Merge pull request #92765 from jmprieur/quickstart-v2-python-daemon

PMEds28 · web-flow · commit 62cc90b00d71 · 2019-10-23T11:19:11.000+01:00
Adding a Python daemon quickstart
diff --git a/articles/active-directory/develop/TOC.yml b/articles/active-directory/develop/TOC.yml
@@ -59,6 +59,8 @@
       items:
       - name: .NET Core console (daemon)
         href: quickstart-v2-netcore-daemon.md
+      - name: Python console daemon
+        href: quickstart-v2-python-daemon.md
       - name: ASP.NET daemon web app
         href: https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2
   - name: Tutorials
diff --git a/articles/active-directory/develop/quickstart-v2-python-daemon.md b/articles/active-directory/develop/quickstart-v2-python-daemon.md
@@ -0,0 +1,240 @@
+---
+title: Microsoft identity platform Python daemon | Azure
+description: Learn how a Python process can get an access token and call an API protected by Microsoft identity platform endpoint, using the app's own identity
+services: active-directory
+documentationcenter: dev-center-name
+author: jmprieur
+manager: CelesteDG
+editor: ''
+
+ms.assetid: 820acdb7-d316-4c3b-8de9-79df48ba3b06
+ms.service: active-directory
+ms.subservice: develop
+ms.devlang: na
+ms.topic: quickstart
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 10/22/2019
+ms.author: jmprieur
+ms.custom: aaddev, identityplatformtop40 
+#Customer intent: As an application developer, I want to learn how my Python app can get an access token and call an API that's protected by an Microsoft identity platform endpoint using client credentials flow.
+ms.collection: M365-identity-device-management
+---
+
+# Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity
+
+In this quickstart, write a Python application that gets an accessing token using the app's identity, and then calls the Microsoft Graph API to display a [list of users](https://docs.microsoft.com/graph/api/user-list) in the directory. This scenario is useful for situations where headless, unattended job or a windows service needs to run with an application identity, instead of a user's identity.
+
+> [!div renderon="docs"]
+> ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg)
+
+## Prerequisites
+
+To run this sample, you need:
+
+- [Python 2.7+](https://www.python.org/downloads/release/python-2713) or [Python 3+](https://www.python.org/downloads/release/python-364/)
+- [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python)
+
+> [!div renderon="docs"]
+> ## Register and download your quickstart app
+
+> [!div renderon="docs" class="sxs-lookup"]
+>
+> You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2)
+>
+> ### Option 1: Register and auto configure your app and then download your code sample
+>
+> 1. Go to the new [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/PythonDaemonQuickstartPage/sourceType/docs) pane.
+> 1. Enter a name for your application and select **Register**.
+> 1. Follow the instructions to download and automatically configure your new application with just one click.
+>
+> ### Option 2: Register and manually configure your application and code sample
+
+> [!div renderon="docs"]
+> #### Step 1: Register your application
+> To register your application and add the app's registration information to your solution manually, follow these steps:
+>
+> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+> 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.
+> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+> 1. Select **New registration**.
+> 1. When the **Register an application** page appears, enter your application's registration information. 
+> 1. In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Daemon-console`, then select **Register** to create the application.
+> 1. Once registered, select the **Certificates & secrets** menu.
+> 1. Under **Client secrets**, select **+ New client secret**. Give it a name and select **Add**. Copy the secret on a safe location. You will need it to use in your code.
+> 1. Now, select the **API Permissions** menu, select **+ Add a permission** button, select **Microsoft Graph**.
+> 1. Select **Application permissions**.
+> 1. Under **User** node, select **User.Read.All**, then select **Add permissions**
+
+> [!div class="sxs-lookup" renderon="portal"]
+> ### Download and configure your quickstart app
+> 
+> #### Step 1: Configure your application in Azure portal
+> For the code sample for this quickstart to work, you need to create a client secret, and add Graph API's **User.Read.All** application permission.
+> > [!div renderon="portal" id="makechanges" class="nextstepaction"]
+> > [Make these changes for me]()
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-netcore-daemon/green-check.png) Your application is configured with these attributes.
+
+#### Step 2: Download your Python project
+
+[Download the Python daemon project](https://github.com/Azure-Samples/ms-identity-python-daemon/archive/master.zip)
+
+#### Step 3: Configure your Python project
+
+1. Extract the zip file to a local folder close to the root of the disk, for example, **C:\Azure-Samples**.
+1. Navigate to the sub folder **1-Call-MsGraph-WithSecret"**.
