diff --git a/apps/scandic-web/app/api/web/auth/dtmc/route.ts b/apps/scandic-web/app/api/web/auth/dtmc/route.ts
index e0795dd1d..4f4ce8b05 100644
--- a/apps/scandic-web/app/api/web/auth/dtmc/route.ts
+++ b/apps/scandic-web/app/api/web/auth/dtmc/route.ts
@@ -88,6 +88,8 @@ async function linkEmployeeToUser(
 case 403:
 queryParam = "forbidden"
 break
+ case 500:
+ queryParam = "internal_server_error"
 }
 return {
 success: false,
diff --git a/apps/scandic-web/auth.dtmc.ts b/apps/scandic-web/auth.dtmc.ts
index 06e014d13..b78ea52be 100644
--- a/apps/scandic-web/auth.dtmc.ts
+++ b/apps/scandic-web/auth.dtmc.ts
@@ -88,11 +88,23 @@ const config = {
 ) {
 const employeeId = profile["user.employeeid"]
 if (employeeId && typeof employeeId === "string") {
+ logger.info(
+ "[auth.dtmc] DTMC authentication successful - employeeId extracted"
+ )
 return {
 access_token: "", // JWT requires it, but DTMC does not need it, so save on cookie size by using empty string
 loginType: "dtmc",
 employeeId,
 }
+ } else {
+ logger.error(
+ "[auth.dtmc] DTMC authentication failed - no employeeId found in Microsoft profile. Check Azure app registration optional claims configuration.",
+ {
+ userObjectId: profile.oid,
+ tenantId: profile.tid,
+ clientId: profile.aud,
+ }
+ )
 }
 }
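Review bot: The new `case 500:` arm in route.ts ends without a `break`, unlike the `case 403:` arm above it, so a case added below it later would silently inherit a fall-through; add `break` after `queryParam = "internal_server_error"`. Only an exact 500 is mapped, so a 502, 503 or 504 from the upstream call takes whatever path the switch already has for unmatched statuses. The switch opens outside the hunk, so whether a `default` arm exists is not visible here; if other 5xx responses should surface the same way, a `default` arm or a `status >= 500` check would cover them.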
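Review bot: In auth.dtmc.ts the new `else` branch also runs when `user.employeeid` is present but not a string, yet the message says only "no employeeId found", which would send an operator to the Azure optional-claims configuration for what is really a claim-type problem. Adding `claimType: typeof employeeId` to the context object would separate the two cases without logging the value itself. The logged `profile.oid` is a stable per-user identifier, so this error log should be handled as personal data for retention and access purposes; it is worth confirming that `oid` is needed alongside `tid` and `aud`. What the callback returns after this branch lies outside the hunk.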