diff --git a/packages/core-service/src/core/integrations/integrations.controller.ts b/packages/core-service/src/core/integrations/integrations.controller.ts
index c4c0067..12adfc7 100644
--- a/packages/core-service/src/core/integrations/integrations.controller.ts
+++ b/packages/core-service/src/core/integrations/integrations.controller.ts
@@ -65,9 +65,16 @@ export class IntegrationsController {
 @Req() req: Request,
 ): Promise<{ success: boolean; data: { url: string } }> {
 // Redirect-URI dynamisch aus dem Anfrage-Host ableiten
- // Unterstuetzt sowohl IP als auch DNS-Name (z.B. insight.xinion.lan)
+ // Protokoll: aus der konfigurierten SSO-URI (HTTPS) — Azure akzeptiert nur HTTPS
+ // fuer nicht-localhost URIs. x-forwarded-proto koennte http sein (Traefik-intern).
 const host = (req.get('x-forwarded-host') || req.get('host') || '').split(',')[0].trim();
- const proto = req.get('x-forwarded-proto') || req.protocol || 'http';
+ const configuredUri = this.entraIdService.getIntegrationRedirectUri();
+ let proto = 'https';
+ try {
+ proto = new URL(configuredUri).protocol.replace(':', '');
+ } catch {
+ proto = req.get('x-forwarded-proto') || 'https';
+ }
 const redirectUri = host
 ? `${proto}://${host}/api/v1/auth/integrations/microsoft-365/callback`
 : undefined;
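Review bot: The `catch` fallback still takes the scheme from `x-forwarded-proto` without validation, although the new comment says that header cannot be relied on. The value may be a comma-separated list, or client-supplied if the proxy does not overwrite it, and it flows unchecked into `redirectUri`. Prefer a fixed `proto = 'https';` in the catch, or constrain it with `const fwd = (req.get('x-forwarded-proto') || '').split(',')[0].trim(); proto = fwd === 'http' ? 'http' : 'https';`, and log when the configured URI fails to parse so a misconfiguration is noticed. The `host` part is still read from `x-forwarded-host`/`Host` on the unchanged line above, so checking it against an allowlist of expected hostnames before building the OAuth redirect URI would be worth adding. The handler starts and ends outside this hunk, so how `redirectUri` is consumed is not visible here.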