Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: Workforce tenants
External tenants (learn more)
This tutorial is part 1 of a series that demonstrates building a Node.js command line interface (CLI) app and preparing it for authentication using the Microsoft Entra admin center. The client application you build uses the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE) for secure user authentication.
In this tutorial, you:
- Create a new Node.js application project
- Install app dependencies
- Create the MSAL configuration object
Prerequisites
- Register a new app in the Microsoft Entra admin center, configured for Accounts in this organizational directory only. Refer to Register an application for more details. Record the following values from the application Overview page for later use:
- Application (client) ID
- Directory (tenant) ID
- Add the following redirect URIs using the Mobile and desktop applications platform configuration. Refer to How to add a redirect URI in your application for more details.
- Redirect URI:
http://localhost
- Redirect URI:
- Associate your app with a user flow in the Microsoft Entra admin center. This user flow can be used across multiple applications. For more information, see Create self-service sign-up user flows for apps in external tenants and Add your application to the user flow.
- Although any integrated development environment (IDE) that supports React applications can be used, this tutorial uses Visual Studio Code.
- Node.js.
Enable public client flow
To identify your app as a public client, follow these steps:
Under Manage, select Authentication.
Under Advanced settings, for Allow public client flows, select Yes.
Select Save to save your changes.
Create a new Node.js application project
Here, you build a new Node.js CLI app from scratch. If you prefer using a completed code sample for learning, download the sample Node.js CLI application from GitHub.
To build the Node.js CLI application from scratch, follow these steps:
Create a folder to host your application and give it a name, such as ciam-sign-in-node-cli-app.
In your terminal, navigate to your project directory, such as
cd ciam-sign-in-node-cli-app
and initialize your project usingnpm init
. This creates a package.json file in your project folder, which contains references to all npm packages.In your project root directory, create two files, then name them authConfig.js and index.js. The authConfig.js file contains the authentication configuration parameters while index.js holds the app's authentication logic.
After you create the files, you should achieve the following project structure:
ciam-sign-in-node-cli-app/
├── authConfig.js
└── index.js
└── package.json
Install app dependencies
The application you build uses MSAL Node to sign in users. To install the MSAL Node package as a dependency in your project, open the terminal in your project directory and run the following command.
npm install @azure/msal-node
You'll also install the open
package that allows your Node.js app to open URLs in the web browser.
npm install open
Create the MSAL configuration object
In your code editor, open authConfig.js, which holds the MSAL object configuration parameters, and add the following code:
const { LogLevel } = require('@azure/msal-node');
const msalConfig = {
auth: {
clientId: 'Enter_the_Application_Id_Here',
authority: `https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/`,
},
system: {
loggerOptions: {
loggerCallback(loglevel, message, containsPii) {
// console.log(message);
},
piiLoggingEnabled: false,
logLevel: LogLevel.Verbose,
},
},
};
The msalConfig
object contains a set of configuration options that can be used to customize the behavior of your authentication flows. This configuration object is passed into the instance of our public client application upon creation. In your authConfig.js file, find the placeholders:
Enter_the_Application_Id_Here
and replace it with the Application (client) ID of the app you registered earlier.Enter_the_Tenant_Subdomain_Here
and replace it with the Directory (tenant) subdomain. For instance, if your tenant primary domain iscontoso.onmicrosoft.com
, usecontoso
. If you don't have your tenant domain name, learn how to read your tenant details.
In the configuration object, you also add LoggerOptions
, which contains two options:
loggerCallback
- A callback function that handles the logging of MSAL statementspiiLoggingEnabled
- A config option that when set to true, enables logging of personally identifiable information (PII). For our app, we set this option to false.
After creating the msalConfig
object, add a loginRequest
object that contains the scopes our application requires. Scopes define the level of access that the application has to user resources. Although the scopes array in the example snippet has no values, MSAL by default adds the OIDC scopes (openid, profile, email) to any login request. Users are asked to consent to these scopes during sign in. To create the loginRequest
object, add the following code in authConfig.js.
const loginRequest = {
scopes: [],
};
In authcConfig.js, export the msalConfig
and loginRequest
objects to make them accessible when required by adding the following code:
module.exports = {
msalConfig: msalConfig,
loginRequest: loginRequest,
};
Use a custom domain to fully brand the authentication URL. From a user perspective, users remain on your domain during the authentication process, rather than being redirected to ciamlogin.com domain name.
Use the following steps to use a custom domain:
Use the steps in Enable custom URL domains for apps in external tenants to enable custom URL domain for your external tenant.
In your authConfig.js file, locate then
auth
object, then:- Update the value of the
authority
property to https://Enter_the_Custom_Domain_Here/Enter_the_Tenant_ID_Here. ReplaceEnter_the_Custom_Domain_Here
with your custom URL domain andEnter_the_Tenant_ID_Here
with your tenant ID. If you don't have your tenant ID, learn how to read your tenant details. - Add
knownAuthorities
property with a value [Enter_the_Custom_Domain_Here].
- Update the value of the
After you make the changes to your authConfig.js file, if your custom URL domain is login.contoso.com, and your tenant ID is aaaabbbb-0000-cccc-1111-dddd2222eeee, then your file should look similar to the following snippet:
//...
const msalConfig = {
auth: {
authority: process.env.AUTHORITY || 'https://login.contoso.com/aaaabbbb-0000-cccc-1111-dddd2222eeee',
knownAuthorities: ["login.contoso.com"],
//Other properties
},
//...
};
Next step
Learn how to add sign-in support to a Node.js CLI application: