Quickstart: Sign in users and call the Microsoft Graph API from a Node.js web application using MSAL Node

In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call the Microsoft Graph API.

See How the sample works for an illustration.

This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the authorization code flow.

Prerequisites

Register and download your quickstart application

Step 1: Register your application

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
  3. Browse to Identity > Applications > App registrations and select New registration.
  4. Enter a Name for your application. Users of your app might see this name, and you can change it later.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Set the Redirect URI type to Web and value to http://localhost:3000/auth/redirect.
  7. Select Register.
  8. On the app Overview page, note the Application (client) ID value for later use.
  9. Under Manage, select Certificates & secrets > Client secrets > New client secret. Leave the description blank and default expiration, and then select Add.
  10. Note the value of Client secret for later use.

Step 2: Download the project

To run the project with a web server by using Node.js, download the core project files.

Step 3: Configure your Node app

Extract the project, open the ms-identity-node-main folder, and then open the .env file under the App folder. Replace the values above as follows:

Variable Description Example(s)
Enter_the_Cloud_Instance_Id_Here The Azure cloud instance in which your application is registered https://login.partner.microsoftonline.cn/ (include the trailing forward-slash)
Enter_the_Tenant_Info_here Tenant ID or Primary domain contoso.microsoft.com or aaaabbbb-0000-cccc-1111-dddd2222eeee
Enter_the_Application_Id_Here Client ID of the application you registered 00001111-aaaa-2222-bbbb-3333cccc4444
Enter_the_Client_Secret_Here Client secret of the application you registered A1b-C2d_E3f.H4i,J5k?L6m!N7o-P8q_R9s.T0u
Enter_the_Graph_Endpoint_Here The Microsoft Graph API cloud instance that your app will call https://microsoftgraph.chinacloudapi.cn/ (include the trailing forward-slash)
Enter_the_Express_Session_Secret_Here A random string of characters used to sign the Express session cookie A1b-C2d_E3f.H4...

Your file should look similar to below:

CLOUD_INSTANCE=https://login.partner.microsoftonline.cn/
TENANT_ID=aaaabbbb-0000-cccc-1111-dddd2222eeee
CLIENT_ID=00001111-aaaa-2222-bbbb-3333cccc4444
CLIENT_SECRET=A1b-C2d_E3f.H4...

REDIRECT_URI=http://localhost:3000/auth/redirect
POST_LOGOUT_REDIRECT_URI=http://localhost:3000

GRAPH_API_ENDPOINT=https://microsoftgraph.chinacloudapi.cn/

EXPRESS_SESSION_SECRET=6DP6v09eLiW7f1E65B8k

Step 4: Run the project

Run the project by using Node.js.

  1. To start the server, run the following commands from within the project directory:

    cd App
    npm install
    npm start
    
  2. Go to http://localhost:3000/.

  3. Select Sign in to start the sign-in process.

    The first time you sign in, you're prompted to provide your consent to allow the application to sign you in and access your profile. After you're signed in successfully, you'll be redirected back to the application home page.

More information

How the sample works

The sample hosts a web server on localhost, port 3000. When a web browser accesses this address, the app renders the home page. Once the user selects Sign in, the app redirects the browser to Microsoft Entra sign-in screen, via the URL generated by the MSAL Node library. After user consents, the browser redirects the user back to the application home page, along with an ID and access token.

MSAL Node

The MSAL Node library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform. You can download the latest version by using the Node.js Package Manager (npm):

npm install @azure/msal-node

Next steps

Learn more by building an ASP.NET Core web app that signs in users in the following multi-part tutorial series: