For MSAL with Python and Delegated Permissions see this post. For MSAL with Python and Certificate Authentication see this post.
The Microsoft Authentication Libraries (MSAL) became generally available in May 2019, and I’ve previously written numerous posts on leveraging the .NET MSAL library via the MSAL.PS module here. More recently I’ve been developing a few projects in Python that require integration with Microsoft Graph. It has been almost a year since the Python MSAL library reached its first stable release, and since then it has seen frequent updates. As of the time of this post the most recent release is 1.6.0. In this post I show how to authenticate to and query Microsoft Graph using MSAL with Python, for those who, like me, aren’t as proficient with Python. That is, those of us going from "I can do it in PowerShell like this, so how do I do the same in Python?"
Prerequisites
This post assumes you have Python installed and configured as well as PIP on your local host. Ideally you should also be using VSCode along with the Microsoft Python extension for VSCode.
You will also need to have registered an Azure AD Application that uses a Client Secret.
The example in this post will use the ClientID from your AAD registered application and the secret you generated for it. Future posts will detail using Certificates and Delegated Authentication.
Your registered application will require Application (not Delegated) permissions. The Application permission Directory.Read.All provides the access the example needs to read Users from Azure AD via Microsoft Graph; if the application only ever needs to list users, the narrower User.Read.All permission is sufficient and keeps the app closer to least privilege.
Dependencies
Just as PowerShell uses Modules to provide functionality, Python uses Packages. The packages I’m using for integration with Microsoft Graph are:
- MSAL (simplifies authentication and access token refresh with Microsoft Graph)
- PyJWT (we will be using this to decode the Microsoft Graph Access Token)
  - the script was written using v1.7.1. Version 2.x+ of PyJWT has breaking changes for jwt.decode. Thanks for the info, Nick.
  - UPDATE June 2022: See this post to utilise PyJWT version 2.4.0+
- JSON (for manipulation of the results from Microsoft Graph queries)
- REQUESTS (for REST requests to Microsoft Graph)
- DATETIME (to convert the access token expiry from a Unix timestamp)
- PANDAS (to load our request results into a dataframe)
Python includes some of these packages (json and datetime are part of the standard library and do not need to be installed). The rest can be quickly installed using PIP.
Note: In the screenshot below, I already have all the packages installed.

```shell
pip install msal pyjwt==1.7.1 requests pandas
```
Authenticate to Microsoft Graph with MSAL and Python
With the package dependencies sorted, here is a quick Python Function to use the MSAL package and authenticate.
The script contains two functions:
- msgraph_auth
  - this function authenticates to Microsoft Graph using the registered Azure AD Application and obtains an Access Token with authorization for the Application level scopes configured on the registered application
  - it will also decode and output the details of the access token
  - the expiry time of the access token is displayed after being converted from a Unix timestamp
- msgraph_request
  - this function makes requests to Microsoft Graph with results returned in JSON format
You will need to update the msgraph_auth function in the script (full script further below) to insert your TenantId (tenant GUID) or Tenant Name (mytenant.onmicrosoft.com), plus the Client ID and Secret of your registered AAD Application. For simplicity in the example I’ve defined them statically; you can update the function to take them as parameters instead.
The script will call the msgraph_auth function and then make a request to Microsoft Graph (using the msgraph_request function) to return the first page of users from Azure AD.
Finally, it will put the results in a Dataframe.
The Script
Here is the script. Don’t forget to install the packages and update the tenant, clientID and clientSecret before executing it.
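The following is an added, self-contained implementation of the two functions described above (msgraph_auth and msgraph_request); it is example code written for this page, not the post's own script. The tenant, client ID and secret are placeholders you must replace. The token claims are decoded with the standard library rather than PyJWT so the helper is not affected by the jwt.decode changes between PyJWT 1.x and 2.x; msal and requests are imported inside the functions that need them so the decoding helpers can be used on their own.

```python
import base64
import json
from datetime import datetime, timezone

TENANT = "mytenant.onmicrosoft.com"  # placeholder: tenant GUID or tenant name
CLIENT_ID = "<client-id>"            # placeholder: Application (client) ID
CLIENT_SECRET = "<client-secret>"    # placeholder: secret generated for the app
GRAPH_SCOPE = ["https://graph.microsoft.com/.default"]  # use Application permissions
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def decode_jwt_claims(token):
    """Return the payload claims of a JWT without checking its signature.
    This is only for inspecting a token we just received from Azure AD;
    Microsoft Graph validates the signature server-side."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expiry(claims):
    """Convert the 'exp' Unix timestamp claim into an aware UTC datetime."""
    return datetime.fromtimestamp(claims["exp"], tz=timezone.utc)


def msgraph_auth():
    """Authenticate with the client credentials flow and return (token, expiry)."""
    import msal  # imported here so the helpers above work without msal installed
    app = msal.ConfidentialClientApplication(
        CLIENT_ID,
        authority=f"https://login.microsoftonline.com/{TENANT}",
        client_credential=CLIENT_SECRET,
    )
    # MSAL caches tokens; try the cache first, then request a new one
    result = app.acquire_token_silent(GRAPH_SCOPE, account=None)
    if not result:
        result = app.acquire_token_for_client(scopes=GRAPH_SCOPE)
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    claims = decode_jwt_claims(result["access_token"])
    print("Token expires at", token_expiry(claims), "with roles", claims.get("roles"))
    return result["access_token"], token_expiry(claims)


def msgraph_request(access_token, url):
    """GET a Graph URL with the bearer token and return the parsed JSON body."""
    import requests
    resp = requests.get(url, headers={"Authorization": f"Bearer {access_token}"}, timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    import pandas as pd
    token, expiry = msgraph_auth()
    users = msgraph_request(token, f"{GRAPH_BASE}/users?$top=10&$select=id,displayName,userPrincipalName")
    print(pd.DataFrame(users["value"]))  # first page of users as a dataframe
```

For paging beyond the first results, follow the @odata.nextLink value in each response with msgraph_request until it is absent.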
The screenshot below shows the execution and output of the script. An access token is received and decoded, and its expiry date and time are displayed. The results of the Microsoft Graph query are then loaded into a dataframe.
Summary
This post is an example to get you started using Python with the MSAL library: authenticate to and query Microsoft Graph using a registered Azure AD Application with Application level permissions.
The example is easily extended to use the tokenExpiry object (datetime format) in long running scripts: check when the access token will expire and call the msgraph_auth function again to obtain a fresh one before it does. MSAL's own token cache will return the cached token while it is still valid, so the extra call is cheap.
Queries against the results held in the dataframe are also easily performed using any of the many documented pandas dataframe query examples.
I’ll be writing additional posts on MSAL with Python using certificate based authentication and another using delegated permissions.