diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index f90bc66..abc3c8d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -4,11 +4,12 @@ import { PrismaAdapter } from "@auth/prisma-adapter";
 import { prisma } from "@/lib/prisma";
 import type { Role } from "@/generated/prisma/client";
-// Build the OAuth redirect proxy URL so the callback includes the Next.js
-// basePath (/hp-prod-tracker). Auth.js route matching uses basePath="/api/auth"
-// (without the prefix), but the redirect_uri sent to Microsoft must include it.
-const redirectProxyUrl = process.env.AUTH_URL
- ? `${process.env.AUTH_URL}/api/auth`
+// next-auth v5 beta ignores redirectProxyUrl when building the redirect_uri
+// sent to the OAuth provider — it strips the pathname from AUTH_URL and appends
+// basePath directly to the origin. We must pass redirect_uri explicitly so the
+// /hp-prod-tracker basePath is included in the Microsoft callback URL.
+const explicitRedirectUri = process.env.AUTH_URL
+ ? `${process.env.AUTH_URL}/api/auth/callback/microsoft-entra-id`
 : undefined;
 export const { handlers, auth, signIn, signOut } = NextAuth({
@@ -25,8 +26,11 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
 // Safe for Entra ID — Microsoft verifies organizational emails.
 // Required to link SSO accounts to pre-seeded User records by email match.
 allowDangerousEmailAccountLinking: true,
- // Include the Next.js basePath in the OAuth redirect URI
- redirectProxyUrl,
+ // Explicitly set redirect_uri so /hp-prod-tracker basePath is included.
+ // next-auth v5 beta strips the pathname from AUTH_URL otherwise.
+ ...(explicitRedirectUri && {
+ authorization: { params: { redirect_uri: explicitRedirectUri } },
+ }),
 }),
 ],
 session: {
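Review bot: `explicitRedirectUri` is built by plain string concatenation, so an `AUTH_URL` that ends in `/` yields `...//api/auth/callback/microsoft-entra-id`, which will not exactly match the redirect URI registered for the app. Strip the trailing slash before appending, e.g. `process.env.AUTH_URL.replace(/\/+$/, "")`. The path also hard-codes the provider id `microsoft-entra-id`, which has to stay in sync with the provider configured in the second hunk, so a one-line comment saying so would help. When `AUTH_URL` is unset the constant is `undefined` and the override is skipped without any log line, so a deployment missing the variable silently falls back to the library-built URI.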
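Review bot: The added `authorization: { params: { redirect_uri: explicitRedirectUri } }` overrides the value only on the authorization request. The code-for-token exchange on the callback presumably still derives its own `redirect_uri` from the provider callback URL, and the identity provider rejects the exchange if the two differ. Please confirm with an end-to-end sign-in under the `/hp-prod-tracker` basePath that both legs send the same URI, and name the exact next-auth release in the comment instead of "v5 beta", so the workaround can be removed once upstream behaviour changes. Separately, the unchanged `allowDangerousEmailAccountLinking: true` above is only as safe as the email claim; the comment's "Safe for Entra ID" holds if the app registration is single-tenant or the tenant/issuer is checked, which this hunk does not show. The `NextAuth({ ... })` call starts and ends outside the hunk.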