Recently I’ve posted about accessing Microsoft Graph using the Microsoft Authentication Libraries (MSAL) with Python, and about using MSAL with Python and Delegated Permissions. This is the final post in the series, where I give an example and script for accessing Microsoft Graph using MSAL with Python and Certificate Authentication.
This post assumes you have Python installed and configured as well as PIP on your local host. Ideally you should also be using VSCode along with the Microsoft Python extension for VSCode.
You will also need to have registered an Azure AD Application with Application Permissions.
The Python packages I am using for integration with Microsoft Graph are msal, json, pyjwt, requests and datetime.
Python includes some of these packages (json and datetime are part of the standard library, so they are not installed with PIP). Install the others using PIP.
Note: In the screenshot below, I already have all the packages installed.
pip install msal pyjwt==1.7.1 requests
The process is similar to using PowerShell for certificate based authentication.
To generate a self-signed certificate I’m using OpenSSL in Ubuntu via WSL (Windows Subsystem for Linux) that I previously wrote about a few years ago in this post. Subsequently WSL2 has become available, and Thomas has a great installation guide here. Using OpenSSL in Ubuntu we can generate a self-signed certificate by:
The following OpenSSL command will generate a 2048-bit RSA Key.
openssl genrsa -out aadappcert.pem 2048
Then we can generate a Certificate Signing Request.
openssl req -new -key aadappcert.pem -out aadappcert.csr
And finally generate our self-signed certificate.
openssl x509 -req -days 365 -in aadappcert.csr -signkey aadappcert.pem -out aadappcert.crt
With our self-signed certificate generated we can then upload it to our Azure AD Registered Application.
Once uploaded, record the thumbprint. We will need it for our Python authentication script.
You will need to update the following variables near the top of the script below.
To make this example reusable for future scripts I’ve created three functions.
Here is the script. Do not forget to install the dependency packages and update the tenantID, clientID, scope(s), queryUser, certificate thumbprint and file name/location before executing it. In the example script below the path (.\\filename.pem) of the certificate file is for the same directory as the script.
It will load the local certificate and use it for authentication to Azure AD using the registered Azure AD Application, display the Access Token and its expiry time before querying Microsoft Graph for an Azure AD User.
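Since the script itself is not reproduced above, here is an added example of the flow the post describes (it is not the author's script). It uses the same variable names the post asks you to update, loads the .pem private key produced by openssl genrsa, authenticates with msal.ConfidentialClientApplication using the certificate thumbprint and private key, displays the token expiry, and queries Microsoft Graph for one user. The tenant ID, client ID, thumbprint and user principal name are placeholders; the scope assumes Application Permissions, which always use the .default scope.

```python
"""Added example (not the post's own script): MSAL client-credentials flow
with certificate authentication. Placeholder values must be replaced."""
import base64
import datetime
import json
import re

# --- Variables the post says to update (placeholders, not real identifiers) ---
tenantID = "YOUR-TENANT-ID"                         # placeholder
clientID = "YOUR-APP-CLIENT-ID"                     # placeholder
scope = ["https://graph.microsoft.com/.default"]    # application permissions use .default
queryUser = "user@contoso.example"                  # placeholder UPN to look up
thumbprint = "AB:CD:EF:..."                         # placeholder; paste the portal's thumbprint
certFile = "aadappcert.pem"                         # private key from 'openssl genrsa', same dir as script


def normalize_thumbprint(value):
    """MSAL wants the SHA-1 thumbprint as 40 hex characters with no separators.
    The portal displays it with colons or spaces, so strip them and validate."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(cleaned) != 40:
        raise ValueError("thumbprint must be 40 hex characters (SHA-1), got %r" % value)
    return cleaned


def private_key_from_pem(pem_text):
    """The file loaded here must be the private key (.pem), not the .crt that was
    uploaded to the portal. Fail early with a clear message if it is not."""
    if "PRIVATE KEY-----" not in pem_text:
        raise ValueError("file does not look like a PEM private key")
    return pem_text


def decode_jwt_payload(token):
    """Base64url-decode only the payload segment so the expiry can be displayed.
    No signature is checked here; this is for display, never for validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)      # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def token_expiry(payload):
    """Return the 'exp' claim as a timezone-aware UTC datetime."""
    return datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)


def acquire_token(tenant, client, thumb, pem_text, scopes):
    """Client-credentials grant, with the certificate as the client credential."""
    import msal  # imported here so the helpers above work without msal installed
    app = msal.ConfidentialClientApplication(
        client,
        authority="https://login.microsoftonline.com/" + tenant,
        client_credential={
            "thumbprint": normalize_thumbprint(thumb),
            "private_key": private_key_from_pem(pem_text),
        },
    )
    result = app.acquire_token_for_client(scopes=scopes)  # MSAL caches the token
    if "access_token" not in result:
        raise RuntimeError("%s: %s" % (result.get("error"), result.get("error_description")))
    return result


def get_user(access_token, upn):
    """Query Microsoft Graph for a single user with the bearer token."""
    import requests
    response = requests.get(
        "https://graph.microsoft.com/v1.0/users/" + upn,
        headers={"Authorization": "Bearer " + access_token},
        timeout=30,
    )
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    with open(certFile) as handle:
        pem = handle.read()
    token = acquire_token(tenantID, clientID, thumbprint, pem, scope)
    claims = decode_jwt_payload(token["access_token"])
    print("Access token:", token["access_token"])
    print("Expires (UTC):", token_expiry(claims).isoformat())
    print(json.dumps(get_user(token["access_token"], queryUser), indent=2))
```

The thumbprint check matters in practice: MSAL expects the bare hex string, and a thumbprint pasted with the portal's separators fails with an unhelpful error. Reading the expiry from the token is for display only; the token's validity is enforced by Microsoft Graph, not by this script.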
In this post I have shown how to configure an Azure AD Application with Application Permissions, generate a self-signed certificate and assign it as a credential on the Azure AD App, and use Python and the Microsoft Authentication Libraries (MSAL) with Certificate Authentication.