Authentication & SSO

Inventorix supports two login methods: local email/password accounts and Microsoft Entra ID (Azure AD) single sign-on via Socialite. Authentication settings — including SSO credentials and multi-factor authentication — are managed in the admin panel under Settings → Authentication.

Every user account has a login_enabled flag. When set to false, the user cannot access the panel regardless of their credentials or SSO status. You can toggle this on a per-user basis from the Users list in the admin panel.

Password reset emails are sent through the configured mail transport (see Mail & SMTP).

Inventorix integrates with Microsoft Entra ID using the socialiteproviders/microsoft-azure package. When enabled, a Login via Entra ID button appears on the login page. Users who authenticate via SSO are matched to existing accounts by their Entra object ID (entra_id column).

  1. In the Azure portal, go to Azure Active Directory → App registrations → New registration.
  2. Set the redirect URI to your Inventorix instance:
    https://your-domain.com/auth/microsoft/callback
    The URI must match the value you configure in MS_REDIRECT_URI / the admin UI exactly — including the scheme and any trailing path.
  3. Under Certificates & secrets, create a new client secret and note the value immediately (it is only shown once).
  4. Note the Application (client) ID and Directory (tenant) ID from the Overview page.

The environment variables below seed the database settings on first migration. After that, use the in-app Settings → Authentication page.

| Variable | Default | Purpose |
| --- | --- | --- |
| MS_LOGIN_ENABLED | false | Set to true to activate the Entra ID login button |
| MS_CLIENT_ID | (empty) | Application (client) ID from Entra app registration |
| MS_CLIENT_SECRET | (empty) | Client secret value |
| MS_TENANT_ID | (empty) | Directory (tenant) ID |
| MS_REDIRECT_URI | ${APP_URL}/auth/microsoft/callback | Callback URL registered in Entra |

Navigate to Settings → Authentication in the admin panel. The Microsoft Azure / Entra ID section contains:

| Field | Purpose |
| --- | --- |
| Enabled toggle | Shows or hides the Entra ID login button; gates the OAuth routes |
| Client ID | Application (client) ID |
| Client secret | Write-only; stored encrypted. Leave blank to keep the stored value. |
| Redirect URI | Must match the URI registered in Entra |
| Tenant ID | Restricts login to a specific Entra directory |

Settings saved here are applied to the Laravel runtime config on every request — no restart is required. The Client ID and Tenant ID fields are required when the enabled toggle is on.
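The rules above (exact redirect URI match, Client ID and Tenant ID required when SSO is on, a tenant value that pins one directory) can be checked before the values are seeded or saved. This is an added example, not Inventorix code: `check_entra_settings`, the sample values and the GUID expectation are assumptions, and `common`, `organizations` and `consumers` are the Microsoft identity platform's multi-tenant aliases rather than values from this page.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Microsoft identity platform aliases that accept more than one directory
MULTI_TENANT = {"common", "organizations", "consumers"}
CALLBACK_PATH = "/auth/microsoft/callback"  # callback path given on this page
# Constructed sample values (not real identifiers); note the trailing slash
SAMPLE = {
    "MS_LOGIN_ENABLED": "true",
    "MS_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "MS_TENANT_ID": "common",
    "MS_REDIRECT_URI": "https://your-domain.com/auth/microsoft/callback/",
}


def check_entra_settings(cfg, registered_uri):
    """Return a list of problems; an empty list means the values are consistent."""
    if str(cfg.get("MS_LOGIN_ENABLED", "false")).lower() != "true":
        return []  # SSO disabled: nothing is required
    problems = []
    for key in ("MS_CLIENT_ID", "MS_TENANT_ID"):
        if not cfg.get(key):
            problems.append(f"{key} is required when SSO is enabled")
    client_id = cfg.get("MS_CLIENT_ID") or ""
    if client_id and not GUID.match(client_id):
        problems.append("MS_CLIENT_ID is not a GUID")
    tenant = cfg.get("MS_TENANT_ID") or ""
    if tenant.lower() in MULTI_TENANT:
        problems.append(f"MS_TENANT_ID '{tenant}' does not restrict login to one directory")
    elif tenant and not GUID.match(tenant):  # assumption: GUID form from the Overview page
        problems.append("MS_TENANT_ID is not a GUID")
    redirect = cfg.get("MS_REDIRECT_URI") or ""
    if redirect != registered_uri:  # exact, case-sensitive string comparison
        problems.append("MS_REDIRECT_URI differs from the URI registered in Entra")
    parts = urlsplit(redirect)
    # Entra accepts plain http only for localhost redirect URIs
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("MS_REDIRECT_URI should use https")
    if parts.path != CALLBACK_PATH:
        problems.append(f"MS_REDIRECT_URI path is not {CALLBACK_PATH}")
    return problems


if __name__ == "__main__":
    for p in check_entra_settings(SAMPLE, "https://your-domain.com/auth/microsoft/callback"):
        print("FAIL:", p)
```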

Inventorix supports authenticator-app-based MFA (TOTP) through Filament’s built-in multi-factor authentication feature. MFA settings are managed in Settings → Authentication under the Multi-factor authentication section.

| Setting | Purpose |
| --- | --- |
| Enabled | Allows users to enrol in MFA via their profile page |
| Force | Requires all users to complete MFA enrolment before accessing the panel |
| Recoverable | Allows users to generate recovery codes in case they lose access to their authenticator app |

These settings are applied at runtime on every panel request. Changes take effect immediately without a worker restart.

Database settings (the admin UI) override environment variables at runtime for both SSO and MFA. The env vars are only read during the settings migrations that create the initial database rows. Updating .env after first boot has no effect on authentication behaviour.