
Accessing /me in MS Graph API via msgraph-sdk-python-core

I'm trying to hit the /me endpoint in MS Graph API via the msgraph-sdk-python-core library. The request works via the Graph Explorer, but now I'd like to use code. I'm just trying to replicate the exact same request they show in that README.md:

from azure.identity import InteractiveBrowserCredential
from msgraph.core import GraphClient

browser_credential = InteractiveBrowserCredential(client_id='YOUR_CLIENT_ID')
client = GraphClient(credential=browser_credential)
result = client.get('/me')

However, instead of using the InteractiveBrowserCredential, I need to use something that is not interactive. The azure-identity library contains, for example, the UsernamePasswordCredential, OnBehalfOfCredential, etc. but I'm not sure which I should use.

I've tried a couple of different things, which have resulted in different errors. The underlying issue may ultimately be that the app has not been configured properly in Azure by IT. Perhaps they need to activate the app as a "public client" or similar. However, before I ask IT to continue messing around in Azure, I would like to confirm what my code should look like.

If you have MFA enabled in your Azure AD tenant, then you can't use UsernamePasswordCredential or OnBehalfOfCredential; you will have to use ClientSecretCredential for a non-interactive method. However, you can't call the /me endpoint, as you will be authenticating with the Azure AD app that you have configured to call the Graph APIs. You will also need to provide the required permissions in the API permissions blade of your app registration, the same way you provide them in Graph Explorer.

If you don't have MFA enabled, then you can use the two non-interactive methods.


[image]

ClientSecretCredential:

I am testing to get the details of all the users, so I have provided Directory.ReadWrite.All to the above app and used the below code:

from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient


credential = ClientSecretCredential(tenant_id='e186e64a-xxxx-xxxx-xxxx-xxxx',client_secret='L~I7Qxxxxxxxxxxxxxxx',client_id='1be5d8ab-xxxx-xxxx-xxxx-xxxx')
client = GraphClient(credential=credential)
result = client.get('/users')
print(result.json())

Output:

[image]

Note: In this method /me can't be called; you will get the below error:

[image]


As UsernamePasswordCredential is not recommended by Azure, you will have to use OnBehalfOfCredential. To set up the environment for the OBO flow in Python, you can refer to this Azure Sample.

OR

You can directly use REST to call the Graph APIs from Python, like below:

import requests
import json
tenant_id='e186e64a-xxxxxxxxxxxxxxxxx'
client_secret='L~I7Q~xxxxxxxxxxxxxxxxxxxxxx'
client_id='1be5d8ab-1960-4508-93e4-b138b3295593'
username='admin@xxxxxxxxxxx.onmicrosoft.com'
password='xxxxxxxxxxx'
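# Build the v1 token endpoint URL from the tenant ID (the original left a literal <tenant_id> in the string)
token_url = 'https://login.microsoftonline.com/{}/oauth2/token'.format(tenant_id)
token_data = {
 # Resource owner password credentials (ROPC) grant: the user's password is sent to the token endpoint
 'grant_type': 'password',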
 'client_id': client_id,
 'client_secret': client_secret,
 'resource': 'https://graph.microsoft.com',
 'scope':'https://graph.microsoft.com',
 'username':username, #Account with no 2MFA
 'password':password,
}
token_r = requests.post(token_url, data=token_data)
token = token_r.json().get('access_token')
# Use the token using microsoft graph endpoints
users_url = 'https://graph.microsoft.com/v1.0/me'
headers = {
 'Authorization': 'Bearer {}'.format(token)
}
user_response_data = json.loads(requests.get(users_url, headers=headers).text)
print(user_response_data) 

Output:

[image]
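Added example, not part of the original question or answer: a debugging aid that decodes an access token's claims (without verifying the signature) to tell whether it is app-only (a `roles` claim, as ClientSecretCredential produces) or delegated (an `scp` claim, as a user sign-in produces), which is what decides whether /me can work. The helper names and the two sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_context(token):
    """Classify a token as 'delegated' (user context) or 'app-only'."""
    claims = jwt_claims(token)
    if claims.get("scp"):      # delegated permissions, space-separated string
        return "delegated"
    if claims.get("roles"):    # application permissions, list of strings
        return "app-only"
    return "unknown"


def can_call_me(token):
    """/me resolves to the signed-in user, so it needs a delegated token."""
    return token_context(token) == "delegated"


def _constructed_token(claims):
    """Build an unsigned sample token; constructed data, not a real Graph token."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), "sig"])


# Constructed samples mirroring the two cases discussed in the answer.
APP_ONLY = _constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Directory.ReadWrite.All"]})
DELEGATED = _constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read",
     "upn": "user@example.com"})

if __name__ == "__main__":
    for name, tok in (("client secret", APP_ONLY), ("user sign-in", DELEGATED)):
        print(name, "->", token_context(tok), "| /me usable:", can_call_me(tok))
```

With an app-only token, address the user explicitly (for example /users/{id}) instead of /me.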
