Overview of the Microsoft Authentication Library (MSAL)
Article
The Microsoft Authentication Library (MSAL) enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, Microsoft APIs, third-party web APIs, or your own web API. MSAL supports different application architectures and platforms, including .NET, JavaScript, Java, Python, Android, and iOS.
MSAL is a token acquisition library that offers several ways to get tokens, with a consistent API for supported platforms. Using MSAL provides the following benefits:
No need to directly write applications against the OAuth protocol. The plumbing is handled by the library.
Can acquire tokens on behalf of a user or application (when applicable to the platform).
The library maintains a token cache and refreshes tokens for you when they're about to expire. You don't need to handle token expiration on your own.
Helps you specify which audience you want your application to sign in. The sign in audience can include personal Microsoft accounts, social identities with Microsoft Entra External ID organizations, work, school, or users in sovereign and national clouds.
Helps you set up your application from configuration files.
Helps you troubleshoot your app by exposing actionable exceptions, logging, and telemetry.
Application types and scenarios
Using MSAL, a token can be acquired for many application types: web applications, web APIs, single-page apps (JavaScript), mobile and native applications, as well as daemons and server-side applications.
MSAL can be used in several application scenarios, including the following:
Single page applications (JavaScript)
Web application signing in users
Web application signing in a user and calling a web API on behalf of the user
Web API authentication, ensuring that only authenticated users can access it
Web API calling another downstream web API on behalf of the signed-in user
Desktop application calling a web API on behalf of the signed-in user
Mobile application calling a web API on behalf of the user who's signed-in interactively
Desktop/service daemon application calling web API on behalf of itself