Microsoft identity platform code samples

Article
09/21/2023

These code samples are built and maintained by Microsoft to demonstrate usage of our authentication libraries with the Microsoft identity platform. Common authentication and authorization scenarios are implemented in several application types, development languages, and frameworks.

Sign in users to web applications and provide authorized access to protected web APIs.
Protect a web API by requiring an access token to perform API operations.

Each code sample includes a README.md file describing how to build the project (if applicable) and run the sample application. Comments in the code help you understand how these libraries are used in the application to perform authentication and authorization by using the identity platform.

Samples and guides

Use the tabs to sort the samples by application type, or your preferred language/framework.

By app type
By language/framework

Single-page applications

These samples show how to write a single-page application secured with Microsoft identity platform. These samples use one of the flavors of MSAL.js.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
Angular	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call .NET Core web API • Call .NET Core web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	MSAL Angular	• Authorization code with PKCE • On-behalf-of (OBO) • Continuous Access Evaluation (CAE)
Blazor WebAssembly	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL.js	Implicit Flow
JavaScript	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call Node.js web API • Call Node.js web API (B2C) • Deploy to Azure Storage and App Service	MSAL.js	• Authorization code with PKCE •
React	• Sign in users • Sign in users (B2C) • Sign-in users on both server and client side apps • Call Microsoft Graph • Call Azure REST API and Azure Storage • Call Node.js web API • Call Node.js web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Static Web Apps • Use step-up authentication to call Node.js web API	MSAL React	• Authorization code with PKCE • On-behalf-of (OBO) • Conditional Access • Conditional Access Auth Context (acrs) • Continuous Access Evaluation (CAE)

Web applications

The following samples illustrate web applications that sign in users. Some samples also demonstrate the application calling Microsoft Graph, or your own web API with the user's identity.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET Core	ASP.NET Core Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Customize token cache • Call Graph (multi-tenant) • Call Azure REST APIs • Protect web API • Protect web API (B2C) • Protect multi-tenant web API • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	Microsoft.Identity.Web	• OpenID connect • Authorization code • On-Behalf-Of
Blazor	Blazor Server Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call web API • Call web API (B2C)	MSAL.NET	Hybrid flow
ASP.NET Core	Advanced Token Cache Scenarios	Microsoft.Identity.Web	On-Behalf-Of (OBO)
ASP.NET Core	Use the Conditional Access auth context to perform step-up authentication	Microsoft.Identity.Web	Authorization code
ASP.NET Core	Active Directory FS to Microsoft Entra migration	MSAL.NET	• SAML • OpenID connect
ASP.NET	• Microsoft Graph Training Sample • Sign in users and call Microsoft Graph • Sign in users and call Microsoft Graph with admin restricted scope • Quickstart: Sign in users	MSAL.NET	• OpenID connect • Authorization code
Java Spring	Microsoft Entra Spring Boot Starter Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Groups for access control • Deploy to Azure App Service • Protect a web API	• MSAL Java • Microsoft Entra ID Boot Starter	Authorization code
Java Servlets	Spring-less Servlet Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure App Service	MSAL Java	Authorization code
Node.js Express	Express web app series • Quickstart: sign in users • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call Microsoft Graph via BFF proxy • Deploy to Azure App Service • Use App Roles for access control • Use Security Groups for access control	MSAL Node	• Authorization code • Backend-for-Frontend (BFF) proxy
Python Flask	Flask Series • Sign in users • Sign in users (B2C) • A template to sign in Microsoft Entra ID or B2C users, and optionally call a downstream API (Microsoft Graph) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code
Python Django	Django Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code
Ruby	Graph Training • Sign in users and call Microsoft Graph	OmniAuth OAuth2	Authorization code

Web API

The following samples show how to protect a web API with the Microsoft identity platform, and how to call a downstream API from the web API.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET	Call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
ASP.NET Core	Sign in users and call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
Java	Sign in users	MSAL Java	On-Behalf-Of (OBO)
Node.js	• Protect a Node.js web API • Protect a Node.js Web API with Azure AD B2C	MSAL Node	Authorization bearer

Desktop

The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the Desktop (Console) with Web Authentication Manager (WAM) sample, all these client applications use the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph • Call Microsoft Graph with token cache • Call Microsoft Graph with custom web UI HTML • Call Microsoft Graph with custom web browser • Sign in users with device code flow • Authenticate users with MSAL.NET in a WinUI desktop application	MSAL.NET	• Authorization code with PKCE • Device code
.NET	Invoke protected API with integrated Windows authentication	MSAL.NET	Integrated Windows authentication
Java	Call Microsoft Graph	MSAL Java	Integrated Windows authentication
Node.js	Sign in users	MSAL Node	Authorization code with PKCE
.NET Core	Call Microsoft Graph by signing in users using username/password	MSAL.NET	Resource owner password credentials
Python	Sign in users	MSAL Python	Resource owner password credentials
Universal Window Platform (UWP)	Call Microsoft Graph	MSAL.NET	Web account manager
Windows Presentation Foundation (WPF)	Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE
Windows Presentation Foundation (WPF)	• Sign in users and call ASP.NET Core web API • Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

