Microsoft identity platform code samples

These code samples are built and maintained by Microsoft to demonstrate usage of our authentication libraries with the Microsoft identity platform. Common authentication and authorization scenarios are implemented in several application types, development languages, and frameworks.

• Sign in users to web applications and provide authorized access to protected web APIs.
• Protect a web API by requiring an access token to perform API operations.

Each code sample includes a README.md file describing how to build the project (if applicable) and run the sample application. Comments in the code help you understand how these libraries are used in the application to perform authentication and authorization by using the identity platform.

Single-page applications

These samples show how to write a single-page application secured with Microsoft identity platform. These samples use one of the flavors of MSAL.js.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
Angular	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call .NET Core web API • Call .NET Core web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	MSAL Angular	• Authorization code with PKCE • On-behalf-of (OBO) • Continuous Access Evaluation (CAE)
Blazor WebAssembly	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL.js	Implicit Flow
JavaScript	• Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call Node.js web API • Call Node.js web API (B2C) • Call Microsoft Graph via OBO • Call Node.js web API via OBO and CA • Deploy to Azure Storage and App Service	MSAL.js	• Authorization code with PKCE • On-behalf-of (OBO) • Conditional Access
React	• Sign in users • Sign in users (B2C) • Sign-in users on both server and client side apps • Call Microsoft Graph • Call Azure REST API and Azure Storage • Call Node.js web API • Call Node.js web API (B2C) • Call Microsoft Graph via OBO • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service • Deploy to Azure Static Web Apps • Use step-up authentication to call Node.js web API	MSAL React	• Authorization code with PKCE • On-behalf-of (OBO) • Conditional Access (CA) • Conditional Access Auth Context (acrs) • Continuous Access Evaluation (CAE)

Web applications

The following samples illustrate web applications that sign in users. Some samples also demonstrate the application calling Microsoft Graph, or your own web API with the user's identity.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET Core	ASP.NET Core Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Customize token cache • Call Graph (multi-tenant) • Call Azure REST APIs • Protect web API • Protect web API (B2C) • Protect multi-tenant web API • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure Storage and App Service	• MSAL.NET • Microsoft.Identity.Web	• OpenID connect • Authorization code • On-Behalf-Of
Blazor	Blazor Server Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Call web API • Call web API (B2C)	MSAL.NET	Implicit/Hybrid flow
ASP.NET Core	Advanced Token Cache Scenarios	• MSAL.NET • Microsoft.Identity.Web	On-Behalf-Of (OBO)
ASP.NET Core	Use the Conditional Access auth context to perform step-up authentication	• MSAL.NET • Microsoft.Identity.Web	Authorization code
ASP.NET Core	Active Directory FS to Azure AD migration	MSAL.NET	• SAML • OpenID connect
ASP.NET	• Microsoft Graph Training Sample • Sign in users and call Microsoft Graph • Sign in users and call Microsoft Graph with admin restricted scope • Quickstart: Sign in users	MSAL.NET	• OpenID connect • Authorization code
Java Spring	Azure AD Spring Boot Starter Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Groups for access control • Deploy to Azure App Service • Protect a web API	• MSAL Java • Azure AD Boot Starter	Authorization code
Java Servlets	Spring-less Servlet Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Use App Roles for access control • Use Security Groups for access control • Deploy to Azure App Service	MSAL Java	Authorization code
Node.js Express	Express web app series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service • Use App Roles for access control • Use Security Groups for access control • Web app that sign in users	MSAL Node	Authorization code
Python Flask	Flask Series • Sign in users • Sign in users (B2C) • A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code
Python Django	Django Series • Sign in users • Sign in users (B2C) • Call Microsoft Graph • Deploy to Azure App Service	MSAL Python	Authorization code
Ruby	Graph Training • Sign in users and call Microsoft Graph	OmniAuth OAuth2	Authorization code

Web API

The following samples show how to protect a web API with the Microsoft identity platform, and how to call a downstream API from the web API.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET	Call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
ASP.NET Core	Sign in users and call Microsoft Graph	MSAL.NET	On-Behalf-Of (OBO)
Java	Sign in users	MSAL Java	On-Behalf-Of (OBO)
Node.js	• Protect a Node.js web API • Protect a Node.js Web API with Azure AD B2C	MSAL Node	Authorization bearer

