Tags: python, azure, onedrive, msal

Connect to OneDrive using Python (msal) and client secret


I'm trying to connect to OneDrive to read files shared with my account, but I'm using a client secret so that the execution of the code can be scheduled. I set the permissions for the app I'm using to connect to the API as in the picture (API permissions), but I get the error "Insufficient privileges to complete the operation". I'm a pretty intermediate user of Python, so I need help on this one.

And here's an example of the code I'm using to connect to OneDrive.

from msal import ConfidentialClientApplication
import requests

# App credentials
CLIENT_ID = "your_client_id"         # Application (Client) ID from Azure
CLIENT_SECRET = "your_client_secret" # Generated client secret
TENANT_ID = "your_tenant_id"         # Directory (Tenant) ID from Azure

# MSAL application
app = ConfidentialClientApplication(
    client_id=CLIENT_ID,
    client_credential=CLIENT_SECRET,
    authority=f"https://login.microsoftonline.com/{TENANT_ID}",
)

# Get a token for Microsoft Graph
SCOPES = ["https://graph.microsoft.com/.default"]  # Required for Client Credentials Flow
token_response = app.acquire_token_for_client(scopes=SCOPES)

# Check token response
if "access_token" in token_response:
    access_token = token_response["access_token"]
    print("Access token acquired.")

    # Use the token to call Microsoft Graph
    GRAPH_API_URL = "https://graph.microsoft.com/v1.0/users"
    headers = {"Authorization": f"Bearer {access_token}"}

    response = requests.get(GRAPH_API_URL, headers=headers)

    if response.status_code == 200:
        print("Graph API response:", response.json())
    else:
        print("Graph API error:", response.json())
else:
    print("Failed to acquire token:", token_response.get("error_description"))

Solution

  • Note that: Client credential flow requires application type API permissions.

  • User interactive flow/delegated flow requires delegated API permissions.

    The error "Insufficient privileges to complete the operation" usually occurs if the access token does not have required permissions to perform the actions.

    To resolve the error, assign User.Read.All application type API permission:


    I am able to successfully retrieve users:

    from msal import ConfidentialClientApplication
    import requests
    
    # App credentials
    CLIENT_ID = "ClientID"         # Application (Client) ID from Azure
    CLIENT_SECRET = "Secret" # Generated client secret
    TENANT_ID = "TenantID"         # Directory (Tenant) ID from Azure
    
    # MSAL application
    app = ConfidentialClientApplication(
        client_id=CLIENT_ID,
        client_credential=CLIENT_SECRET,
        authority=f"https://login.microsoftonline.com/{TENANT_ID}",
    )
    
    # Get a token for Microsoft Graph
    SCOPES = ["https://graph.microsoft.com/.default"]  # Required for Client Credentials Flow
    token_response = app.acquire_token_for_client(scopes=SCOPES)
    
    # Check token response
    if "access_token" in token_response:
        access_token = token_response["access_token"]
        print("Access token acquired.")
    
        # Use the token to call Microsoft Graph
        GRAPH_API_URL = "https://graph.microsoft.com/v1.0/users"
        headers = {"Authorization": f"Bearer {access_token}"}
    
        response = requests.get(GRAPH_API_URL, headers=headers)
    
        if response.status_code == 200:
            print("Graph API response:", response.json())
        else:
            print("Graph API error:", response.json())
    else:
        print("Failed to acquire token:", token_response.get("error_description"))
    


    If you want to access OneDrive, grant a OneDrive-related application type API permission:

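Added example, not code from the asker or the answerer: before calling Graph, it decodes the app's own token and checks that the application permissions the flow needs appear in its `roles` claim (app-only tokens carry `roles`; delegated tokens carry `scp`), which is the quickest way to confirm the cause of the "Insufficient privileges" error above, and then lists a user's OneDrive root. It assumes `Files.Read.All` has been granted as an application permission with admin consent, placeholder client/tenant ids, and a hypothetical user address; `sample_token` builds constructed, unsigned tokens purely for offline testing.

```python
import base64
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def jwt_claims(access_token: str) -> dict:
    """Decode the JWT payload without verifying the signature: fine for inspecting
    a token this app just received for itself, since Graph verifies it server-side."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(access_token: str, required: set) -> set:
    """Return the required application permissions that the token does not carry."""
    claims = jwt_claims(access_token)
    if "roles" not in claims:  # delegated token, or no application permission consented
        return set(required)
    return set(required) - set(claims["roles"])


def sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline tests only (never sent anywhere)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.fake-signature"


def acquire_app_token(client_id: str, client_secret: str, tenant_id: str) -> str:
    from msal import ConfidentialClientApplication  # only needed for the live call
    app = ConfidentialClientApplication(
        client_id, client_credential=client_secret,
        authority=f"https://login.microsoftonline.com/{tenant_id}")
    result = app.acquire_token_for_client(scopes=["https://graph.microsoft.com/.default"])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description"))
    return result["access_token"]


def list_drive_root(access_token: str, user: str) -> list:
    """App-only callers have no /me, so the user's drive is addressed explicitly."""
    req = urllib.request.Request(f"{GRAPH}/users/{user}/drive/root/children",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    token = acquire_app_token("your_client_id", "your_client_secret", "your_tenant_id")
    missing = missing_app_roles(token, {"Files.Read.All"})
    if missing:
        raise SystemExit(f"Token lacks application permission(s) {missing}; grant and admin-consent them")
    for item in list_drive_root(token, "user@example.com"):  # hypothetical user
        print(item["name"])
```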