I am developing a Python app with the msgraph SDK.
I want to list SharePoint entries of the personal drive of the user who is logged in to the local Windows OS with the organization Active Directory user account that is synced with Entra Active Directory and its Microsoft 365 license.
The usual situation is that when the user logs in to the local system, they are already logged in to Microsoft 365, so they go with Edge to their SharePoint site and find the entries without logging in again.
My problem is that when I launch the program from the CLI as the logged-in user I get:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABC456GHI to authenticate.
I would like msgraph to connect to the Microsoft server as the logged-in user.
I would like to provide a desktop app to the user, so I want to use delegated access. I don't want to share the client_secret of my registered Entra App.
Is what I ask possible, or is it unfeasible and probably a security issue?
Below is my code to list the user's drives. It works, but it asks the user to log in:
```python
import asyncio

from azure.identity import DeviceCodeCredential
from msgraph import GraphServiceClient


class settings:
    # Public-client app registration: only tenant and client id, no client secret
    MICROSOFT_AUTH_TENANT_ID = "<your tenant id>"
    MICROSOFT_AUTH_CLIENT_ID = "<your client id>"


class MSApiDealer:
    async def get_delegated_credentials(self):
        # Device code flow: prints the https://microsoft.com/devicelogin prompt on every run
        return DeviceCodeCredential(
            tenant_id=settings.MICROSOFT_AUTH_TENANT_ID,
            client_id=settings.MICROSOFT_AUTH_CLIENT_ID)

    async def alogin(self):
        credentials = await self.get_delegated_credentials()
        scopes = ['User.Read', 'Files.Read.All', 'Sites.Read.All']
        self.graph_client = GraphServiceClient(credentials=credentials, scopes=scopes)

    async def aget_sp_info(self):
        # GET /me/drives with the delegated token
        drive_info = await self.graph_client.me.drives.get()
        for el in drive_info.value:
            print(f"{el.id=}, {el.name=}")

    async def ado_the_job(self):
        await self.alogin()
        await self.aget_sp_info()


if __name__ == "__main__":
    msapi = MSApiDealer()
    asyncio.run(msapi.ado_the_job())
```
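Added example, not part of the question above or of the msgraph SDK: it keeps the same public-client setup (tenant id and client id only, no client_secret shipped with the desktop app) but stops the device-code prompt from appearing on every run by persisting azure-identity's `AuthenticationRecord` and turning on its persistent token cache. The record file location, the `record_matches` tenant/app check and the `build_credential` helper are this example's own choices; it does not reuse the Windows login session, so the first run still prompts once.

```python
import os
from pathlib import Path

# Assumed location for the persisted AuthenticationRecord (this example's choice).
# The record holds account identifiers only; the tokens live in the OS-protected
# cache that TokenCachePersistenceOptions enables (DPAPI on Windows).
RECORD_PATH = Path.home() / ".msgraph_demo_auth_record.json"
SCOPES = ["User.Read", "Files.Read.All", "Sites.Read.All"]


def load_record_text(path=RECORD_PATH):
    """Return the serialized record if the file exists, otherwise None."""
    try:
        return Path(path).read_text(encoding="utf-8")
    except FileNotFoundError:
        return None


def save_record_text(text, path=RECORD_PATH):
    """Write the record so that only the current user can read it (0o600 on POSIX;
    on Windows the profile directory's NTFS ACL applies)."""
    fd = os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(text)


def record_matches(record_tenant_id, record_client_id, tenant_id, client_id):
    """Refuse a stored record that was issued for another tenant or app registration,
    so a stale or copied record file is never silently reused."""
    return (record_tenant_id is not None and record_client_id is not None
            and record_tenant_id == tenant_id and record_client_id == client_id)


def build_credential(tenant_id, client_id):
    """Public-client credential with a persistent cache. Prompts with the device code
    only when no usable AuthenticationRecord is stored yet."""
    from azure.identity import (AuthenticationRecord, DeviceCodeCredential,
                                TokenCachePersistenceOptions)

    cache = TokenCachePersistenceOptions(name="msgraph-demo")  # assumed cache name
    record = None
    text = load_record_text()
    if text is not None:
        candidate = AuthenticationRecord.deserialize(text)
        if record_matches(candidate.tenant_id, candidate.client_id, tenant_id, client_id):
            record = candidate

    cred = DeviceCodeCredential(
        tenant_id=tenant_id,
        client_id=client_id,
        cache_persistence_options=cache,
        authentication_record=record,
    )
    if record is None:
        # First run only: interactive device-code sign-in, then remember the account.
        record = cred.authenticate(scopes=SCOPES)
        save_record_text(record.serialize())
    return cred


if __name__ == "__main__":
    import asyncio
    from msgraph import GraphServiceClient

    async def list_drives():
        cred = build_credential("<your tenant id>", "<your client id>")
        client = GraphServiceClient(credentials=cred, scopes=SCOPES)
        drives = await client.me.drives.get()
        for drive in drives.value:
            print(f"{drive.id=}, {drive.name=}")

    asyncio.run(list_drives())
```

On later runs the credential finds the cached refresh token for the recorded account and acquires Graph tokens silently; deleting the record file or the OS cache entry forces a fresh device-code sign-in, which is the intended way to "log out" a public-client desktop app.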