MSAL (Microsoft Authentication Library) Process & OAuth 2.0
OAuth 2.0 This is an industry-standard protocol for authorization. Instead of creating apps that each maintain their username and password information, apps can delegate that responsibility to a centralized identity provider.
Azure AD is the centralized identity provider in the cloud that we’ll use to implement OAuth 2.0, or more specifically "Sign in with Microsoft".
The Microsoft Authentication Library (MSAL) is a Python library we’ll use to implement the “Sign in with Microsoft” functionality in an app. This makes use of the token to allow access to secure APIS.
In the basic workflow, the authorization process with MSAL is as follows:
Initially, when the user clicks the “Sign in with Microsoft” button in the app, a function of the app will be activated, which will cause a browser pop-up. The user signing in will request an authorization code, from the /oauth/v2.0/authorize endpoint.
The OAuth2 provider, Microsoft in this case, will return an authorization code and will redirect the user based on a URL you have provided within the application’s code.
At this point, the app will then need to request an access token. To do so, the user needs the authorization code that was received before, along with information like client ID and client secret, in the case of Azure Active Directory. It’s also likely user will be requesting a certain scope, such as USER.READ, which would allow you to read the user’s profile information (but not make changes to it). This will hit the /oauth/v2.0/token endpoint.
This will then return the access token for that user.
At this point, the access token itself is then used to actually hit some secure endpoint.
The endpoint must actually validate the token your app sent it, which is outside of your hands. It then will return the requested secure data, if the token is validated.
Please refer link for details - Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs