Security News
Node.js Moves to Annual Major Releases Starting with Node 27
The project is retiring its odd/even release model in favor of a simpler annual cadence where every major version becomes LTS.
By Sarah Gooding - Mar 11, 2026
You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP →
@azure/msal-browser
Advanced tools
Microsoft Authentication Library for JavaScript (MSAL.js) for Browser-Based Single-Page Applications
| Getting Started | AAD Docs | Library Reference |
|---|
- About
- FAQ
- Changelog
- Roadmap
- Prerequisites
- Installation
- Usage
- Samples
- Build and Test
- Authorization Code vs Implicit
- Framework Wrappers
- Security Reporting
- License
- Code of Conduct
About
The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using Microsoft Entra ID work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.
The @azure/msal-browser package described by the code in this folder uses the @azure/msal-common package as a dependency to enable authentication in JavaScript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section below.
The @azure/msal-browser package does NOT support the implicit flow.
FAQ
See here.
Prerequisites
-
@azure/msal-browseris meant to be used in Single-Page Application scenarios. -
Before using
@azure/msal-browseryou will need to register a Single Page Application in Azure AD to get a validclientIdfor configuration, and to register the routes that your app will accept redirect traffic on.
Installation
CDN Deprecation
:warning: The
@azure/msal-browserCDN has been fully deprecated as of@azure/msal-browser@3.0.0and is no longer supported. App developers using the MSAL CDN must upgrade to the latest possible version and consume MSAL through a package manager or bundling tool of their choice. For more information on version support, consult the table in the project README.md.
Via NPM
npm install @azure/msal-browser
Via Yarn
yarn add @azure/msal-browser
Usage
Migrating from Previous MSAL Versions
Select the guide that matches your current MSAL version:
- Migrating from MSAL v4.x to MSAL v5.x
- Migrating from MSAL v3.x to MSAL v4.x
- Migrating from MSAL v2.x to MSAL v3.x
- Migrating from MSAL v1.x to MSAL v2.x
MSAL Basics
- Initialization
- Logging in a User
- Acquiring and Using an Access Token
- Managing Token Lifetimes
- Managing Accounts
- Logging Out a User
Advanced Topics
Samples
The msal-browser-samples folder contains sample applications for our libraries.
More advanced samples backed with a tutorial can be found in the Azure Samples space on GitHub:
- JavaScript SPA calling Express.js web API
- JavaScript SPA calling Microsoft Graph via Express.js web API using on-behalf-of flow
- Deployment tutorial for Azure App Service and Azure Storage
We also provide samples for addin/plugin scenarios:
Build and Test
See the contributing.md file for more information.
Building the package
To build the @azure/msal-browser library, you can do the following:
// Change to the msal-browser package directory
cd lib/msal-browser/
// To run build only for browser package
npm run build
To build both the @azure/msal-browser library and @azure/msal-common libraries, you can do the following:
// Change to the msal-browser package directory
cd lib/msal-browser/
// To run build for both browser and common packages
npm run build:all
Running Tests
@azure/msal-browser uses jest to run unit tests.
// To run tests
npm test
// To run tests with code coverage
npm run test:coverage
Authorization Code Flow with Proof Key for Code Exchange (PKCE)
@azure/msal-browser implements the OAuth 2.0 Authorization Code Flow with PKCE for browser-based applications.
The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the current industry standard for securing OAuth 2.0 authorization in public clients, including single-page applications (SPAs). Key benefits include:
- Enhanced Security: PKCE provides protection against authorization code interception attacks
- No Tokens in URLs: Tokens are never exposed in the browser's URL or history
- Refresh Token Support: Enables long-lived sessions through refresh tokens
- OIDC Compliance: Fully compliant with OpenID Connect standards
Framework Wrappers
If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:
- Angular: @azure/msal-angular
- React: @azure/msal-react
Security Reporting
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
License
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
We Value and Adhere to the Microsoft Open Source Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Other packages similar to @azure/msal-browser
oidc-client
The oidc-client package is a low-level JavaScript library for implementing OpenID Connect (OIDC) clients in the browser. It provides more granular control over the authentication process compared to @azure/msal-browser but requires more setup and understanding of the OIDC protocol.
react-adal
The react-adal package is a React library that provides Azure Active Directory Authentication in ReactJS applications. It is specifically tailored for React applications and uses the ADAL.js library under the hood. It is less modern and feature-rich compared to @azure/msal-browser, which uses the newer MSAL.js library.
angular-auth-oidc-client
The angular-auth-oidc-client package is an Angular library for implementing OpenID Connect and OAuth2 in Angular applications. It is designed specifically for Angular and provides a similar feature set to @azure/msal-browser but is tailored to the Angular framework.
FAQs
Microsoft Authentication Library for js
The npm package @azure/msal-browser receives a total of 7,825,193 weekly downloads. As such, @azure/msal-browser popularity was classified as popular.
We found that @azure/msal-browser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 11 Feb 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files
Published late February to early March 2026, these crates impersonate timeapi.io and POST .env secrets to a threat actor-controlled lookalike domain.
By Kirill Boychenko - Mar 10, 2026
Security News
OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking
A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
By Sarah Gooding - Mar 10, 2026