
+    $generator = new ComputerPasswordGenerator();
+    $generator->setRandomGenerator(new Php7RandomGenerator());
+
+    // Manage size
+    $generator->setLength(($size <= 0) ? 10 : $size);
+
+    if ($secure === true) {
+        $generator->setSymbols(true);
+        $generator->setLowercase(true);
+        $generator->setUppercase(true);
+        $generator->setNumbers(true);
+    } else {
+        $generator->setLowercase($lowercase);
+        $generator->setUppercase($capitalize);
+        $generator->setNumbers($numerals);
+        $generator->setSymbols($symbols);
+    }
+
+    return prepareExchangedData(
+        array(
+            'key' => $generator->generatePasswords(),
+            'error' => '',
+        ),
+        'encode'
+    );
+}
+
 /**
  * Send sysLOG message
  *
@@ -4268,7 +4326,7 @@ function handleUserRecoveryKeysDownload(int $userId, array $SETTINGS):string
 
     if (DB::count() > 0) {
         $now = (int) time();
-
+error_log('password: '.$session->get('user-password'));
         // Prepare file content
         $export_value = file_get_contents(__DIR__."/../includes/core/teampass_ascii.txt")."\n".
             "Generation date: ".date($SETTINGS['date_format'] . ' ' . $SETTINGS['time_format'], $now)."\n\n".
diff --git a/sources/main.queries.php b/sources/main.queries.php
index 0cf9e298f..24a9546bb 100755
--- a/sources/main.queries.php
+++ b/sources/main.queries.php
@@ -1249,53 +1249,6 @@ function sendEmailsNotSent(
     }
 }
 
-function generateGenericPassword(
-    int $size,
-    bool $secure,
-    bool $lowercase,
-    bool $capitalize,
-    bool $numerals,
-    bool $symbols,
-    array $SETTINGS
-): string
-{
-    if ((int) $size > (int) $SETTINGS['pwd_maximum_length']) {
-        return prepareExchangedData(
-            array(
-                'error_msg' => 'Password length is too long! ',
-                'error' => 'true',
-            ),
-            'encode'
-        );
-    }
-    // Load libraries
-    //require_once __DIR__.'/../vendor/autoload.php';
-    $generator = new ComputerPasswordGenerator();
-    $generator->setRandomGenerator(new Php7RandomGenerator());
-
-    // Manage size
-    $generator->setLength(($size <= 0) ? 10 : $size);
-
-    if ($secure === true) {
-        $generator->setSymbols(true);
-        $generator->setLowercase(true);
-        $generator->setUppercase(true);
-        $generator->setNumbers(true);
-    } else {
-        $generator->setLowercase($lowercase);
-        $generator->setUppercase($capitalize);
-        $generator->setNumbers($numerals);
-        $generator->setSymbols($symbols);
-    }
-
-    return prepareExchangedData(
-        array(
-            'key' => $generator->generatePasswords(),
-            'error' => '',
-        ),
-        'encode'
-    );
-}
 
 function refreshUserItemsSeenList(
     array $SETTINGS
diff --git a/vendor/teampassclasses/azureauthcontroller/src/AzureAuthController.php b/vendor/teampassclasses/azureauthcontroller/src/AzureAuthController.php
index 588374515..5d0add522 100644
--- a/vendor/teampassclasses/azureauthcontroller/src/AzureAuthController.php
+++ b/vendor/teampassclasses/azureauthcontroller/src/AzureAuthController.php
@@ -38,22 +38,159 @@
  * RewriteRule ^login/azure/callback$ /path/to/AzureAuthController.php?method=callback [L]
 
  */
+use Exception;
 
 class AzureAuthController
 {
     protected $provider;
     protected $settings;
 
+    public function __construct(array $settings)
+    {
+        // Utilisation du point de terminaison v2.0
+
+        $this->provider = new Azure([
+            'clientId'                => $settings['oauth2_client_id'],
+            'clientSecret'            => $settings['oauth2_client_secret'],
+            'redirectUri'             => $settings['cpassman_url'].'/index.php?post_type=oauth2',
+            'urlAuthorize'            => 'https://login.microsoftonline.com/' . $settings['oauth2_tenant_id'] . '/oauth2/v2.0/authorize', // Utilisation du endpoint v2.0
+            'urlAccessToken'          => 'https://login.microsoftonline.com/' . $settings['oauth2_tenant_id'] . '/oauth2/v2.0/token',     // Endpoint v2.0 pour le token
+            'urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/me',  // Endpoint pour obtenir les infos de l'utilisateur
+            'scopes'                  => explode(",", $settings['oauth2_client_scopes']),  // Les scopes sont définis dans les paramètres
+            'defaultEndPointVersion'  => '2.0',  // Version du point de terminaison
+        ]);
+    }
+
+    public function redirect()
+    {
+        // Force user to select account
+        $options = [
+            'prompt' => 'select_account'
+        ];
+
+        // Rediriger l'utilisateur vers Azure AD pour l'authentification
+        $authUrl = $this->provider->getAuthorizationUrl($options);
+        $_SESSION['oauth2state'] = $this->provider->getState();
+        header('Location: ' . $authUrl);
+        exit;
+    }
+
+    public function callback()
+    {
+        // Vérification de l'état CSRF
+        if (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
+            unset($_SESSION['oauth2state']);
+            exit('État invalide');
+        }
+
+        try {
+            // Échanger le code d'autorisation contre un token d'accès
+            $token = $this->provider->getAccessToken('authorization_code', [
+                'code' => $_GET['code']
+            ]);
+            //error_log('Token récupéré : ' . print_r($token, true));
+
+            // Récupérer les informations de l'utilisateur via Microsoft Graph
+            $graphUrl = 'https://graph.microsoft.com/v1.0/me';
+            $response = $this->provider->getAuthenticatedRequest('GET', $graphUrl, $token->getToken());
+            $user = $this->provider->getParsedResponse($response);
+
+            //error_log('Utilisateur récupéré : ' . print_r($user, true));
+
+            // Récupérer les groupes auxquels l'utilisateur appartient
+            $groupsUrl = 'https://graph.microsoft.com/v1.0/me/memberOf';
+            $groupsResponse = $this->provider->getAuthenticatedRequest('GET', $groupsUrl, $token->getToken());
+            $groups = $this->provider->getParsedResponse($groupsResponse);
+            
+            // Extraire uniquement les IDs et noms des groupes si disponibles
+            $userGroups = [];
+            if (isset($groups['value']) && is_array($groups['value'])) {
+                foreach ($groups['value'] as $group) {
+                    $userGroups[] = [
+                        'id' => $group['id'] ?? null,
+                        'displayName' => $group['displayName'] ?? null,
+                    ];
+                }
+            }
+            //error_log('Utilisateur  : ' . print_r(array_merge($user, array('groups' => $userGroups)), true));
+
+            // Get groups
+            //$groups = $this->getAllGroups($token);
+            //error_log('Groupes récupérés : ' . print_r($groups, true));
+
+            // Retourner les informations de l'utilisateur
+            return [
+                'error' => false,
+                'userOauth2Info' => array_merge($user, array('groups' => $userGroups, 'oauth2TokenUsed' => false, 'oauth2LoginOngoing' => true)),
+            ];
+
+        } catch (\Exception $e) {
+            error_log('Erreur inattendue : ' . $e->getMessage());
+            return [
+                'error' => true,
+                'message' => 'Erreur lors de la récupération du token : ' . $e->getMessage(),
+            ];
+        }
+    }
+
+    public function getAllGroups($token = null)
+    {
+        try {
+            if (is_null($token)) {
+                // Obtenir un token avec les scopes appropriés pour accéder aux groupes
+                $token = $this->provider->getAccessToken('authorization_code', [
+                    'code' => $_GET['code'],
+                ]);
+            }
+
+            // Faire une requête pour récupérer tous les groupes
+            $graphUrl = 'https://graph.microsoft.com/v1.0/groups';
+            $response = $this->provider->getAuthenticatedRequest('GET', $graphUrl, $token->getToken());
+            $groupsResponse  = $this->provider->getParsedResponse($response);
+
+            // Initialiser un tableau pour stocker les groupes avec id et displayName
+            $groupsList = [];
+
+            // Vérifier si la réponse contient des groupes
+            if (isset($groupsResponse['value']) && is_array($groupsResponse['value'])) {
+                foreach ($groupsResponse['value'] as $group) {
+                    // Extraire l'ID et le displayName de chaque groupe
+                    $groupsList[] = [
+                        'id' => $group['id'] ?? null, // Utiliser l'opérateur null coalescent pour éviter les erreurs
+                        'displayName' => $group['displayName'] ?? null,
+                    ];
+                }
+            }
+
+            // Retourner la liste des groupes avec id et displayName
+            return $groupsList;
+
+        } catch (Exception $e) {
+            return [
+                'error' => true,
+                'message' => 'Error while getting groups: ' . $e->getMessage(),
+            ];
+        }
+    }
+}
+
+
+class AzureAuthController_OLD
+{
+    protected $provider;
+    protected $settings;
+
     public function __construct(array $settings)
     {
         $this->provider = new Azure([
-            'clientId'                => $settings['oauth2_azure_clientId'],
-            'clientSecret'            => $settings['oauth2_azure_clientSecret'],
-            'redirectUri'             => $settings['oauth2_azure_redirectUri'],
-            'urlAuthorize'            => $settings['oauth2_azure_urlAuthorize'],
-            'urlAccessToken'          => $settings['oauth2_azure_urlAccessToken'],
-            'urlResourceOwnerDetails' => $settings['oauth2_azure_urlResourceOwnerDetails'],
-            'scopes'                  => explode(",", $settings['oauth2_azure_scopes']),
+            'clientId'                => $settings['oauth2_client_id'],
+            'clientSecret'            => $settings['oauth2_client_secret'],
+            'redirectUri'             => $settings['cpassman_url'].'/index.php?post_type=oauth2',
+            'urlAuthorize'            => strpos($settings['oauth2_client_endpoint'], '{tenant-id}') !== false ? str_replace('{tenant-id}', $settings['oauth2_tenant_id'], $settings['oauth2_client_endpoint']) : $settings['oauth2_client_endpoint'],
+            'urlAccessToken'          => strpos($settings['oauth2_client_token'], '{tenant-id}') !== false ? str_replace('{tenant-id}', $settings['oauth2_tenant_id'], $settings['oauth2_client_token']) : $settings['oauth2_client_token'],
+            'urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/me',
+            'scopes'                  => explode(",", $settings['oauth2_client_scopes']),
+            'defaultEndPointVersion' => '1.0',
         ]);
     }
 
