question

Pravallika-4917 asked Pravallika-1040 commented

MSAL - ConfidentialClient - acquire token by username and password

I am trying to access SharePoint via API and download/upload files to a site.

I created an application in the Azure Portal, created a client secret, and gave delegated permissions to the user.

I am using the msal module. I am unable to get a token when I'm using username and password (Error: Authentication failed).

# Code
import msal

# Confidential client: app registration with a client secret; {tenant} is a placeholder
app = msal.ConfidentialClientApplication(client_id, client_credential=client_secret, authority='https://login.microsoftonline.com/{tenant}', validate_authority=True)

# Able to get an access token with the call below. But since the application only has
# delegated access, this token will not be useful to authorize SharePoint.
app.acquire_token_for_client(scopes=["https://{tenant}.sharepoint.com/.default"])

# Authentication failed with the call below
app.acquire_token_by_username_password(username, password, ["https://{tenant}.sharepoint.com/.default"])


Please help me.

azure-ad-msal

1 Answer

amanpreetsingh-msft answered Pravallika-1040 commented

Hi @Pravallika-4917, thank you for reaching out.

As documented here, for confidential clients the recommended authentication flows are Client_Credentials, On-behalf-of, and Authorization_code. As you want to acquire a token under user context, I would suggest going with the Authorization_code flow rather than the Password (ROPC) flow.

Please refer to the code below to acquire a token using Authorization_code and call a web API, which you can replace with your SharePoint API.

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-1-MyOrg


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft, thanks for your response.

My use case is not a web app. It's a cron job that runs without user interaction, and it runs from a different machine for every request.

What would be the better approach for this scenario?

Thanks in advance.


@Pravallika-1040, for such scenarios the recommendation is to use the client_credentials flow or, if possible, a Managed System Identity. Although the Password flow can be used, it is not a recommended approach.
Keep in mind that when using the client_credentials flow to acquire an access token, you will need to use Application permissions and not Delegated permissions.

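The client_credentials path recommended in the comment above, as an added example (it is not code from the question, the answer, or Microsoft's samples). It shows the non-interactive token acquisition for an unattended job and, more usefully, a local check that the token actually carries application permissions (a `roles` claim) rather than delegated ones (`scp`), which is exactly the mismatch that makes a client_credentials token useless against SharePoint when the app registration only has delegated permissions. The live path assumes MSAL for Python, a certificate credential (PEM private key plus its SHA-1 thumbprint) and an application permission such as `Sites.Selected` granted with admin consent; the tenant, client ID and SharePoint host are placeholders. The sample tokens at the bottom are constructed, unsigned payloads for offline use, not real Azure AD tokens.

```python
"""Client-credentials token acquisition for an unattended SharePoint job (added example)."""
import base64
import json
from typing import Any, Dict, List, Tuple


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload claims WITHOUT verifying the signature.

    This is only a local sanity check of what the token carries; the resource
    (SharePoint) is the party that validates the signature, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permissions_in_token(token: str) -> Tuple[str, List[str]]:
    """Classify the token as application (roles claim) or delegated (scp claim).

    Azure AD puts application permissions in 'roles' and delegated permissions in a
    space-separated 'scp' string. A client_credentials token issued to an app that has
    only delegated permissions carries neither.
    """
    claims = decode_jwt_payload(token)
    if "roles" in claims:
        return "application", list(claims["roles"])
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    return "none", []


def check_client_credentials_result(result: Dict[str, Any], required_role: str) -> str:
    """Validate an MSAL acquire_token_for_client() result before calling SharePoint.

    MSAL returns a dict and signals failure with 'error'/'error_description' keys
    rather than raising, so callers that only look for 'access_token' silently
    continue with nothing. We also refuse tokens that lack the expected app role.
    """
    if "access_token" not in result:
        raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
    kind, perms = permissions_in_token(result["access_token"])
    if kind != "application" or required_role not in perms:
        raise PermissionError(
            f"token has {kind} permissions {perms}; application permission "
            f"{required_role!r} with admin consent is required for client_credentials"
        )
    return result["access_token"]


def acquire_sharepoint_app_token(tenant: str, client_id: str, private_key_pem: str,
                                 thumbprint: str, sp_host: str) -> str:
    """Live path (needs network and `pip install msal`); not exercised offline.

    Assumed inputs: tenant ID or domain, app (client) ID, PEM private key of the
    certificate uploaded to the app registration, its SHA-1 thumbprint, and the
    SharePoint host name (the part before .sharepoint.com).
    """
    import msal  # imported here so the offline helpers above run without it

    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant}",
        client_credential={"private_key": private_key_pem, "thumbprint": thumbprint},
    )
    # MSAL serves a still-valid app token from its cache before hitting the network.
    result = app.acquire_token_for_client(scopes=[f"https://{sp_host}.sharepoint.com/.default"])
    return check_client_credentials_result(result, "Sites.Selected")


def _fake_jwt(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def b64(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


SAMPLE_APP_TOKEN = _fake_jwt({"aud": "https://contoso.sharepoint.com", "roles": ["Sites.Selected"]})
SAMPLE_DELEGATED_TOKEN = _fake_jwt({"aud": "https://contoso.sharepoint.com", "scp": "AllSites.Read"})
SAMPLE_NO_PERMS_TOKEN = _fake_jwt({"aud": "https://contoso.sharepoint.com"})

if __name__ == "__main__":
    for name, tok in [("app", SAMPLE_APP_TOKEN), ("delegated", SAMPLE_DELEGATED_TOKEN),
                      ("none", SAMPLE_NO_PERMS_TOKEN)]:
        print(name, permissions_in_token(tok))
    print(check_client_credentials_result({"access_token": SAMPLE_APP_TOKEN}, "Sites.Selected")[:20])
```

Two practical caveats for this flow: SharePoint Online rejects app-only tokens that were obtained with a client secret, so the live path uses a certificate credential; and application permissions require admin consent, which is why the token check above fails closed when `roles` is missing instead of letting the job proceed to a 401 from SharePoint.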

Thank you. I will have to check with the admin on application permissions.

I got delegated permissions.

Just one last question: even though I am able to create an application and give delegated user access, is there a difference between an application created by a user and one created by an admin?
