Skip to content Skip to sidebar Skip to footer
Home / Azure / Azure Active Directory / Azure Ad Graph Api / Oauth 2.0 / Python

Microsoft Graph Authentication

Post a Comment
I’m building an application in Python which can retrieve data from Azure AD. This data can require either Application permissions or Delegated permissions. I had a success retrie

Solution 1:

Assuming you have registered and configured (api permissions) your azure app and you have copied the apps "client id" and "client secret" you can define a class that holds your session. The following code works for my app:

import json
import requests
from requests_oauthlib import OAuth2Session
from oauthlib.oauth2 import BackendApplicationClient


classSharepointSession(object):
    """ Base Class without credentials, use real credentials in derived Classes
    or instances
    """
    api_uri = "https://graph.microsoft.com"
    api_version = "v1.0"
    scope = ["https://graph.microsoft.com/.default"]
    directory_id = ""# - tenant id
    token_url = "https://login.microsoftonline.com/{}/oauth2/v2.0/token"
    sites_url = "{}/{}/sites".format(api_uri, api_version)
    site = document_name = app_name = client_id = client_secret = ""
    site_id = None
    doc_id = Nonedef__init__(self):
        """  """defgetTokenizedSession(self):
        """
        OAuth2 to get access token
        First set up a backend client, mind to set grant_type
        build a OAuth2 Session with the client
        get access token

        Mind: python 3.x oauthlib requires scope params on more calls than py 2.x
        """
        client = BackendApplicationClient(
            client_id=self.client_id, scope=self.scope, grant_type="client_credentials")

        session = OAuth2Session(client=client, scope=self.scope)
        # fill access token
        token = session.fetch_token(token_url=self.token_url.format(self.directory_id),
                                    client_id=self.client_id,
                                    scope=self.scope,
                                    client_secret=self.client_secret)
        self.session = session
        self.token = token
        return session, token

    defgetSiteId(self):
        # get the site id
        ae = "{}/myonline.sharepoint.com:/sites/{}:".format(
            self.sites_url, self.site)
        rt = self.session.get(ae)
        response = json.loads(rt.text)
        self.site_id = response.get("id")
        return self.site_id

    defsomeOtherMethod(self):
        """         ...             """

Now you can instantiate the session class with the credentials copied from your azure app registration i.e. "directory id" (same as tenant id), "client id" and "client secret" like this:

mysp_session = SharepointSession()
mysp_session.directory_id = "XXXXXXXX-XXXX-YYYY-ZZZZ-XXXXXXXXX"
mysp_session.site = "MySitename"
mysp_session.document_name = "Testlist"
mysp_session.client_id = r"xxxxxxxxxxxxxxxxxxxxxxx"
mysp_session.client_secret = r"xxxxxxxxxxxxxxxxxxxxxxx"# connect 
session, token = mysp_session.getTokenizedSession()

# do your business logic
mysp_session.getSiteId()
....
mysp_session.someOtherMethod()

hope that helps

Solution 2:

Yes, this is possible - but keep in mind that there are two Azure AD endpoints for application registration!

Try registering an application on the AAD V2.0 endpoint (apps.dev.microsoft.com), and then use a 'password' grant_type in your request.

Here are the steps you need:

  • Register your app on the AAD v2.0 endpoint, and generate a password (take note of this)
  • Assign your required permissions (in this case, delegated)
  • As a callback URL I'd suggest using postman's Oauth2 callback URL first so you can debug what you're doing: https://www.getpostman.com/oauth2/callback
  • Important! If any of those permissions require admin consent, you MUST consent to them first to make the app available. This requires the admin user to sign in once.

Once consent has been given, here's a what your request needs to get a bearer token as a prototype:

    POST https://login.microsoftonline.com/common/oauth2/token
    Request body (application/x-www-form-urlencoded): 
    grant_type=[password]
    username=[user email address]
    password=[user password]
    resource=https://graph.microsoft.com
    client_id=[your newly registered application ID] 
    client_secret=[application password you noted during registration]

If successful, you'll get the bearer & refresh token as a response.

Successful password grant authentication response Hope this helps,

Ben

Solution 3:

You need an Azure AD application to be able to authenticate with Graph API. A native Azure AD app and the flow and considerations described here work for ADAL.net. I use it to provision Microsoft Teams unattended: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

I guess for Python you should have a look at ADAL for Python: https://github.com/introp-software/azure-activedirectory-library-for-python-old/blob/master/README.md

I think that the username/password auth is only possible with a native Azure AD app and not the web/web api types.

You may like these posts

Post a Comment for "Microsoft Graph Authentication"