@@ -68,9 +205,11 @@ public function redirect()
 
     public function callback()
     {
+        error_log('Callback initiated');
         // Vérifier l'état pour mitiger les attaques CSRF
         if (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
             unset($_SESSION['oauth2state']);
+            error_log('Invalid state detected');
             exit('État invalide');
         }
 
@@ -79,17 +218,20 @@ public function callback()
             $token = $this->provider->getAccessToken('authorization_code', [
                 'code' => $_GET['code']
             ]);
+            error_log('Access token obtained successfully');
 
             // Récupérer les informations de l'utilisateur
             $user = $this->provider->getResourceOwner($token);
+            error_log('User information retrieved successfully');
 
             // Ici, gérer la connexion de l'utilisateur dans votre système
             return [
                 'error' => false,
-                'userAzureInfo' => $user,
+                'userOauth2Info' => $user,
             ];
 
         } catch (\Exception $e) {
+            error_log('Error while catching token: ' . $e->getMessage());
             return [
                 'error' => true,
                 'message' => 'Error while catching token: '.$e->getMessage(),
diff --git a/vendor/teampassclasses/performchecks/src/PerformChecks.php b/vendor/teampassclasses/performchecks/src/PerformChecks.php
index 0d51be30b..42a3b3e90 100755
--- a/vendor/teampassclasses/performchecks/src/PerformChecks.php
+++ b/vendor/teampassclasses/performchecks/src/PerformChecks.php
@@ -125,7 +125,7 @@ public function initialLogin(): bool
                 'SELECT id FROM ' . prefixTable('users') . ' WHERE login = %s',
                 $this->sessionVar['login']
             );
-            if (DB::count() > 0 || isset($this->sessionVar['sso']) === true) {
+            if (DB::count() > 0 || isset($this->sessionVar['oauth2']) === true) {
                 return true;
             }
         }