Desktop

The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the Desktop (Console) with Web Authentication Manager (WAM) sample, all these client applications use the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph • Call Microsoft Graph with token cache • Call Microsoft Graph with custom web UI HTML • Call Microsoft Graph with custom web browser • Sign in users with device code flow • Authenticate users with MSAL.NET in a WinUI desktop application	MSAL.NET	• Authorization code with PKCE • Device code
.NET	Invoke protected API with integrated Windows authentication	MSAL.NET	Integrated Windows authentication
Java	Call Microsoft Graph	MSAL Java	Integrated Windows authentication
Node.js	Sign in users	MSAL Node	Authorization code with PKCE
PowerShell	Call Microsoft Graph by signing in users using username/password	MSAL.NET	Resource owner password credentials
Python	Sign in users	MSAL Python	Resource owner password credentials
Universal Window Platform (UWP)	Call Microsoft Graph	MSAL.NET	Web account manager
Windows Presentation Foundation (WPF)	Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE
XAML	• Sign in users and call ASP.NET core web API • Sign in users and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

Mobile

The following samples show public client mobile applications that access the Microsoft Graph API. These client applications use the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph using MAUI • Call Microsoft Graph using MAUI with broker • Call Active Directory B2C tenant using MAUI	MSAL MAUI	Authorization code with PKCE
iOS	• Call Microsoft Graph native • Call Microsoft Graph with Azure AD nxoauth	MSAL iOS	Authorization code with PKCE
Java	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE
Kotlin	Sign in users and call Microsoft Graph	MSAL Android	Authorization code with PKCE
Xamarin	• Sign in users and call Microsoft Graph • Sign in users with broker and call Microsoft Graph	MSAL.NET	Authorization code with PKCE

Service / daemon

The following samples show an application that accesses the Microsoft Graph API with its own identity (with no user).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET Core	• Call Microsoft Graph • Call web API • Using managed identity and Azure key vault	MSAL.NET	Client credentials grant
ASP.NET	Multi-tenant with Microsoft identity platform endpoint	MSAL.NET	Client credentials grant
Java	• Call Microsoft Graph with Secret • Call Microsoft Graph with Certificate	MSAL Java	Client credentials grant
Node.js	Call Microsoft Graph with secret	MSAL Node	Client credentials grant
Python	• Call Microsoft Graph with secret • Call Microsoft Graph with certificate	MSAL Python	Client credentials grant

Azure Functions as web APIs

The following samples show how to protect an Azure Function using HttpTrigger and exposing a web API with the Microsoft identity platform, and how to call a downstream API from the web API.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET	.NET Azure function web API secured by Azure AD	MSAL.NET	Authorization code
Node.js	Node.js Azure function web API secured by Azure AD	MSAL Node	Authorization bearer
Node.js	Call Microsoft Graph API on behalf of a user	MSAL Node	On-Behalf-Of (OBO)
Python	Python Azure function web API secured by Azure AD	MSAL Python	Authorization code

Headless

The following sample shows a public client application running on a device without a web browser. The app can be a command-line tool, an app running on Linux or Mac, or an IoT application. The sample features an app accessing the Microsoft Graph API, in the name of a user who signs-in interactively on another device (such as a mobile phone). This client application uses the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
.NET core	Invoke protected API from text-only device	MSAL.NET	Device code
Java	Sign in users and invoke protected API from text-only device	MSAL Java	Device code
Python	Call Microsoft Graph	MSAL Python	Device code

Microsoft Teams applications

The following sample illustrates Microsoft Teams Tab application that signs in users. Additionally it demonstrates how to call Microsoft Graph API with the user's identity using the Microsoft Authentication Library (MSAL).

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
Node.js	Teams Tab app: single sign-on (SSO) and call Microsoft Graph	MSAL Node	On-Behalf-Of (OBO)

Multi-tenant SaaS

The following samples show how to configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. Configuring your application to be multi-tenant means that you can offer a Software as a Service (SaaS) application to many organizations, allowing their users to be able to sign-in to your application after providing consent.

Language/ Platform	Code sample(s) on GitHub	Auth libraries	Auth flow
ASP.NET Core	ASP.NET Core MVC web application calls Microsoft Graph API	MSAL.NET	OpenID connect
ASP.NET Core	ASP.NET Core MVC web application calls ASP.NET Core web API	MSAL.NET	Authorization code
Angular	Angular single-page application calls ASP.NET Core web API	MSAL Angular	Authorization code

Next steps

If you'd like to delve deeper into more sample code, see:

• Sign in users and call the Microsoft Graph API from an Angular
• Sign in users in a Node.js and Express web app
• Call the Microsoft Graph API from a Universal Windows Platform