TYPO3 and Microsoft - A perfect match

Back to overviewTYPO3 with Microsoft cloud services and Azure for secure, scalable integration

TYPO3 and Managed Identities: Practical Guide

Author: Oliver Kroener(Updated )

TYPO3 and Managed Identities: Practical Guide

The integration of TYPO3 with Microsoft Cloud Services is becoming increasingly important as companies need secure, maintainable, and scalable solutions for modern web applications. Especially when combined with Azure, Microsoft 365, and other cloud services, authentication plays a central role. This is exactly where Managed Identities come in: they allow TYPO3 to access Azure resources without having to store sensitive credentials such as usernames and passwords or classic access keys in the code.

In this practical guide, we show how TYPO3 and Managed Identities can work together, what advantages this architecture offers, and what you should consider during implementation. The focus is on secure, cloud-native integration of TYPO3 with Microsoft services.

What are Managed Identities?

Managed Identities are a feature of Microsoft Entra ID that allows Azure resources to authenticate securely against other cloud services. Instead of storing secret credentials in source code, configuration files, or environment variables, Azure automatically takes care of identity management.

For TYPO3, this means the application can access Azure Key Vault, Azure Storage, Azure SQL, or other protected services, for example, without developers having to maintain long-lived secrets. This reduces the risk of data leaks and significantly simplifies operations.

System-Assigned vs. User-Assigned Managed Identity

Microsoft distinguishes between two variants of Managed Identities:

System-Assigned Managed Identity

This identity is assigned directly to an Azure resource, such as an App Service instance or a virtual machine. It is tightly bound to the resource and is automatically created and deleted when the resource is removed.

User-Assigned Managed Identity

Here, the identity is managed as a separate Azure resource. It can be assigned to multiple services and is especially suitable for more complex scenarios with reusable permissions.

Why connect TYPO3 with Microsoft Cloud Services?

TYPO3 is a powerful enterprise CMS that is often used in demanding corporate environments. In such environments, security, availability, and integration with existing Microsoft infrastructures are crucial. Connecting TYPO3 with Microsoft Cloud Services opens up numerous possibilities:

First, content, files, and configuration can be stored securely in Azure services. Second, business processes can be automated, for example in media processing, caching, or data integration. Third, the use of Managed Identities improves the security posture because no permanently embedded credentials are required anymore.

Especially for companies that already rely on Azure and Microsoft Entra ID, TYPO3 is a strong choice for a modern, cloud-capable web platform.

Typical use cases for TYPO3 and Managed Identities

The combination of TYPO3 and Managed Identities is particularly useful in the following scenarios:

  • Access to Azure Key Vault for secure management of configuration values and secrets
  • Storage and delivery of media files via Azure Blob Storage
  • Connection to Azure SQL Database or other databases with identity-based authentication
  • Integration of Microsoft Graph for user, group, or calendar data
  • Automated workflows with Azure Functions, Logic Apps, or Event Grid

These scenarios show that Managed Identities are not just a security feature, but can also simplify architecture and significantly improve the operations of professional TYPO3 installations.

Requirements for integration

Before integrating TYPO3 with Managed Identities in Microsoft Cloud Services, a few basics should be in place. This includes a suitable Azure environment in which the TYPO3 instance runs, such as an Azure App Service, an Azure VM, or a container setup in Azure Kubernetes Service.

You also need:

  • An Azure subscription with the appropriate permissions
  • A configured Microsoft Entra ID environment
  • TYPO3 in a supported version
  • Access to the server or hosting configuration
  • Knowledge of PHP, TYPO3 configuration, and Azure role management

Depending on the target system, additional adjustments in the TYPO3 framework or in an extension may be needed to implement token-based access cleanly.

How authentication with Managed Identities works

The basic principle is simple: the Azure resource hosting TYPO3 receives a Managed Identity. This identity is granted the necessary roles or access rights in Azure. TYPO3 or a TYPO3 extension then requests an access token via the Azure environment, which is used for the desired service.

In the background, Azure uses the so-called Instance Metadata Service or similar mechanisms to provide the application with a short-lived token. TYPO3 therefore does not need to store secrets itself, but instead works with dynamic authentication information.

Example workflow

A typical workflow looks like this:

1. An Azure App Service instance hosts TYPO3.
2. A System-Assigned Managed Identity is enabled for the App Service.
3. This identity is granted access to Azure Key Vault or Azure Storage.
4. At runtime, TYPO3 retrieves a token via Azure APIs.
5. The application securely accesses the protected resource.

This model is not only secure, but also low-maintenance, as classical secret rotation is no longer required.

Connecting TYPO3 securely with Azure Key Vault

One of the most common use cases is connecting TYPO3 with Azure Key Vault. Sensitive data such as API keys, SMTP credentials, or connection strings can be stored centrally there. Instead of placing this information directly in TYPO3 configuration files, the application can retrieve it from Key Vault when needed.

Such a setup offers several advantages: secrets are managed centrally, permissions can be granted very granularly, and the overall security standard of the solution increases significantly. At the same time, TYPO3 remains flexible because changes to credentials no longer have to be tied to deployments.

