Quickstart: Sign in users and call the Microsoft Graph API from a Node.js web application using MSAL Node
In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call the Microsoft Graph API.
See How the sample works for an illustration.
This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the authorization code flow.
- An Azure subscription. Create an Azure subscription for free.
- Visual Studio Code or another code editor
Register and download your quickstart application
Step 1: Register your application
Steps in this article may vary slightly based on the portal you start from.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
- Browse to Identity > Applications > App registrations and select New registration.
- Enter a Name for your application. Users of your app might see this name, and you can change it later.
- Under Supported account types, select Accounts in this organizational directory only.
- Set the Redirect URI type to Web and value to
- Select Register.
- On the app Overview page, note the Application (client) ID value for later use.
- Under Manage, select Certificates & secrets > Client secrets > New client secret. Leave the description blank, keep the default expiration, and then select Add.
- Note the value of Client secret for later use.
Step 2: Download the project
To run the project with a web server by using Node.js, download the core project files.
Step 3: Configure your Node app
Extract the project, open the ms-identity-node-main folder, and then open the .env file under the App folder. Set the values as follows:
- CLOUD_INSTANCE: The Azure cloud instance in which your application is registered
- TENANT_ID: Tenant ID or Primary domain
- CLIENT_ID: Client ID of the application you registered
- CLIENT_SECRET: Client secret of the application you registered
- GRAPH_API_ENDPOINT: The Microsoft Graph API cloud instance that your app will call
- EXPRESS_SESSION_SECRET: A random string of characters used to sign the Express session cookie
Your file should look similar to below:
CLOUD_INSTANCE=https://login.microsoftonline.com/
TENANT_ID=cbe899ec-5f5c-4efe-b7a0-599505d3d54f
CLIENT_ID=fa29b4c9-7675-4b61-8a0a-bf7b2b4fda91
CLIENT_SECRET=WxvhStRfDXoEiZQj1qCy
REDIRECT_URI=http://localhost:3000/auth/redirect
POST_LOGOUT_REDIRECT_URI=http://localhost:3000
GRAPH_API_ENDPOINT=https://graph.microsoft.com/
EXPRESS_SESSION_SECRET=6DP6v09eLiW7f1E65B8k
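A pre-flight check for this .env file, as an added example that is not part of the Microsoft sample: it flags the placeholder secrets printed above, a short session secret, and URLs that are not HTTPS outside of loopback. The function names and the 32-character minimum are assumptions of this example.

```javascript
// Added example: lint the quickstart's App/.env before running `npm start`.
// These two values are printed on the quickstart page and must never be reused.
const SAMPLE_SECRETS = new Set(['WxvhStRfDXoEiZQj1qCy', '6DP6v09eLiW7f1E65B8k']);
const REQUIRED = ['CLOUD_INSTANCE', 'TENANT_ID', 'CLIENT_ID', 'CLIENT_SECRET', 'REDIRECT_URI',
  'POST_LOGOUT_REDIRECT_URI', 'GRAPH_API_ENDPOINT', 'EXPRESS_SESSION_SECRET'];
const URL_KEYS = ['CLOUD_INSTANCE', 'GRAPH_API_ENDPOINT', 'REDIRECT_URI', 'POST_LOGOUT_REDIRECT_URI'];
const MIN_SESSION_SECRET_LEN = 32; // assumption of this example, not a rule of the sample

// Parse KEY=VALUE lines; comment and blank lines do not match and are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) env[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2'); // strip matching quotes
  }
  return env;
}

// True for https URLs, and for http only when the host is loopback (local development).
function isSafeUrl(value) {
  let u;
  try { u = new URL(value); } catch { return false; }
  const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
  return u.protocol === 'https:' || (u.protocol === 'http:' && loopback);
}

// Return a list of human-readable findings; an empty list means the file passed.
function lintEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  for (const key of REQUIRED) {
    if (!env[key]) findings.push(`${key}: missing or empty`);
  }
  for (const key of ['CLIENT_SECRET', 'EXPRESS_SESSION_SECRET']) {
    if (SAMPLE_SECRETS.has(env[key])) findings.push(`${key}: sample value from the quickstart page`);
  }
  const secret = env.EXPRESS_SESSION_SECRET || '';
  if (secret && secret.length < MIN_SESSION_SECRET_LEN) {
    findings.push('EXPRESS_SESSION_SECRET: too short; generate with crypto.randomBytes(32)');
  }
  for (const key of URL_KEYS) {
    if (env[key] && !isSafeUrl(env[key])) findings.push(`${key}: use https (http only on loopback)`);
  }
  return findings;
}

// Constructed input: a deployed-style file that still carries two common mistakes.
const constructed = 'REDIRECT_URI=http://app.example.com/auth/redirect\nCLIENT_SECRET=WxvhStRfDXoEiZQj1qCy';
console.log(lintEnv(constructed));
```

Run it against the real file contents, for example `lintEnv(require('fs').readFileSync('.env', 'utf8'))`, and refuse to start when the list is not empty.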
Step 4: Run the project
Run the project by using Node.js.
To start the server, run the following commands from within the project directory:
cd App
npm install
npm start
Select Sign in to start the sign-in process.
The first time you sign in, you're prompted to provide your consent to allow the application to sign you in and access your profile. After you're signed in successfully, you'll be redirected back to the application home page.
How the sample works
The sample hosts a web server on localhost, port 3000. When a web browser accesses this address, the app renders the home page. Once the user selects Sign in, the app redirects the browser to the Microsoft Entra sign-in screen, via the URL generated by the MSAL Node library. After the user consents, the browser redirects the user back to the application home page, along with an ID token and an access token.
The MSAL Node library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform. You can download the latest version by using the Node.js Package Manager (npm):
npm install @azure/msal-node