Quickstart: Sign in users and call the Microsoft Graph API from a Node.js web application using MSAL Node

In this quickstart, you download and run a code sample that demonstrates how a Node.js web app can sign in users by using the authorization code flow. The code sample also demonstrates how to get an access token to call the Microsoft Graph API.

See How the sample works for an illustration.

This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the authorization code flow.

Prerequisites

• An Azure subscription. Create an Azure subscription.
• Node.js
• Visual Studio Code or another code editor

Register and download your quickstart application

Step 1: Register your application

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
3. Browse to Identity > Applications > App registrations and select New registration.
4. Enter a Name for your application. Users of your app might see this name, and you can change it later.
5. Under Supported account types, select Accounts in this organizational directory only.
6. Set the Redirect URI type to Web and value to http://localhost:3000/auth/redirect.
7. Select Register.
8. On the app Overview page, note the Application (client) ID value for later use.
9. Under Manage, select Certificates & secrets > Client secrets > New client secret. Leave the description blank and default expiration, and then select Add.
10. Note the value of Client secret for later use.

Step 2: Download the project

To run the project with a web server by using Node.js, download the core project files.

Step 3: Configure your Node app

Extract the project, open the ms-identity-node-main folder, and then open the .env file under the App folder. Replace the values above as follows:

Your file should look similar to below:

CLOUD_INSTANCE=https://login.partner.microsoftonline.cn/
TENANT_ID=aaaabbbb-0000-cccc-1111-dddd2222eeee
CLIENT_ID=00001111-aaaa-2222-bbbb-3333cccc4444
CLIENT_SECRET=A1b-C2d_E3f.H4...

REDIRECT_URI=http://localhost:3000/auth/redirect
POST_LOGOUT_REDIRECT_URI=http://localhost:3000

GRAPH_API_ENDPOINT=https://microsoftgraph.chinacloudapi.cn/

EXPRESS_SESSION_SECRET=6DP6v09eLiW7f1E65B8k

Step 4: Run the project

Run the project by using Node.js.

1. To start the server, run the following commands from within the project directory:

   cd App
   npm install
   npm start
   

2. Go to http://localhost:3000/.

3. Select Sign in to start the sign-in process.

   The first time you sign in, you're prompted to provide your consent to allow the application to sign you in and access your profile. After you're signed in successfully, you'll be redirected back to the application home page.

More information

How the sample works

The sample hosts a web server on localhost, port 3000. When a web browser accesses this address, the app renders the home page. Once the user selects Sign in, the app redirects the browser to Microsoft Entra sign-in screen, via the URL generated by the MSAL Node library. After user consents, the browser redirects the user back to the application home page, along with an ID and access token.

MSAL Node

The MSAL Node library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform. You can download the latest version by using the Node.js Package Manager (npm):

npm install @azure/msal-node

Next steps

Learn more by building an ASP.NET Core web app that signs in users in the following multi-part tutorial series: