| Field | Value |
|---|---|
| title | Quickstart: Call Microsoft Graph from a Python daemon |
| description | In this quickstart, you learn how a Python process can get an access token and call an API protected by Microsoft identity platform, using the app's own identity |
| ROBOTS | NOINDEX |
| author | OwenRichards1 |
| manager | CelesteDG |
| ms.author | owenrichards |
| ms.custom | devx-track-python, scenarios:getting-started, "languages:Python", mode-api |
| ms.date | 08/22/2022 |
| ms.service | identity-platform |
| ms.topic | concept-article |
Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity
In this quickstart, you download and run a code sample that demonstrates how a Python application can get an access token using the app's identity to call the Microsoft Graph API and display a list of users in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
To run this sample, you need:
For the code sample in this quickstart to work, create a client secret and add Graph API's User.Read.All application permission.
Download the code sample.
If you try to run the application at this point, you'll receive an HTTP 403 - Forbidden error: `Insufficient privileges to complete the operation`. This error happens because any app-only permission requires admin consent: a Global Administrator of your directory must give consent to your application. Select one of the options below depending on your role:

- If you are a Global Administrator, go to the API Permissions page and select Grant admin consent for Enter_the_Tenant_Name_Here.
- If you're a standard user of your tenant, ask a Global Administrator to grant admin consent for your application. To do this, give the following URL to your administrator:

`https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here`
You'll need to install the dependencies of this sample once:

```console
pip install -r requirements.txt
```

Then, run the application from a command prompt or console:

```console
python confidential_client_secret_sample.py parameters.json
```

You should see on the console output a JSON fragment representing a list of users in your Microsoft Entra directory.
[!IMPORTANT] This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons it is recommended that you use a certificate instead of a client secret before considering the application a production application. For more information on how to use a certificate, see the instructions in the same GitHub repository for this sample, in the second folder, 2-Call-MsGraph-WithCertificate.
MSAL Python is the library used to sign in users and request tokens for accessing an API protected by the Microsoft identity platform. As described, this quickstart requests tokens by using the application's own identity instead of delegated permissions. The authentication flow used in this case is known as the OAuth 2.0 client credentials flow. For more information on how to use MSAL Python with daemon apps, see this article.
You can install MSAL Python by running the following pip command:

```console
pip install msal
```

You can add the reference for MSAL by adding the following code:

```python
import msal
```

Then, initialize MSAL using the following code:

```python
app = msal.ConfidentialClientApplication(
    config["client_id"],
    authority=config["authority"],
    client_credential=config["secret"])
```
Where:

| Key | Description |
|---|---|
| `config["secret"]` | The client secret created for the application in the Azure portal. |
| `config["client_id"]` | The Application (client) ID for the application registered in the Azure portal. You can find this value on the app's Overview page in the Azure portal. |
| `config["authority"]` | The STS endpoint the application authenticates against. Usually `https://login.microsoftonline.com/{tenant}` for the public cloud, where `{tenant}` is the name of your tenant or your tenant ID. |

For more information, see the reference documentation for ConfidentialClientApplication.

To request a token using the app's own identity, use the AcquireTokenForClient method (`acquire_token_for_client` in MSAL Python):

```python
import logging  # needed for the logging.info call below

result = None
# Check the token cache first; a daemon has no signed-in user, so account=None
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
    logging.info("No suitable token exists in cache. Let's get a new one from Azure AD.")
    # Client credentials flow: the app's own identity, no user involved
    result = app.acquire_token_for_client(scopes=config["scope"])
```
Where:

| Key | Description |
|---|---|
| `config["scope"]` | Contains the scopes requested. For confidential clients, this should use a format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the Expose an API section in App registrations in the Azure portal. |

For more information, see the reference documentation for AcquireTokenForClient.
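As an added example (not the quickstart's sample code nor MSAL's), the client credentials exchange that `acquire_token_for_client` performs, written against the v2.0 token endpoint with the standard library so the request body, the `.default` scope requirement, the token response, and the 403 seen before admin consent are all visible. The config keys are assumed to match parameters.json (`authority`, `client_id`, `secret`, `scope` as a list), and the responses in the test are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"  # the call the sample makes

def token_request(config):
    """Client-credentials POST for the v2.0 token endpoint (keys as in parameters.json)."""
    if not all(s.endswith("/.default") for s in config["scope"]):
        # App-only tokens carry the permissions consented on the app object: that is what /.default asks for
        raise ValueError("confidential clients must request {Application ID URI}/.default")
    url = config["authority"].rstrip("/") + "/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials",  # no user: the app's own identity
            "client_id": config["client_id"],
            "client_secret": config["secret"],
            "scope": " ".join(config["scope"])}
    return url, urllib.parse.urlencode(form).encode()

def parse_token_response(raw):
    """Return the bearer token, or raise with the STS error code and description."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]

def explain_graph_status(status, raw):
    """Translate the Graph reply into the outcome the quickstart describes."""
    body = json.loads(raw) if raw else {}
    if status == 403:  # the error seen until a Global Administrator grants consent
        return f"403 {body.get('error', {}).get('code')}: app-only permission not admin-consented"
    if status == 200:
        return f"200 OK: {len(body.get('value', []))} users returned"
    return f"unexpected HTTP {status}"

def list_users(config):
    """Live run: exchange the secret for a token, then call /users with it."""
    url, body = token_request(config)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
            token = parse_token_response(r.read())
        req = urllib.request.Request(GRAPH_USERS, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as r:
            return explain_graph_status(r.status, r.read())
    except urllib.error.HTTPError as e:  # urlopen raises on 403; report it the same way
        return explain_graph_status(e.code, e.read())
```

Call `list_users(json.load(open("parameters.json")))` for a live run; the other three functions run offline and show exactly what is sent and what comes back.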
To learn more about daemon applications, see the scenario landing page.

Next step: Daemon application that calls web APIs