Sign in users and edit profile in a sample Node.js web app
This guide uses a sample Node.js web app to show you how to add sign in and edit profile in a web app. The sample web app uses Microsoft Authentication Library for Node (MSAL Node) and Microsoft Graph API to complete the sign in and edit profile operation.
Prerequisites
- Complete the steps in Sign in users in a sample Node.js web app article. This article shows you how to sign in users by using a sample Node.js web app.
Register and configure EditProfileService app
In this step, you register the EditProfileService app (the API app) app, which provides a mechanism to protect the edit profile operation by requiring MFA.
Register EditProfileService app
Sign in to the Microsoft Entra admin center as at least an Application Developer.
If you have access to multiple tenants, use the Settings icon
in the top menu to switch to your external tenant from the Directories + subscriptions menu.Browse to Identity > Applications > App registrations.
Select + New registration.
In the Register an application page that appears, enter your application's registration information:
In the Name section, enter a meaningful application name, for example edit-profile-service.
Under Supported account types, select Accounts in this organizational directory only.
Select Register to create the application.
The application's Overview pane is displayed when registration is complete. Record the Application (client) ID for use in your application source code.
Configure EditProfileService app API scopes
The EditProfileService app needs to expose permissions, which a client needs to acquire for calling the API:
An API needs to publish a minimum of one scope, also called Delegated Permission, for the client apps to obtain an access token for a user successfully. To publish a scope, follow these steps:
From the App registrations page, select the API application that you created (such as edit-profile-service) to open its Overview page.
Under Manage, select Expose an API.
At the top of the page, next to Application ID URI, select the Add link to generate a URI that is unique for this app.
Accept the proposed Application ID URI such as
api://{clientId}, and select Save. When your web application requests an access token for the web API, it adds the URI as the prefix for each scope that you define for the API.Under Scopes defined by this API, select Add a scope.
Enter the following values that define a read access to the API, then select Add scope to save your changes:
Property Value Scope name EditProfileService.ReadWrite Who can consent Admins only Admin consent display name Client edits profile through edit profile service Admin consent description The scope to allow client web app to edit profile through calling the edit profile service. State Enabled Under Manage, select Manifest to open the API manifest editor.
Set
accessTokenAcceptedVersionproperty to2.Select Save.
Add app client secret
Create a client secret for the registered application. The application uses the client secret to prove its identity when it requests for tokens.
- From the App registrations page, select the application that you created (such as edit-profile-service) to open its Overview page.
- Under Manage, select Certificates & secrets.
- Select New client secret.
- In the Description box, enter a description for the client secret (for example, edit-profile-service client secret).
- Under Expires, select a duration for which the secret is valid (per your organizations security rules), and then select Add.
- Record the secret's Value. You'll use this value for configuration in a later step. The secret value won't be displayed again, and isn't retrievable by any means, after you navigate away from the Certificates and secrets. Make sure you record it.
Grant User.ReadWrite permission to the EditProfileService app
User.ReadWrite is a Microsoft Graph API permission that enables a user to update their profile. To grant the User.ReadWrite permission to the EditProfileService app, use the following steps:
From the App registrations page, select the application that you created (such as edit-profile-service) to open its Overview page.
Under Manage, select API permissions.
Select the Microsoft APIs tab, then under Commonly used Microsoft APIs, select Microsoft Graph.
Select Delegated permissions, then search for, and select User.ReadWrite from the list of permissions.
Select the Add permissions button.
Grant admin consent
You've assigned the User.ReadWrite permissions correctly. However, since the tenant is an external tenant, the customer users themselves can't consent to these permissions. As the administrator of the tenant, you must consent to this permission on behalf of all the users in the tenant:
Select Grant admin consent for <your tenant name>, then select Yes.
Select Refresh, then verify that Granted for <your tenant name> appears under Status for both scopes.
Grant API permissions to the client web app
In this section, you grant API permissions to the client web app that you registered earlier (from the prerequisites).
Grant your client web app the EditProfileService.ReadWrite permission. This permission is exposed by the EditProfileService app, and it protects the update profile operation with MFA. To grant the EditProfileService.ReadWrite permission to client web app, use the following steps:
From the App registrations page, select the API application that you created (such as ciam-client-app) to open its Overview page.
