Thanks!
Ok, I figured it out: the redirect URL has to match the caller's URL exactly, wherever it's called from, so when executed in the debugger, the URL would need to start with the local WebCore server, with whatever port it has configured, followed by the name of the project folder, and ending with the project.html. I.e.: just copy it from the browser when you run it.
Next, it only returns a subset of user properties in the "UserData: TMicrosoftUserData" parameter, and does not have a userPrincipalName value, which I need.
It's all buried in JS (plus the structure definition in PAS), so it's not too easy to change (plus the next TMS update would override it), so I'd like to request more details in this class in the next update, please.
The data it gets from Azure includes businessPhones, jobTitle, mobilePhone, officeLocation, preferredLanguage and userPrincipalName, so it would make sense to return all of these.
And ideally the entire JWT as well - there are more details there, including the IP address of the user, as used to sign into Azure. And the JWT would allow me to do an independent validation of the signature as well (which may or may not be happening in JS); the more security checks it allows me / the caller to add, the merrier.