diff --git a/index.php b/index.php
index e0f92b5..d0ce5d1 100755
--- a/index.php
+++ b/index.php
@@ -1,16 +1,90 @@
 <?php
 require_once 'config.php';
 
-// DETECT OAUTH CALLBACK - Azure AD redirects to root with ?code= parameter
-// If this is an OAuth callback, redirect to auth.php to process it
+use League\OAuth2\Client\Provider\GenericProvider;
+
+// HANDLE OAUTH CALLBACK FROM AZURE AD
+// Azure redirects to root URL with ?code= and ?state= parameters
 if (isset($_GET['code']) && isset($_GET['state'])) {
-    // Preserve all query parameters and redirect to auth.php
-    $queryString = http_build_query($_GET);
-    header("Location: auth.php?" . $queryString);
-    exit;
+    // Start session to access PKCE verifier and state
+    if (session_status() === PHP_SESSION_NONE) {
+        session_start();
+    }
+
+    // Verify state to prevent CSRF attacks
+    if (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) {
+        unset($_SESSION['oauth2state']);
+        unset($_SESSION['oauth2_code_verifier']);
+        die('Invalid state. Possible CSRF attack.');
+    }
+
+    try {
+        // Retrieve code verifier from session
+        if (!isset($_SESSION['oauth2_code_verifier'])) {
+            die('Code verifier not found in session.');
+        }
+
+        $codeVerifier = $_SESSION['oauth2_code_verifier'];
+
+        // Configure Azure AD OAuth2 Provider
+        $provider = new GenericProvider([
+            'clientId'                => AZURE_CLIENT_ID,
+            'redirectUri'             => AZURE_REDIRECT_URI,
+            'urlAuthorize'            => AZURE_AUTHORITY . '/oauth2/v2.0/authorize',
+            'urlAccessToken'          => AZURE_AUTHORITY . '/oauth2/v2.0/token',
+            'urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/me',
+            'scopes'                  => 'openid profile email User.Read'
+        ]);
+
+        // Exchange authorization code for access token with PKCE
+        $accessToken = $provider->getAccessToken('authorization_code', [
+            'code' => $_GET['code'],
+            'code_verifier' => $codeVerifier
+        ]);
+
+        // Get user information from Microsoft Graph API
+        $request = $provider->getAuthenticatedRequest(
+            'GET',
+            'https://graph.microsoft.com/v1.0/me',
+            $accessToken->getToken()
+        );
+
+        $client = new \GuzzleHttp\Client();
+        $response = $client->send($request);
+        $userData = json_decode($response->getBody(), true);
+
+        // Store user information in session
+        $_SESSION['authenticated'] = true;
+        $_SESSION['user_id'] = $userData['id'];
+        $_SESSION['user_name'] = $userData['displayName'] ?? $userData['userPrincipalName'];
+        $_SESSION['user_email'] = $userData['userPrincipalName'] ?? $userData['mail'];
+        $_SESSION['access_token'] = $accessToken->getToken();
+        $_SESSION['last_activity'] = time();
+
+        // Initialize user files array for tracking uploads
+        $_SESSION['user_files'] = [];
+
+        // Clean up temporary session variables
+        unset($_SESSION['oauth2state']);
+        unset($_SESSION['oauth2_code_verifier']);
+
+        // Regenerate session ID for security
+        session_regenerate_id(true);
+
+        // Redirect to main application (clean URL, no query parameters)
+        header('Location: index.php');
+        exit;
+
+    } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
+        // Handle authentication errors
+        die('Authentication failed: ' . htmlspecialchars($e->getMessage()));
+    } catch (\Exception $e) {
+        // Handle other errors
+        die('An error occurred: ' . htmlspecialchars($e->getMessage()));
+    }
 }
 
-// Require authentication - redirect to login if not authenticated
+// Normal flow - require authentication
 requireAuth();
 
 // Get current user info