Best practices for Key Vault

When using Key Vault together with TYPO3, you should follow these best practices:

  • Use Managed Identities whenever possible instead of service principals with client secrets
  • Grant only the minimum permissions required
  • Strictly separate development, test, and production environments
  • Log access to secrets via Azure Monitoring
  • Externalize configurations dynamically instead of storing them statically in the repository

TYPO3 and Azure Storage: securely offloading media

Using Azure Blob Storage is also a typical scenario for TYPO3 in the Microsoft Cloud. Especially with large media libraries, downloads, or user-uploaded files, offloading files to cloud storage can significantly improve scalability.

Managed Identities simplify access to Azure Storage because TYPO3 does not need to store Storage Keys or SAS tokens permanently. Instead, the identity of the hosting environment is used to securely store or retrieve files.

Benefits for media management

Storing images, videos, and documents in Azure Blob Storage offers, among other things, the following benefits:

  • Relief for the web server
  • Better scalability under high traffic
  • Clean separation between application and file storage
  • Simpler backup and recovery strategies
  • Enhanced options for CDN and performance optimizations

Integrating TYPO3 with Microsoft Graph

For companies that want to connect TYPO3 with Microsoft 365 or Entra ID, the Microsoft Graph API is often the central interface. Through Graph, for example, user information, group memberships, or calendar data can be retrieved.

With a Managed Identity, a TYPO3 application can securely access Graph, provided the required permissions have been configured correctly. This is especially useful for intranet portals, internal employee areas, or personalized content.

It is important to plan permissions carefully. Since Microsoft Graph offers very powerful access options, you should only assign the scopes and roles that are truly needed for the specific use case.

Implementation in TYPO3: what developers should pay attention to

The concrete implementation depends heavily on the hosting environment and target system. In TYPO3, integration usually takes place via a custom extension, a service class, or an existing Azure integration. The goal is to neatly encapsulate token requests and API calls rather than distributing them directly in templates or controllers.

Recommended architecture

A good architecture for TYPO3 and Managed Identities consists of the following layers:

  • Presentation layer: templates and frontend output
  • Application layer: TYPO3 services, controllers, and business logic
  • Integration layer: Azure SDK, token handling, API clients
  • Infrastructure layer: Azure App Service, Key Vault, Storage, Entra ID

This separation makes maintenance, testing, and later extensions easier. It also makes the use of Managed Identities more transparent and easier to control.

Technical notes for PHP and TYPO3

Depending on the environment, access to Azure services can take place via Microsoft SDKs for PHP or via direct HTTP calls to Azure endpoints. It is important that tokens are stored only temporarily and renewed regularly. In addition, error handling, logging, and fallback mechanisms should be implemented cleanly.

TYPO3 developers should also make sure that:

  • no secrets end up in the source code
  • configuration values are retrieved via environment variables or central services
  • API errors are logged in a traceable way
  • timeouts and retries are defined for cloud calls
  • production and non-production environments remain separate

Security benefits of Managed Identities

The biggest advantage of Managed Identities lies in security. Classic authentication methods with fixed credentials always carry the risk that credentials are accidentally published, misconfigured, or used for too long. Managed Identities significantly reduce this attack surface.

Additional security benefits include:

  • No secret management in code
  • Automatic token renewal
  • Fine-grained access control via Azure roles
  • Lower risk during deployments
  • Better traceability through Azure Monitoring and auditing

Especially in regulated industries or companies with high compliance requirements, this approach is a clear advantage.

Common mistakes and how to avoid them

When introducing TYPO3 with Managed Identities, similar problems often arise. The good news: many of them can be avoided with clear processes.

Missing permissions

If TYPO3 has no access rights to Key Vault or Storage, this is usually due to missing Azure roles. Therefore, first check the assignment of the Managed Identity and the relevant RBAC roles.

Incorrect environment assumptions

A common mistake is assuming that the same configuration works locally, in staging, and in production. Managed Identities, however, are an Azure-specific concept and must be actively available in the target environment.

Poor token handling

Tokens should not be stored permanently or requested again unnecessarily often. A structured token cache with expiration control improves performance and stability.

Permissions that are too broad

Even though Managed Identities are secure, permissions that are too broad can increase risk. Follow the principle of least privilege.

Best practices for production use

To ensure that TYPO3 and Microsoft Cloud Services work reliably in production, you should consider some proven practices:

  • Use Managed Identities by default for all Azure-related access scenarios
  • Separate responsibilities between TYPO3 development and cloud administration
  • Automate deployments and permission assignments as much as possible
  • Continuously monitor access, latency, and error rates
  • Document architecture, roles, and dependencies transparently

These measures help build a robust and traceable TYPO3 platform in the Microsoft Cloud.

Conclusion: Why TYPO3 and Managed Identities are a strong duo

The combination of TYPO3 and Managed Identities is a modern, secure, and scalable way to connect web applications with Microsoft Cloud Services. Companies benefit from a significantly better security architecture, less administrative effort, and a clear separation between the application and secrets.

Whether for Azure Key Vault, Azure Storage, Microsoft Graph, or other cloud services: Managed Identities make integrating TYPO3 into the Microsoft world easier and more reliable. Anyone running TYPO3 in Azure should definitely include this concept in their architecture planning.

If you want to build a future-proof TYPO3 solution, using Managed Identities is an important step toward a professional cloud strategy.