MSAL Authentication Challenge for Internal Microsoft Application Testing #32171
Unanswered
vrushti-mody asked this question in Questions and Help
Replies: 0 comments
We are developing Cypress E2E tests for an internal Microsoft application (Azure Aurora Fairbanks Frontend) that uses MSAL (Microsoft Authentication Library) for authentication. Our application has unique authentication requirements that make standard Cypress authentication approaches challenging: users must authenticate through Microsoft's Azure AD, belong to specific security groups managed in Microsoft's Core Identity system, and have role-based access (ReadOnly, ReadWrite, Admin) that is dynamically fetched from backend APIs after authentication. The application immediately redirects to login.microsoftonline.com upon visiting localhost:3000, preventing any test execution. Additionally, the app implements workspace-based permissions where users can have different access levels in different workspaces.

Since this is an internal Microsoft application, we cannot use typical OAuth testing approaches like creating test users with disabled MFA or using the Resource Owner Password Flow with client secrets, as these would require special permissions and security exceptions within Microsoft's corporate environment.

We need guidance on the best approach to mock MSAL authentication in Cypress tests while maintaining the ability to test different user roles and permissions without actually authenticating against Microsoft's identity services. The ideal solution would allow us to bypass the initial MSAL redirect, inject mock user sessions with appropriate tokens and claims (including security group memberships), and intercept backend API calls that validate roles, all while keeping our test environment isolated from production authentication systems.
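An added example, not part of the original post and not code from the application, MSAL or Cypress: one way to build the mock ID token claims and per-workspace role responses the question describes. The function names, the `/api/workspaces/<name>/role` route, the sample claim values and the test-only auth provider that would consume the token are assumptions; bypassing the MSAL redirect itself is not shown.

```javascript
// Added example: constructed test fixtures, not the application's or MSAL's code.
// Hypothetical names: buildMockIdToken, roleHandler, installMocks, the role route.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Unsigned JWT-shaped token (alg "none"). Any service that verifies signatures
// rejects it, so it is only usable against intercepted, mocked endpoints.
function buildMockIdToken({ oid, upn, groups }, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = {
    iss: 'https://mock-issuer.invalid/',         // constructed, not a real authority
    aud: '00000000-0000-0000-0000-000000000000', // placeholder client id
    oid, preferred_username: upn, groups,        // groups = security group ids
    iat: nowSec, exp: nowSec + 3600,
  };
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.`;
}

const ROLES = ['ReadOnly', 'ReadWrite', 'Admin']; // role names from the post

// Returns a cy.intercept route handler that answers role lookups per workspace.
// Workspaces missing from the map get 403, so denied access is testable too.
function roleHandler(workspaceRoles) {
  const roles = new Map(Object.entries(workspaceRoles));
  for (const r of roles.values()) {
    if (!ROLES.includes(r)) throw new Error(`unknown role: ${r}`);
  }
  return (req) => {
    const m = /\/api\/workspaces\/([^/?]+)\/role/.exec(req.url);
    const name = m ? decodeURIComponent(m[1]) : null;
    if (!roles.has(name)) return req.reply({ statusCode: 403, body: { error: 'forbidden' } });
    return req.reply({ statusCode: 200, body: { workspace: name, role: roles.get(name) } });
  };
}

// Wiring for a Cypress test; `cy` is a parameter so this runs without Cypress too.
function installMocks(cy, user, workspaceRoles) {
  const token = buildMockIdToken(user);
  cy.intercept('GET', '**/api/workspaces/*/role', roleHandler(workspaceRoles));
  return token; // hand to the app's test-only auth provider (assumed to exist)
}
```

Because the token carries no signature, the mock path should exist only in test builds, and the real backend should keep rejecting anything that does not validate against the production authority.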