Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

MSAL Authentication with Python Showing Unauthorized Client?

Tags:

python

azure

azure-active-directory

microsoft-graph-api

azure-ad-msal

I am trying to authenticate an Azure app that has application-level permissions. All the permissions have been granted by an admin, and the app has both a client id and a client secret. I'm running the following code based on the Daemon-api documentation from Microsoft graph:

import msal

config = {
    "authority": "https://login.microsoftonline.com/organizations",
    "client_id": CLIENT_ID,
    "scope": ["https://graph.microsoft.com/.default"],
    "redirect_uri": REDIRECT_URI,
    "client_secret": CLIENT_SECRET
}

app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential=config["client_secret"] )

result = app.acquire_token_silent(config["scope"], account=None)

import logging

if not result:
    logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
    result = app.acquire_token_for_client(scopes=config["scope"])

If I print result though, it says the following:

{'error': 'unauthorized_client',
 'error_description': "AADSTS700016: Application with identifier [IDENTIFIER] was not found in the directory 'microsoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: [TRACE ID]\r\nCorrelation ID: [CORRELATION ID]\r\nTimestamp: 2019-08-28 17:14:39Z",
 'error_codes': [700016],
 'timestamp': '2019-08-28 17:14:39Z',
 'trace_id': [TRACE ID],
 'correlation_id': [CORRELATION ID],
 'error_uri': 'https://login.microsoftonline.com/error?code=700016'}

The app has existed for several days and as I've mentioned, it has had all its permissions authorized by an admin. How come I'm still getting an "unauthorized" error? I check my id and secret, they're correct.

I wonder if it might have something to do with the fact that the error message says it's being sent to the microsoft.com directory? But the only microsoft information I provide is in authority and scope which the api says is needed as-is. I don't see anywhere to provide a directory id. Could that be the issue? If so, how would I rectify it?

like image 939
Elliptica Avatar asked Jun 25 '26 02:06

Elliptica

1 Answers

Authority field in your config should be 

https://login.microsoftonline.com/<directory_id>
like image 130
Adam Marczak Avatar answered Jun 27 '26 17:06

Adam Marczak
Sign in to Comment

Related questions

Reducing an axis with numpy
Autocomplete with readline in python3
Is it possible to detect if the mouse is held down with python
Why can't Python print an integer and string together without converting it?
Remove nested column in PySpark
Convert StringType Column To ArrayType In PySpark
PIP3 associated with the wrong python version
Python: For every 2 items in list? [duplicate]
CI/CD tests involving pyspark - JAVA_HOME is not set
Pandas not finding elements in Columns

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!