+1. Edit **parameters.json** and replace the values of the fields `authority`, `client_id`, and `secret` with the following snippet:
+
+    ```json
+    "authority": "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
+    "client_id": "Enter_the_Application_Id_Here",
+    "secret": "Enter_the_Client_Secret_Here"
+    ```
+    > > [!div renderon="portal" id="certandsecretspage" class="sxs-lookup"]
+    > > [Generate a new client secret]()
+    
+    > [!div class="sxs-lookup" renderon="portal"]
+    > > [!NOTE]
+    > > This quickstart supports Enter_the_Supported_Account_Info_Here.
+    
+    > [!div renderon="docs"]
+    >> Where:
+    >> * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+    >> * `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+    >> * `Enter_the_Client_Secret_Here` - replace this value with the client secret created on step 1.
+
+    > [!div renderon="docs"]
+    > > [!TIP]
+    > > To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page.
+    
+#### Step 4: Admin consent
+
+If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires Admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
+
+##### Global tenant administrator
+
+> [!div renderon="docs"]
+> If you are a global tenant administrator, go to **API Permissions** page in the Azure Portal's Application Registration (Preview) and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
+
+> [!div renderon="portal" class="sxs-lookup"]
+> If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**
+> > [!div id="apipermissionspage"]
+> > [Go to the API Permissions page]()
+
+##### Standard user
+
+If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:
+
+```url
+https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here
+```
+
+> [!div renderon="docs"]
+>> Where:
+>> * `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+>> * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+
+#### Step 5: Run the application
+
+You'll need to install MSAL Python once
+
+```console
+pip install msal
+```
+
+Then, run the application via command prompt or console:
+
+```console
+python confidential_client_secret_sample.py parameters.json
+```
+
+You should see on the console output some Json fragment representing a list of users in your Azure AD directory.
+
+> [!IMPORTANT]
+> This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](https://github.com/Azure-Samples/ms-identity-python-daemon/blob/master/2-Call-MsGraph-WithCertificate/README.md) in the same GitHub repository for this sample, but in the second folder **2-Call-MsGraph-WithCertificate**
+
+## More information
+
+### MSAL Python
+
+[MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as *[client credentials oauth flow](v2-oauth2-client-creds-grant-flow.md)*. For more information on how to use MSAL Python with daemon apps, see [this article](scenario-daemon-overview.md).
+
+ You can install MSAL Python by running the following pip command.
+
+```powershell
+pip install -r requirements.txt
+```
+
+### MSAL initialization
+
+You can add the reference for MSAL by adding the following code:
+
+```Python
+import msal
+```
+
+Then, initialize MSAL using the following code:
+
+```Python
+app = msal.ConfidentialClientApplication(
+    config["client_id"], authority=config["authority"],
+    client_credential=config["secret"])
+```
+
+> | Where: ||
+> |---------|---------|
+> | `config["secret"]` | Is the client secret created for the application in Azure Portal. |
+> | `config["client_id"]` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+> | `config["authority"]`    | The STS endpoint for user to authenticate. Usually <https://login.microsoftonline.com/{tenant}> for public cloud, where {tenant} is the name of your tenant or your tenant Id.|
+
+For more information, please see the [reference documentation for `ConfidentialClientApplication`](https://msal-python.readthedocs.io/en/latest/#confidentialclientapplication)
+
+### Requesting tokens
+
+To request a token using app's identity, use `AcquireTokenForClient` method:
+
+```Python
+result = None
+result = app.acquire_token_silent(config["scope"], account=None)
+
+if not result:
+    logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
+    result = app.acquire_token_for_client(scopes=config["scope"])
+```
+
+> |Where:| |
+> |---------|---------|
+> | `config["scope"]` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure Portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom Web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure Portal's Application Registration (Preview). |
+
+For more information, please see the [reference documentation for `AcquireTokenForClient`](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_for_client)
+
+[!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+
+## Next steps
+
+To learn more about daemon applications, see the scenario landing page
+
+> [!div class="nextstepaction"]
+> [Daemon application that calls web APIs](scenario-daemon-overview.md)
+
+For the daemon application tutorial, see:
+
+> [!div class="nextstepaction"]
+> [Daemon Python console tutorial](https://github.com/Azure-Samples/ms-identity-python-daemon)
+
+Learn more about permissions and consent:
+
+> [!div class="nextstepaction"]
+> [Permissions and Consent](v2-permissions-and-consent.md)
+
+To know more about the auth flow for this scenario, see the Oauth 2.0 client credentials flow:
+
+> [!div class="nextstepaction"]
+> [Client credentials Oauth flow](v2-oauth2-client-creds-grant-flow.md)
+
+Help us improve the Microsoft identity platform. Tell us what you think by completing a short two-question survey.
+
+> [!div class="nextstepaction"]
+> [Microsoft identity platform survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRyKrNDMV_xBIiPGgSvnbQZdUQjFIUUFGUE1SMEVFTkdaVU5YT0EyOEtJVi4u)
