Quickstart: Acquire a token and call Microsoft Graph from a Node.js console app
In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a list of users in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the client credentials grant.
Prerequisites
- Node.js
- Visual Studio Code or another code editor
Register and download the sample application
Follow the steps below to get started.
Step 1: Register the application
Tip
Steps in this article might vary slightly based on the portal you start from.
To register your application and add the app's registration information to your solution manually, follow these steps:
- Sign in to the Microsoft Entra admin center as at least an Application Administrator.
- Browse to Identity > Applications > App registrations.
- Select New registration.
- Enter a Name for your application, for example
msal-node-cli
. Users of your app might see this name, and you can change it later. - Select Register.
- Under Manage, select Certificates & secrets.
- Under Client secrets, select New client secret, enter a name, and then select Add. Record the secret value in a safe location for use in a later step.
- Under Manage, select API Permissions > Add a permission. Select Microsoft Graph.
- Select Application permissions.
- Under User node, select User.Read.All, then select Add permissions.
Step 2: Download the Node.js sample project
Step 3: Configure the Node.js sample project
Extract the zip file to a local folder close to the root of the disk, for example, C:/Azure-Samples.
Edit .env and replace the values of the fields
TENANT_ID
,CLIENT_ID
, andCLIENT_SECRET
with the following snippet:"TENANT_ID": "Enter_the_Tenant_Id_Here", "CLIENT_ID": "Enter_the_Application_Id_Here", "CLIENT_SECRET": "Enter_the_Client_Secret_Here"
Where:
Enter_the_Application_Id_Here
- is the Application (client) ID of the application you registered earlier. Find this ID on the app registration's Overview.Enter_the_Tenant_Id_Here
- replace this value with the Tenant ID or Tenant name (for example, contoso.microsoft.com). Find these values on the app registration's Overview.Enter_the_Client_Secret_Here
- replace this value with the client secret you created earlier. To generate a new key, use Certificates & secrets in the app registration settings.
Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using certificate credentials instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
Edit .env and replace the Microsoft Entra ID and Microsoft Graph endpoints with the following values:
- For the Microsoft Entra endpoint, replace
Enter_the_Cloud_Instance_Id_Here
withhttps://login.microsoftonline.com
. - For the Microsoft Graph endpoint, replace
Enter_the_Graph_Endpoint_Here
withhttps://graph.microsoft.com/
.
- For the Microsoft Entra endpoint, replace
Step 4: Admin consent
If you try to run the application at this point, you'll receive HTTP 403 - Forbidden error: Insufficient privileges to complete the operation
. This error happens because any app-only permission requires admin consent: Someone assigned at least the Application Administrator role must give consent to your application. Select one of the options below depending on your role:
Administrators
If you're assigned at least the Application Administrator role, go to API Permissions page in the Azure portal's Application Registration and select Grant admin consent for {Tenant Name} (where {Tenant Name} is the name of your directory).
Standard users
If you're a standard user of your tenant, then you need to ask a Cloud Application Administrator to grant admin consent for your application. To do this, give the following URL to your administrator:
https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here
Where:
Enter_the_Tenant_Id_Here
- replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)Enter_the_Application_Id_Here
- is the Application (client) ID for the application you registered.
Step 5: Run the application
Locate the sample's root folder (where package.json
resides) in a command prompt or console. You'll need to install the dependencies your sample app requires before running it for the first time:
npm install
Then, run the application via command prompt or console:
node . --op getUsers
You should see on the console output some JSON fragment representing a list of users in your Microsoft Entra directory.
About the code
Below, some of the important aspects of the sample application are discussed.
MSAL Node
MSAL Node is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by application permissions (using the application's own identity) instead of delegated permissions. The authentication flow used in this case is known as OAuth 2.0 client credentials flow. For more information on how to use MSAL Node with daemon apps, see Scenario: Daemon application.
You can install MSAL Node by running the following npm command.
npm install @azure/msal-node --save
MSAL initialization
You can add the reference for MSAL by adding the following code:
const msal = require('@azure/msal-node');
Then, initialize MSAL using the following code:
const msalConfig = {
auth: {
clientId: "Enter_the_Application_Id_Here",
authority: "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
clientSecret: "Enter_the_Client_Secret_Here",
}
};
const cca = new msal.ConfidentialClientApplication(msalConfig);
Where: | Description |
---|---|
clientId |
Is the Application (client) ID for the application registered in the Azure portal. You can find this value in the app's Overview page in the Azure portal. |
authority |
The STS endpoint for user to authenticate. Usually https://login.microsoftonline.com/{tenant} for public cloud, where {tenant} is the name of your tenant or your tenant ID. |
clientSecret |
Is the client secret created for the application in Azure portal. |
For more information, please see the reference documentation for ConfidentialClientApplication
Requesting tokens
To request a token using app's identity, use acquireTokenByClientCredential
method:
const tokenRequest = {
scopes: [ 'https://graph.microsoft.com/.default' ],
};
const tokenResponse = await cca.acquireTokenByClientCredential(tokenRequest);
Where: | Description |
---|---|
tokenRequest |
Contains the scopes requested. For confidential clients, this should use the format similar to {Application ID URI}/.default to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com ). For custom web APIs, {Application ID URI} is defined under Expose an API section in Azure portal's Application Registration. |
tokenResponse |
The response contains an access token for the scopes requested. |
Help and support
If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.
Next steps
To learn more about daemon/console app development with MSAL Node, see the tutorial: