diff --git a/api/src/functions/oauthStart/oauthStart.scenarios.ts b/api/src/functions/oauthStart/oauthStart.scenarios.ts
new file mode 100644
index 0000000..d24ff74
--- /dev/null
+++ b/api/src/functions/oauthStart/oauthStart.scenarios.ts
@@ -0,0 +1,8 @@
+import type { ScenarioData } from '@redwoodjs/testing/api'
+
+export const standard = defineScenario({
+  // Define the "fixture" to write into your test database here
+  // See guide: https://redwoodjs.com/docs/testing#scenarios
+})
+
+export type StandardScenario = ScenarioData<unknown>
diff --git a/api/src/functions/oauthStart/oauthStart.test.ts b/api/src/functions/oauthStart/oauthStart.test.ts
new file mode 100644
index 0000000..d9b7fcd
--- /dev/null
+++ b/api/src/functions/oauthStart/oauthStart.test.ts
@@ -0,0 +1,29 @@
+import { mockHttpEvent, mockContext } from '@redwoodjs/testing/api'
+
+import { handler } from './oauthStart'
+
+//   Improve this test with help from the Redwood Testing Doc:
+//    https://redwoodjs.com/docs/testing#testing-functions
+
+describe('oauthStart function', () => {
+  it('Should respond with 200', async () => {
+    const httpEvent = mockHttpEvent({
+      queryStringParameters: {
+        id: '42', // Add parameters here
+      },
+    })
+
+    const response = await handler(httpEvent, mockContext())
+    const { data } = JSON.parse(response.body)
+
+    expect(response.statusCode).toBe(200)
+    expect(data).toBe('oauthStart function')
+  })
+
+  // You can also use scenarios to test your api functions
+  // See guide here: https://redwoodjs.com/docs/testing#scenarios
+  //
+  // scenario('Scenario test', async () => {
+  //
+  // })
+})
diff --git a/api/src/functions/oauthStart/oauthStart.ts b/api/src/functions/oauthStart/oauthStart.ts
new file mode 100644
index 0000000..f1019b7
--- /dev/null
+++ b/api/src/functions/oauthStart/oauthStart.ts
@@ -0,0 +1,41 @@
+import type { APIGatewayEvent, Context } from 'aws-lambda'
+
+import { logger } from 'src/lib/logger'
+
+/**
+ * The handler function is your code that processes http request events.
+ * You can use return and throw to send a response or error, respectively.
+ *
+ * Important: When deployed, a custom serverless function is an open API endpoint and
+ * is your responsibility to secure appropriately.
+ *
+ * @see {@link https://redwoodjs.com/docs/serverless-functions#security-considerations|Serverless Function Considerations}
+ * in the RedwoodJS documentation for more information.
+ *
+ * @typedef { import('aws-lambda').APIGatewayEvent } APIGatewayEvent
+ * @typedef { import('aws-lambda').Context } Context
+ * @param { APIGatewayEvent } event - an object which contains information from the invoker.
+ * @param { Context } _context - contains information about the invocation,
+ * function, and execution environment.
+ */
+export const handler = async (event: APIGatewayEvent, _context: Context) => {
+  logger.info(`${event.httpMethod} ${event.path}: oauth function`)
+
+  switch (event.path) {
+    case '/oauthStart/microsoft':
+      return await callback()
+    default:
+      return {
+        statusCode: 404,
+      }
+  }
+}
+
+const callback = async () => {
+  return {
+    statusCode: 302,
+    headers: {
+      Location: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${process.env.MICROSOFT_OAUTH_CLIENT_ID}&grant_type=authorization_code&response_type=code&redirect_uri=${process.env.MICROSOFT_OAUTH_REDIRECT_URI}&scope=${process.env.MICROSOFT_OAUTH_SCOPES.split(' ').join('+')}`,
+    },
+  }
+}
diff --git a/redwood.toml b/redwood.toml
index bcae53f..c4c5a1b 100644
--- a/redwood.toml
+++ b/redwood.toml
@@ -10,9 +10,6 @@
   port = 8910
   apiUrl = "/api" # You can customize graphql and dbauth urls individually too: see https://redwoodjs.com/docs/app-configuration-redwood-toml#api-paths
   includeEnvironmentVariables = [
-    "MICROSOFT_OAUTH_CLIENT_ID",
-    "MICROSOFT_OAUTH_SCOPES",
-    "MICROSOFT_OAUTH_REDIRECT_URI",
     # Add any ENV vars that should be available to the web side to this array
     # See https://redwoodjs.com/docs/environment-variables#web
   ]
diff --git a/web/src/components/Hero/Hero.tsx b/web/src/components/Hero/Hero.tsx
index 00cd587..a16d622 100644
--- a/web/src/components/Hero/Hero.tsx
+++ b/web/src/components/Hero/Hero.tsx
@@ -53,11 +53,7 @@ export default function Hero() {
                 </p>
                 <div className="mt-10 flex items-center gap-x-6">
                   <a
-                    href={`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${
-                      process.env.MICROSOFT_OAUTH_CLIENT_ID
-                    }&grant_type=authorization_code&response_type=code&redirect_uri=${
-                      process.env.MICROSOFT_OAUTH_REDIRECT_URI
-                    }&scope=${process.env.MICROSOFT_OAUTH_SCOPES.split(' ').join('+')}`}
+                    href={`${global.RWJS_API_URL}/oauthStart/microsoft`}
                     className="rounded-md bg-indigo-600 px-3.5 py-2.5 text-sm font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600"
                   >
                     Anmelden