Quickstart: Add sign-in with Microsoft to a Python web app

In this quickstart, you'll learn how to integrate a Python web application with the Microsoft identity platform. Your app will sign in a user, get an access token to call the Microsoft Graph API, and make a request to the Microsoft Graph API.

When you've completed the guide, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure Active Directory. (See How the sample works for an illustration.)


To run this sample, you will need:

Register and download your quickstart app

You have two options to start your quickstart application: express (Option 1), and manual (Option 2)

Option 1: Register and auto configure your app and then download your code sample

  1. Go to the Azure portal - App registrations.
  2. Enter a name for your application and select Register.
  3. Follow the instructions to download and automatically configure your new application.

Option 2: Register and manually configure your application and code sample

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

  2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.

  3. Navigate to the Microsoft identity platform for developers App registrations page.

  4. Select New registration.

  5. When the Register an application page appears, enter your application's registration information:

    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example python-webapp.
    • Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.
    • Select Register.
    • On the app Overview page, note the Application (client) ID value for later use.
  6. Select the Authentication from the menu, and then add the following information:

    • Add the Web platform configuration. Add http://localhost:5000/getAToken as Redirect URIs.
    • Select Save.
  7. On the left hand menu, choose Certificates & secrets and click on New client secret in the Client Secrets section:

    • Type a key description (of instance app secret).
    • Select a key duration of In 1 year.
    • When you click on Add, the key value will be displayed.
    • Copy the value of the key. You will need it later.
  8. Select the API permissions section

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Delegated permissions section, ensure that the right permissions are checked: User.ReadBasic.All. Use the search box if necessary.
    • Select the Add permissions button

Step 1: Configure your application in Azure portal

For the code sample for this quickstart to work, you need to:

  1. Add a reply URL as http://localhost:5000/getAToken.
  2. Create a Client Secret.
  3. Add Microsoft Graph API's User.ReadBasic.All delegated permission.

Already configured Your application is configured with this attribute

Step 2: Download your project

Download the project and extract the zip file to a local folder closer to the root folder - for example, C:\Azure-Samples



Step 3: Configure the Application

  1. Extract the zip file to a local folder closer to the root folder - for example, C:\Azure-Samples
  2. If you use an integrated development environment, open the sample in your favorite IDE (optional).
  3. Open the app_config.py file, which can be found in the root folder and replace with the following code snippet:
CLIENT_ID = "Enter_the_Application_Id_here"
CLIENT_SECRET = "Enter_the_Client_Secret_Here"
AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"


  • Enter_the_Application_Id_here - is the Application Id for the application you registered.
  • Enter_the_Client_Secret_Here - is the Client Secret you created in Certificates & Secrets for the application you registered.
  • Enter_the_Tenant_Name_Here - is the Directory (tenant) ID value of the application you registered.

Step 3: Run the code sample

Step 4: Run the code sample

  1. You will need to install MSAL Python library, Flask framework, Flask-Sessions for server-side session management and requests using pip as follows:

    pip install -r requirements.txt
  2. Run app.py from shell or command line:

    python app.py


    This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see these instructions.

More information

How the sample works

Shows how the sample app generated by this quickstart works

Getting MSAL

MSAL is the library used to sign in users and request tokens used to access an API protected by the Microsoft identity Platform. You can add MSAL Python to your application using Pip.

pip install msal

MSAL initialization

You can add the reference to MSAL Python by adding the following code to the top of the file where you will be using MSAL:

import msal

Next steps

Learn more about web apps that sign in users, and then that calls web APIs:

Help and support

If you need help, want to report an issue, or would like to learn about your support options, see Help and support for developers.