diff --git a/server/controllers/azuread.js b/server/controllers/azuread.js
index 7e03a850..1aa03aee 100644
--- a/server/controllers/azuread.js
+++ b/server/controllers/azuread.js
@@ -1,8 +1,8 @@
 import axios from "axios";
+import {Buffer} from 'buffer';
 import { randomUUID } from "crypto";
 import pkceChallenge from "pkce-challenge";
 
-
 const configValidation = () => {
   const config = strapi.config.get("plugin::strapi-plugin-sso");
   if (
@@ -30,7 +30,6 @@ const OAUTH_RESPONSE_TYPE = "code";
 
 async function azureAdSignIn(ctx) {
   const config = configValidation();
-  const redirectUri = encodeURIComponent(config["AZUREAD_OAUTH_REDIRECT_URI"]);
   const endpoint = OAUTH_ENDPOINT(config["AZUREAD_TENANT_ID"]);
 
   // Generate code verifier and code challenge
@@ -40,7 +39,18 @@ async function azureAdSignIn(ctx) {
   // Store the code verifier in the session
   ctx.session.codeVerifier = codeVerifier;
 
-  const url = `${endpoint}?client_id=${config["AZUREAD_OAUTH_CLIENT_ID"]}&redirect_uri=${redirectUri}&scope=${config["AZUREAD_SCOPE"]}&response_type=${OAUTH_RESPONSE_TYPE}&code_challenge=${codeChallenge}&code_challenge_method=S256`;
+  const state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+  ctx.session.oidcState = state;
+
+  const params = new URLSearchParams();
+  params.append('client_id', config['AZUREAD_OAUTH_CLIENT_ID']);
+  params.append('redirect_uri', config['AZUREAD_OAUTH_REDIRECT_URI']);
+  params.append('scope', config['AZUREAD_SCOPE']);
+  params.append('response_type', OAUTH_RESPONSE_TYPE);
+  params.append('code_challenge', codeChallenge);
+  params.append('code_challenge_method', 'S256');
+  params.append('state', state);
+  const url = `${endpoint}?${params.toString()}`;
   ctx.set("Location", url);
   return ctx.send({}, 302);
 }
@@ -56,6 +66,9 @@ async function azureAdSignInCallback(ctx) {
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`));
   }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+  }
 
   const params = new URLSearchParams();
   params.append("code", ctx.query.code);
@@ -80,6 +93,10 @@ async function azureAdSignInCallback(ctx) {
       },
     });
 
+    if (!userResponse.data.email) {
+      throw new Error('Email address is not set. Please set email property to the Azure AD user.');
+    }
+
     // whitelist check
     await whitelistService.checkWhitelistForEmail(userResponse.data.email)