Under Manage, select API permissions.
Under Configured permissions, select Add a permission.
Select the APIs my organization uses tab.
In the list of APIs, select the API such as edit-profile-service.
Select Delegated permissions option.
From the permissions list, select EditProfileService.ReadWrite.
Select the Add permissions button.
From the Configured permissions list, select the EditProfileService.ReadWrite permission, then copy the permission's full URI for later use. The full permission URI looks something similar to
api://{clientId}/{EditProfileService.ReadWrite}.
Grant admin consent
You've assigned the *EditProfileService.ReadWrite permissions correctly. However, since the tenant is an external tenant, the customer users themselves can't consent to these permissions. As the administrator of the tenant, you must consent to this permission on behalf of all the users in the tenant:
Select Grant admin consent for <your tenant name>, then select Yes.
Select Refresh, then verify that Granted for <your tenant name> appears under Status for both scopes.
Create CA MFA policy
Your EditProfileService app that you registered earlier is the resource that you protect with MFA.
To create an MFA CA policy, use the steps in Add multifactor authentication to an app. Use the following settings when you create your policy:
- For the Name, use MFA policy.
- For the Target resources, select the EditProfileService app that you registered earlier, such as edit-profile-service.
Clone or download sample web app
To obtain the sample app, you can either clone it from GitHub or download it as a .zip file.
Download the .zip file or clone the sample web app from GitHub by running the following command:
git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git
Configure the sample web app
This code sample contains two apps, the client app and the service/API app. You need to update these apps to use your external tenant settings. To do so, use the following steps:
In your code editor, open
1-Authentication\7-edit-profile-with-mfa-express\App\authConfig.jsfile, then find the placeholder:graph_end_pointand replace it with the Microsoft Graph API endpoint, that'shttps://graph.microsoft.com/.Add_your_protected_scope_hereand replace it with the EditProfileService app scope. The value looks similar to api://{clientId}/EditProfileService.ReadWrite.{clientId}is the Application (client) ID value of the EditProfileService you registered earlier.
In your code editor, open
1-Authentication\7-edit-profile-with-mfa-express\Api\authConfig.jsfile, then find the placeholder:Enter_the_Tenant_Subdomain_Hereand replace it with Directory (tenant) subdomain. For example, if your tenant primary domain iscontoso.onmicrosoft.com, usecontoso. If you don't have your tenant name, learn how to read your tenant details.Enter_the_Tenant_ID_Hereand replace it with Tenant ID. If you don't have your Tenant ID, learn how to read your tenant details.Enter_the_Edit_Profile_Service_Application_Id_Hereand replace it with is the Application (client) ID value of the EditProfileService you registered earlier.Enter_the_Client_Secret_Hereand replace it with the EditProfileService app secret value you copied earlier.graph_end_pointand replace it with the Microsoft Graph API endpoint, that'shttps://graph.microsoft.com/.
Install project dependencies and run app
To test your app, install project dependencies for both the client app and the service/API app, then run them.
To run the client app, open your terminal window, then run the following commands:
cd 1-Authentication\7-edit-profile-with-mfa-express\App npm install npm startTo run the edit service/API app, change directory to the edit service/API app, 1-Authentication\7-edit-profile-with-mfa-express\Api, then run the following commands:
npm install npm startOpen your browser, then go to http://localhost:3000. If you experience SSL certificate errors, create a
.envfile, then add the following configuration:# Use this variable only in the development environment. # Remove the variable when you move the app to the production environment. NODE_TLS_REJECT_UNAUTHORIZED='0'Select the Sign In button, then you sign in.
On the sign-in page, type your Email address, select Next, type your Password, then select Sign in. If you don't have an account, select No account? Create one link, which starts the sign-up flow.
To update profile, select the Profile editing link. You see a page similar to the following screenshot:
To edit profile, select the Edit Profile button. If you haven't already done so, the app prompts you to complete an MFA challenge.
Make changes to any of the profile details, then select Save button.