SESSION_SECRET_KEY="replace-with-a-random-secret"
AZURE_TENANT_ID="<your-tenant-id>"
AZURE_CLIENT_ID="<your-client-id>"
AZURE_CLIENT_SECRET="<your-client-secret>"
AZURE_OAUTH_VERIFY_SSL="true"
# Optional: path to your corporate root CA bundle (preferred over disabling SSL)
# AZURE_OAUTH_CA_BUNDLE="/etc/ssl/certs/corporate-root-ca.pem"