Implementing Microsoft SSO with passport-azure-ad and without msal

I want to implement SSO sign-up/sign-in for Microsoft Azure AD B2C in NodeJS; however, I want to create the user using the Graph API. I'm using the passport-azure-ad strategy. The process has to be custom because, based on the user's info, a QR code is to be generated. So I just need the user object and the token.

I have a passport strategy like this:

    import passport from 'passport';
    import { OIDCStrategy } from 'passport-azure-ad';

    // Strategy options; the TENANT_* values come from the surrounding class
    const ssoOptions = {
      identityMetadata: `${this.TENANT_ID}/${this.VERSION}/.well-known/openid-configuration`,
      clientID: this.TENANT_ID,
      clientSecret: this.TENANT_SECRET,
      redirectUrl: this.TENANT_REDIRECT_URL,
      validateIssuer: true,
      isB2C: true,
      loggingLevel: 'warn',
      responseMode: 'form_post',
      responseType: 'code id_token',
      passReqToCallback: true,
      scope: ['openid', 'profile', 'email']
    };

    passport.use('oidc-strategy', new OIDCStrategy(ssoOptions, (req: any, iss: any, profile: any, accessToken: any, refreshToken: any, done: any) => {
      try {
        // Keep only the claims the app needs from the id_token profile
        const userProfile = {
          oid: profile.oid,
          displayName: profile.displayName,
          email: profile._json.preferred_username,
        };
        return done(null, userProfile);
      } catch (error) {
        console.error('ERROR', error);
        return done(error);
      }
    }));
And I have this route in my route.ts, but it gives me 401: Unauthorized:

    api.get('/ssoSignUp/authenticate', passport.authenticate('oidc-strategy', { session: false }), (req, res) => {
      // handler body was not included in the post; returning the user object is assumed here
      res.json(req.user);
    });

And in my Azure AD B2C App Manifest, I have this:

    "signInAudience": "AzureADandPersonalMicrosoftAccount",

1. When testing the OAuth2 process in Postman, I see the Microsoft SSO screen, and when I enter my creds it says:

    AADSTS50020: User account '' from identity provider '' does not exist in tenant 'AppName' and cannot access the application '123123'(AppName) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

2. I also want to see both SignIn and SignUp in the SSO screen; right now I only see SignIn and get the above error.

My Postman options look like this:

    Auth URL:
    Access Token URL:
    Callback URL:
    ClientID: someID
    ClientSecret: someSecret
    scope: openid profile email

After some tinkering, I can now get the access_token from Postman. My Auth URL is now this:

But I don't know what to do next with this. Basically, I want to create the user using the Graph API if it does not exist, and update the Azure id etc. if it exists.

For my React app (just to test), these are my msalConfigs:

    export const msalConfig = {
        auth: {
            clientId: '<clientID>',
            authority: `https://<tenantName><tenantName><policyName>/v2.0/`,
            redirectUri: 'http://localhost:3000',
            knownAuthorities: ['<tenantName>'],
        },
    };

    export const loginRequest = {
        scopes: ['openid', 'profile', 'User.Read'],
    };

  • The error you are facing is because you are passing an invalid Auth URL and Access Token URL.

    To resolve the error, you need to pass a valid Auth URL and Access Token URL like below:

    Auth URL :<policy-name>/oauth2/v2.0/authorize

    Access Token URL :<policy-name>/oauth2/v2.0/token

    Created an Azure AD B2C application:

    Generate the token:

    Auth URL :
    Token URL:
    Callback URL: Redirect URL
    Client ID: xxx
    Client Secret: xxx
    Scope: openid profile email

    Note that only the ID token will be generated; to generate an access token in Azure AD B2C you need to pass a scope that is meant for the application.

    Refer to this SO thread: Scope User.Read.All not works for azure b2c for more detail on calling the Microsoft Graph API.
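The following is an added example, not code from the question or the answer above. It ties the two together: the B2C endpoint shape the answer gives (tenant-name.b2clogin.com with the policy name in the path), a Postman-style authorize URL where the scope list decides whether an access token comes back at all, and the "create the user with Graph if it does not exist, update it otherwise" step the question asks about. Assumed, and not in the original: tenant name `contoso`, policy `B2C_1_signupsignin`, and a separate app registration holding the Graph application permission `User.ReadWrite.All` used with the client-credentials grant (B2C user-flow tokens are not accepted by Graph, which is the point of the linked thread). `fetch` is injected so the module can be exercised offline against a fake.

```typescript
// Added example (not from the original post). Assumed: tenant "contoso",
// policy "B2C_1_signupsignin", and an app registration with the Graph
// application permission User.ReadWrite.All for the client-credentials call.

type FetchInit = { method?: string; headers?: Record<string, string>; body?: string };
type FetchResponse = { ok: boolean; status: number; json(): Promise<any> };
export type FetchLike = (url: string, init?: FetchInit) => Promise<FetchResponse>;

const GRAPH = "https://graph.microsoft.com/v1.0";

// B2C endpoints live under <tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/...;
// an Auth URL pointing anywhere else is the "invalid Auth URL" the answer refers to.
export function b2cEndpoints(tenant: string, policy: string) {
  const base = `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}`;
  return {
    metadata: `${base}/v2.0/.well-known/openid-configuration`,
    authorize: `${base}/oauth2/v2.0/authorize`,
    token: `${base}/oauth2/v2.0/token`,
  };
}

function form(params: Record<string, string>): string {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join("&");
}

// openid/profile/email alone yield only an id_token (the answer's note); add a scope
// exposed by your own API registration to receive an access token as well.
export function authorizeUrl(tenant: string, policy: string, clientId: string,
  redirectUri: string, scopes: string[], state: string, nonce: string): string {
  return `${b2cEndpoints(tenant, policy).authorize}?${form({
    client_id: clientId, response_type: "code id_token", response_mode: "form_post",
    redirect_uri: redirectUri, scope: scopes.join(" "), state, nonce,
  })}`;
}

// App-only Graph token via client credentials: this is the backend's own token,
// obtained from the tenant's regular token endpoint, not the user's B2C token.
export async function graphAppToken(tenant: string, clientId: string,
  clientSecret: string, fetchImpl: FetchLike): Promise<string> {
  const res = await fetchImpl(
    `https://login.microsoftonline.com/${tenant}.onmicrosoft.com/oauth2/v2.0/token`,
    {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: form({ grant_type: "client_credentials", client_id: clientId,
        client_secret: clientSecret, scope: "https://graph.microsoft.com/.default" }),
    });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return (await res.json()).access_token;
}

// OData string literal: doubling single quotes stops a crafted e-mail address from
// rewriting the $filter (the Graph equivalent of SQL injection).
export function odataString(s: string): string {
  return `'${s.replace(/'/g, "''")}'`;
}

// Look the user up by sign-in e-mail; PATCH if present, POST a local account if not.
export async function upsertB2CUser(tenant: string, token: string, email: string,
  displayName: string, initialPassword: string, fetchImpl: FetchLike
): Promise<{ id: string; created: boolean }> {
  const issuer = `${tenant}.onmicrosoft.com`;
  const headers = { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
  const filter = `identities/any(c:c/issuer eq ${odataString(issuer)} and ` +
    `c/issuerAssignedId eq ${odataString(email)})`;
  const lookup = await fetchImpl(
    `${GRAPH}/users?$filter=${encodeURIComponent(filter)}&$select=id`, { headers });
  if (!lookup.ok) throw new Error(`user lookup returned ${lookup.status}`);
  const found = (await lookup.json()).value;
  if (found && found.length > 0) {
    const patch = await fetchImpl(`${GRAPH}/users/${found[0].id}`,
      { method: "PATCH", headers, body: JSON.stringify({ displayName }) });
    if (!patch.ok) throw new Error(`user update returned ${patch.status}`);
    return { id: found[0].id, created: false };
  }
  const create = await fetchImpl(`${GRAPH}/users`, {
    method: "POST", headers, body: JSON.stringify({
      accountEnabled: true,
      displayName,
      identities: [{ signInType: "emailAddress", issuer, issuerAssignedId: email }],
      passwordProfile: { password: initialPassword, forceChangePasswordNextSignIn: false },
      passwordPolicies: "DisablePasswordExpiration",
    }),
  });
  if (!create.ok) throw new Error(`user create returned ${create.status}`);
  return { id: (await create.json()).id, created: true };
}
```

In the route handler, `req.user.email` (the `preferred_username` claim from the strategy) is what you would pass as `email`; the client secret for the Graph app registration must stay server-side, and the `state`/`nonce` values should be random per request and checked on the callback.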