Before you start here, make sure you understand how to initialize an app object.
The MSAL library has a set of configuration options that can be used to customize the behavior of your authentication flows. These options can be set either in the constructor of the PublicClientApplication object or as part of the request APIs. Here we describe the configuration object that can be passed into the PublicClientApplication constructor.
## Using the config object
The configuration object has the following structure, and can be passed into the PublicClientApplication constructor. The only required config parameter is the client ID of the application. Everything else is optional, but may be required depending on your tenant and application model.
```typescript
import { PublicClientApplication, Configuration, LogLevel } from "@azure/msal-browser";

const msalConfig: Configuration = {
    auth: {
        clientId: "enter_client_id_here",
        authority: "https://login.microsoftonline.com/common",
        knownAuthorities: [],
        cloudDiscoveryMetadata: "",
        redirectUri: "enter_redirect_uri_here",
        postLogoutRedirectUri: "enter_postlogout_uri_here",
        navigateToLoginRequestUrl: true,
        clientCapabilities: ["CP1"],
    },
    cache: {
        cacheLocation: "sessionStorage",
    },
    system: {
        loggerOptions: {
            loggerCallback: (level: LogLevel, message: string, containsPii: boolean): void => {
                // Never write messages flagged as containing PII to the console
                if (containsPii) {
                    return;
                }
                switch (level) {
                    case LogLevel.Error:
                        console.error(message);
                        return;
                    case LogLevel.Info:
                        console.info(message);
                        return;
                    case LogLevel.Verbose:
                        console.debug(message);
                        return;
                    case LogLevel.Warning:
                        console.warn(message);
                        return;
                }
            },
            piiLoggingEnabled: false,
        },
        windowHashTimeout: 60000,
        iframeHashTimeout: 6000,
        loadFrameTimeout: 0,
        protocolMode: "AAD",
    },
    telemetry: {
        application: {
            appName: "My Application",
            appVersion: "1.0.0",
        },
    },
};

const msalInstance = new PublicClientApplication(msalConfig);
```
## Configuration Options

### Auth Config Options
| Option | Description | Format | Default Value |
|---|---|---|---|
| clientId | App ID of your application. Can be found in your Azure Portal app registration pane. | UUID/GUID | None. This parameter is required in order for MSAL to perform any actions. |
| authority | URI of the tenant to authenticate and authorize with. Usually takes the form of https://{uri}/{tenantid} | String in URI format with tenant - https://{uri}/{tenantid} | https://login.microsoftonline.com/common |
| knownAuthorities | An array of URIs that are known to be valid. Used in B2C scenarios. | Array of strings in URI format | Empty array [] |
| cloudDiscoveryMetadata | A string containing the cloud discovery response. Used in Microsoft Entra scenarios. | string | Empty string "" |
| authorityMetadata | A string containing the .well-known/openid-configuration endpoint response. | string | Empty string "" |
| redirectUri | URI where the authorization code response is sent back to. Whatever location is specified here must have the MSAL library available to handle the response. | String in absolute or relative URI format | Login request page (window.location.href of page which made auth request) |
| postLogoutRedirectUri | URI that is redirected to after a logout() call is made. | String in absolute or relative URI format. Pass null to disable post logout redirect. | Login request page (window.location.href of page which made auth request) |
| navigateToLoginRequestUrl | If true, will navigate back to the original request location before processing the authorization code response. If the redirectUri is the same as the original request location, this flag should be set to false. | boolean | true |
| clientCapabilities | Array of capabilities to be added to all network requests as part of the xms_cc claims request. | Array of strings | [] |
| azureCloudOptions | A defined set of Azure cloud options for developers to default to their specific cloud authorities. | AzureCloudOptions | AzureCloudInstance.None |
| skipAuthorityMetadataCache | A flag to choose whether to use the local metadata cache during authority initialization. The metadata cache is used if no authority metadata is provided and before a network call for metadata has been made. | boolean | false |
| onRedirectNavigate | A callback that's passed the URL MSAL will navigate to in redirect flows. Returning false in the callback stops navigation. | Function - (url: string) => boolean \| void | undefined |
| instanceAware | A flag indicating whether the STS should send back additional parameters to specify where tokens should be retrieved from. | boolean | false |
| isMcp | If true, a resource parameter is required on all token requests. Used for Model Context Protocol (MCP) flows. | boolean | false |
### Cache Config Options
| Option | Description | Format | Default Value |
|---|---|---|---|
| cacheLocation | Location of token cache in browser. | String value that must be one of the following: "sessionStorage", "localStorage", "memoryStorage" | sessionStorage |
| temporaryCacheLocation | (Deprecated) Location of temporary cache in browser. This option should only be changed for specific edge cases. For more information, see caching. | String value that must be one of the following: "sessionStorage", "localStorage", "memoryStorage" | sessionStorage |
| storeAuthStateInCookie | (Deprecated) If true, stores cache items in cookies as well as browser cache. Was previously used for Internet Explorer compatibility. | boolean | false |
| secureCookies | (Deprecated) If true and storeAuthStateInCookie is also enabled, MSAL adds the Secure flag to the browser cookie so it can only be sent over HTTPS. | boolean | false |
| cacheMigrationEnabled | If true, cache entries from older versions of MSAL are updated to conform to the latest cache schema on startup. If your application hasn't been recently updated to a new version of MSAL.js, you can safely turn this off. If old cache entries aren't migrated, it may result in a cache miss when attempting to retrieve accounts or tokens, and affected users may need to reauthenticate to get up to date. | boolean | true when using localStorage, false otherwise |
| claimsBasedCachingEnabled | If true, access tokens are cached under a key containing the hash of the requested claims string, resulting in a cache miss and new network token request when the same token request is made with different or missing claims. If set to false, tokens are cached without claims, but all requests containing claims go to the network and overwrite any previously cached token with the same scopes. | boolean | false |
> **Note:** The temporaryCacheLocation option has been deprecated in recent versions of MSAL Browser and may be removed in a future major release. You shouldn't rely on this option for new implementations.

> **Note:** The storeAuthStateInCookie and secureCookies options have been deprecated in recent versions of MSAL Browser. These options were primarily used for Internet Explorer compatibility, which is no longer supported. They may be removed in a future major release.
See Caching in MSAL for more.
### System Config Options
| Option | Description | Format | Default Value |
|---|---|---|---|
| loggerOptions | Config object for logger. | See below. | See below. |
| windowHashTimeout | Timeout in milliseconds to wait for popup operations to resolve. | integer (milliseconds) | 60000 |
| iframeHashTimeout | Timeout in milliseconds to wait for iframe operations to resolve. | integer (milliseconds) | 6000 |
| loadFrameTimeout | Timeout in milliseconds to wait for iframe/popup operations to resolve. If provided, will set default values for windowHashTimeout and iframeHashTimeout. | integer (milliseconds) | undefined |
| navigateFrameWait | Delay in milliseconds to wait for the iframe to load in the window. | integer (milliseconds) | In IE or Edge: 500, in all other browsers: 0 |
| asyncPopups | (Deprecated, use navigatePopups instead.) Sets whether popups are opened asynchronously. When set to false, blank popups are opened before anything else happens. When set to true, popups are opened when making the network request. | boolean | false |
| navigatePopups | Sets whether popups are opened and navigated to later. When set to true, blank popups are opened and then navigate to the login domain. When set to false, popups are opened directly to the login domain. This can be set to false for scenarios where about:blank isn't supported, such as desktop apps or progressive web apps. | boolean | true |
| allowRedirectInIframe | By default, MSAL doesn't allow redirect operations to be initiated when the application is inside an iframe. Set this flag to true to remove this check. | boolean | false |
| cryptoOptions | Config object for crypto operations in the browser. | See Crypto Config Options | See Crypto Config Options |
| pollIntervalMilliseconds | Interval of time in milliseconds between polls of popup URL hash during authentication. | integer (milliseconds) | 30 |
| protocolMode | Enum representing the protocol mode to use. If "AAD", MSAL functions on the OIDC-compliant AAD v2 endpoints; if "OIDC", it functions on other OIDC-compliant endpoints. | string | "AAD" |
### Logger Config Options

| Option | Description | Format | Default Value |
|---|---|---|---|
| loggerCallback | Callback function which handles the logging of MSAL statements. | Function - loggerCallback: (level: LogLevel, message: string, containsPii: boolean): void | See above. |
| piiLoggingEnabled | If true, personally identifiable information (PII) is included in logs. | boolean | false |
### Crypto Config Options

| Option | Description | Format | Default Value |
|---|---|---|---|
| useMsrCrypto | Whether to use MSR Crypto if available in the browser (and other crypto interfaces aren't available). | boolean | false |
| entropy | Cryptographically strong random values used to seed MSR Crypto (e.g. crypto.randomBytes(48) from Node). 48 bits of entropy is recommended. Required if useMsrCrypto is enabled. | Uint8Array | undefined |
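As an added example (not code from the MSAL docs or the MSAL library), a pre-flight audit that walks a PublicClientApplication config object and flags the auth, cache, system and crypto options documented above whose settings weaken a production deployment. The functions auditMsalConfig and isSafeRedirect are hypothetical, and riskyConfig is a constructed sample with a placeholder client ID.

```javascript
// Added example, not part of the MSAL docs: a hypothetical pre-flight audit of a
// PublicClientApplication config object using the option names documented on this page.

// Hypothetical helper: a redirect target passes only as an absolute https URL
// (plain http is tolerated for localhost development only).
function isSafeRedirect(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ||
      (u.protocol === "http:" && u.hostname === "localhost");
  } catch (e) {
    return false; // relative or malformed: cannot be matched to the app registration
  }
}

// Returns a list of finding strings; an empty list means every check passed.
function auditMsalConfig(config) {
  const findings = [];
  const auth = config.auth || {};
  const cache = config.cache || {};
  const system = config.system || {};
  const logger = system.loggerOptions || {};
  const cryptoOpts = system.cryptoOptions || {};
  if (!auth.clientId) findings.push("auth.clientId is required");
  for (const a of [auth.authority, ...(auth.knownAuthorities || [])]) {
    if (a && !a.startsWith("https://")) findings.push(`authority is not https: ${a}`);
  }
  for (const uri of [auth.redirectUri, auth.postLogoutRedirectUri]) {
    if (uri && !isSafeRedirect(uri)) findings.push(`redirect URI is relative or not https: ${uri}`);
  }
  if (cache.cacheLocation === "localStorage")
    findings.push("cacheLocation=localStorage keeps tokens after the tab is closed");
  if (cache.storeAuthStateInCookie)
    findings.push("storeAuthStateInCookie is deprecated (Internet Explorer only)");
  if (logger.piiLoggingEnabled) findings.push("piiLoggingEnabled=true writes PII to logs");
  if (system.allowRedirectInIframe)
    findings.push("allowRedirectInIframe=true removes the iframe redirect check");
  if (cryptoOpts.useMsrCrypto && !cryptoOpts.entropy)
    findings.push("useMsrCrypto is enabled without cryptoOptions.entropy");
  return findings;
}

// Constructed sample: a development config carrying several risky settings.
const riskyConfig = {
  auth: { clientId: "00000000-0000-0000-0000-000000000000", // placeholder client ID
    authority: "https://login.microsoftonline.com/common",
    redirectUri: "/auth/callback", postLogoutRedirectUri: null },
  cache: { cacheLocation: "localStorage", storeAuthStateInCookie: true },
  system: { loggerOptions: { piiLoggingEnabled: true }, allowRedirectInIframe: true },
};
```

Running auditMsalConfig(riskyConfig) reports five findings (relative redirect URI, localStorage cache, deprecated cookie storage, PII logging and the disabled iframe check); the same object with those options set to the documented defaults reports none.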
### Telemetry Config Options

| Option | Description | Format | Default Value |
|---|---|---|---|
| application | Telemetry options for applications using MSAL.js | See below | See below |
| client | Telemetry performance client instance | IPerformanceClient | StubPerformanceClient |
#### Application Telemetry

| Option | Description | Format | Default Value |
|---|---|---|---|
| appName | Unique string name of an application | string | Empty string "" |
| appVersion | Version of the application using MSAL | string | Empty string "" |