Mobile

The following samples show public client mobile applications that access the Microsoft Graph API. These client applications use the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph using MAUI • Call Microsoft Graph using MAUI with broker • Call Active Directory B2C tenant using MAUI	MSAL.NET	Authorization code with PKCE
iOS	• Call Microsoft Graph native • Call Microsoft Graph with Microsoft Entra nxoauth	MSAL iOS	Authorization code with PKCE
Java	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE
Kotlin	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE
Xamarin	• Sign in users and call Microsoft Graph • Sign in users with broker and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

Service / daemon

The following samples show an application that accesses the Microsoft Graph API with its own identity (with no user).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph • Call web API • Using managed identity and Azure Key Vault	MSAL.NET	Client credentials grant
ASP.NET	Multi-tenant with Microsoft identity platform endpoint	MSAL.NET	Client credentials grant
Java	• Call Microsoft Graph with Secret • Call Microsoft Graph with Certificate	MSAL Java	Client credentials grant
Node.js	Call Microsoft Graph with secret	MSAL Node	Client credentials grant
Python	• Call Microsoft Graph with secret • Call Microsoft Graph with certificate	MSAL Python	Client credentials grant

Azure Functions as web APIs

The following samples show how to protect an Azure Function using HttpTrigger and exposing a web API with the Microsoft identity platform, and how to call a downstream API from the web API.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET	.NET Azure function web API secured by Microsoft Entra ID	MSAL.NET	Authorization code
Python	Python Azure function web API secured by Microsoft Entra ID	MSAL Python	Authorization code

Browserless (Headless)

The following sample shows a public client application running on a device without a web browser. The app can be a command-line tool, an app running on Linux or Mac, or an IoT application. The sample features an app accessing the Microsoft Graph API, in the name of a user who signs-in interactively on another device (such as a mobile phone). This client application uses the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	Invoke protected API from text-only device	MSAL.NET	Device code
Java	Sign in users and invoke protected API from text-only device	MSAL Java	Device code
Python	Call Microsoft Graph	MSAL Python	Device code

Microsoft Teams applications

The following sample illustrates Microsoft Teams Tab application that signs in users. Additionally it demonstrates how to call Microsoft Graph API with the user's identity using the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
Node.js	Teams Tab app: single sign-on (SSO) and call Microsoft Graph	MSAL Node	On-Behalf-Of (OBO)

Multi-tenant SaaS

The following samples show how to configure your application to accept sign-ins from any Microsoft Entra tenant. Configuring your application to be multi-tenant means that you can offer a Software as a Service (SaaS) application to many organizations, allowing their users to be able to sign-in to your application after providing consent.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET Core	ASP.NET Core MVC web application calls Microsoft Graph API	MSAL.NET	OpenID connect
ASP.NET Core	ASP.NET Core MVC web application calls ASP.NET Core web API	MSAL.NET	Authorization code
Angular	Angular single-page application calls ASP.NET Core web API	MSAL Angular	Authorization code

C#

The following samples show how to build applications using the C# language and frameworks

.NET

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Desktop	Invoke protected API with integrated Windows authentication	MSAL.NET	Integrated Windows authentication
Headless	.NET Azure function web API secured by Microsoft Entra ID	MSAL.NET	Authorization code

.NET Core

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Desktop	• Call Microsoft Graph • Call Microsoft Graph with token cache • Call Microsoft Graph with custom web UI HTML • Call Microsoft Graph with custom web browser • Sign in users with device code flow • Authenticate users with MSAL.NET in a WinUI desktop application	MSAL.NET	• Authorization code with PKCE • Device code
Mobile	• Call Microsoft Graph using MAUI • Call Microsoft Graph using MAUI with broker • Call Active Directory B2C tenant using MAUI	MSAL.NET	Authorization code with PKCE
Headless	Invoke protected API from text-only device	MSAL.NET	Device code
Service/daemon	• Call Microsoft Graph • Call web API • Using managed identity and Azure key vault	MSAL.NET	Client credentials grant

ASP.NET

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	• Microsoft Graph Training Sample • Sign in users and call Microsoft Graph • Sign in users and call Microsoft Graph with admin restricted scope • Quickstart: Sign in users	MSAL.NET	• OpenID connect • Authorization code
Web API	Call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
Service/ daemon	Multi-tenant with Microsoft identity platform endpoint	MSAL.NET	Client credentials grant

ASP.NET Core

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Customize token cache • Call Graph (multi-tenant) • Call Azure REST APIs • Protect web API • Protect web API (B2C) • Protect multi-tenant web API • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	Microsoft.Identity.Web	• OpenID connect • Authorization code • On-Behalf-Of
Web application	Advanced Token Cache Scenarios	Microsoft.Identity.Web	On-Behalf-Of (OBO)
Web application	Use the Conditional Access auth context to perform step-up authentication	Microsoft.Identity.Web	Authorization code
Web application	Active Directory FS to Microsoft Entra migration	MSAL.NET	• SAML • OpenID connect
Web API	Sign in users and call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
Multi-tenant SaaS	ASP.NET Core MVC web application calls Microsoft Graph API	MSAL.NET	OpenID connect
Multi-tenant SaaS	ASP.NET Core MVC web application calls ASP.NET Core web API	MSAL.NET	Authorization code

Blazor

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Single-page application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL.js	Implicit Flow
Web application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call web API • Call web API (B2C)	MSAL.NET	Implicit/Hybrid flow

Xamarin

The following samples show how to build applications for the Xamarin platform.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Mobile	• Sign in users and call Microsoft Graph • Sign in users with broker and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

iOS

The following samples show how to build applications for the iOS platform.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Mobile	• Call Microsoft Graph native • Call Microsoft Graph with Microsoft Entra nxoauth	MSAL iOS	Authorization code with PKCE

JavaScript

The following samples show how to build applications for the JavaScript language and platform.

App type Code sample(s)
on GitHub Auth
libraries Auth flow

Single-page application • Sign in users
• Sign in users (B2C)
• Call Microsoft Graph
• Call Node.js web API
• Call Node.js web API (B2C)
• Deploy to Azure Storage and App Service MSAL.js • Authorization code with PKCE
• On-behalf-of (OBO)
• Conditional Access

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Single-page application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call Node.js web API • Call Node.js web API (B2C) • Deploy to Azure Storage and App Service	MSAL.js	• Authorization code with PKCE • On-behalf-of (OBO) • Conditional Access

Angular

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Single-page application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call .NET Core web API • Call .NET Core web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	MSAL Angular	• Authorization code with PKCE • On-behalf-of (OBO) • Continuous Access Evaluation (CAE)
Multi-tenant SaaS	Angular single-page application calls ASP.NET Core web API	MSAL Angular	Authorization code

Node.js

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web API	• Protect a Node.js web API • Protect a Node.js Web API with Azure AD B2C	MSAL Node	Authorization bearer
Desktop	Sign in users	MSAL Node	Authorization code with PKCE
Service, daemon	Call Microsoft Graph with secret	MSAL Node	Client credentials grant
Microsoft Teams applications	Teams Tab app: single sign-on (SSO) and call Microsoft Graph	MSAL Node	On-Behalf-Of (OBO)

Node.js (Express)

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service • Use App Roles for access control • Use Security Groups for access control • Web app that sign in users	MSAL Node	Authorization code

React

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Single-page application	• Sign in users • Sign in users (B2C) • Sign-in users on both server and client side apps • Call Microsoft Graph • Call Azure REST API and Azure Storage • Call Node.js web API • Call Node.js web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Static Web Apps • Use step-up authentication to call Node.js web API	MSAL React	• Authorization code with PKCE • On-behalf-of (OBO) • Conditional Access • Conditional Access Auth Context (acrs) • Continuous Access Evaluation (CAE)

Java

The following samples show how to build applications for the Java language and platform.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web API	Sign in users	MSAL Java	On-Behalf-Of (OBO)
Desktop	Call Microsoft Graph	MSAL Java	Integrated Windows authentication
Mobile	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE
Headless	Sign in users and invoke protected API from text-only device	MSAL Java	Device code
Service/ daemon	• Call Microsoft Graph with Secret • Call Microsoft Graph with Certificate	MSAL Java	Client credentials grant

Java Spring

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	Microsoft Entra Spring Boot Starter Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Groups for access control • Deploy to Azure App Service • Protect a web API	• MSAL Java • Microsoft Entra ID Boot Starter	Authorization code

Java Servlet

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	Spring-less Servlet Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure App Service	MSAL Java	Authorization code

Python

The following samples show how to build applications for the Python language and platform.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Azure Functions as web APIs	Python Azure function web API secured by Microsoft Entra ID	MSAL Python	Authorization code
Desktop	Sign in users	MSAL Python	Resource owner password credentials
Headless	Call Microsoft Graph	MSAL Python	Device code
Daemon	• Call Microsoft Graph with secret • Call Microsoft Graph with certificate	MSAL Python	Client credentials grant

Flask

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	• Sign in users • Sign in users (B2C) • A template to sign in Microsoft Entra ID or Azure AD B2C users, and optionally call a downstream API (Microsoft Graph) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code

Django

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code

Kotlin

The following samples show how to build applications with Kotlin.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Mobile	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE

Ruby

The following samples show how to build applications with Ruby.

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Web application	Graph Training • Sign in users and call Microsoft Graph	OmniAuth OAuth2	Authorization code

Universal Windows Platform (UWP)

The following samples show how to build applications with Universal Windows Platform (UWP).

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Desktop	Call Microsoft Graph	MSAL.NET	Web account manager

Windows Presentation Foundation (WPF)

The following samples show how to build applications with Windows Presentation Foundation (WPF).

App type	Code sample(s) on GitHub	Auth libraries	Auth flow
Desktop	Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE
Desktop	• Sign in users and call ASP.NET Core web API • Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

Next steps

If you'd like to delve deeper into more sample code, see: