Split delegated and app-only into separate projects

Author: jasonjoh

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.vscode/launch.json

@@ -8,8 +8,17 @@
             "name": "Python: main",
             "type": "python",
             "request": "launch",
-            "program": "${workspaceFolder}/demo/graphtutorial/main.py",
-            "cwd": "${workspaceFolder}/demo/graphtutorial",
+            "program": "${workspaceFolder}/user-auth/graphtutorial/main.py",
+            "cwd": "${workspaceFolder}/user-auth/graphtutorial",
+            "console": "integratedTerminal",
+            "justMyCode": true
+        },
+        {
+            "name": "Python: main (app-only)",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/app-auth/graphapponlytutorial/main.py",
+            "cwd": "${workspaceFolder}/app-auth/graphapponlytutorial",
             "console": "integratedTerminal",
             "justMyCode": true
         }

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+    "cSpell.words": [
+        "graphtutorial",
+        "Pylint"
+    ]
+}

README.md

@@ -2,11 +2,13 @@
 
 [![Pylint](https://github.com/microsoftgraph/msgraph-training-python/actions/workflows/pylint.yml/badge.svg)](https://github.com/microsoftgraph/msgraph-training-python/actions/workflows/pylint.yml)
 
-This sample will introduce you to working with the Microsoft Graph SDK to access data in Microsoft 365 from Python applications. This code is the result of completing the [Python Microsoft Graph tutorial](https://docs.microsoft.com/graph/tutorials/python).
+This sample will introduce you to working with the Microsoft Graph SDK to access data in Microsoft 365 from Python applications. This code is the result of completing the [Python Microsoft Graph tutorial](https://docs.microsoft.com/graph/tutorials/python) and the [Python Microsoft Graph app-only tutorial](https://docs.microsoft.com/graph/tutorials/python-app-only).
 
 ## Running the sample
 
-The code for this sample is in the [demo](demo) folder. Instructions to configure and run the sample can be found in the [README](demo/README.md) in that folder.
+The code for the delegated user authentication sample is in the [user-auth](user-auth) folder. Instructions to configure and run the sample can be found in the [README](user-auth/README.md) in that folder.
+
+The code for the app-only authentication sample is in the [app-auth](app-auth) folder. Instructions to configure and run the sample can be found in the [README](app-auth/README.md) in that folder.
 
 ## Code of conduct
 
@@ -15,4 +17,3 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 ## Disclaimer
 
 **THIS CODE IS PROVIDED _AS IS_ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.**
-

app-auth/README.md

@@ -0,0 +1,85 @@
+# How to run the completed project
+
+## Prerequisites
+
+To run the completed project in this folder, you need the following:
+
+- [Python](https://www.python.org/) and [pip](https://pip.pypa.io/en/stable/) installed on your development machine. (**Note:** This tutorial was written with Python version 3.10.4 and pip version 20.0.2. The steps in this guide may work with other versions, but that has not been tested.)
+- A Microsoft work or school account with the **Global administrator** role.
+
+If you don't have a Microsoft account, you can [sign up for the Microsoft 365 Developer Program](https://developer.microsoft.com/microsoft-365/dev-program) to get a free Microsoft 365 subscription.
+
+## Register an application
+
+You can register an application using the Azure Active Directory admin center, or by using the [Microsoft Graph PowerShell SDK](https://docs.microsoft.com/graph/powershell/get-started).
+
+### Azure Active Directory admin center
+
+1. Open a browser and navigate to the [Azure Active Directory admin center](https://aad.portal.azure.com) and login using a **personal account** (aka: Microsoft Account) or **Work or School Account**.
+
+1. Select **Azure Active Directory** in the left-hand navigation, then select **App registrations** under **Manage**.
+
+1. Select **New registration**. Enter a name for your application, for example, `Python Graph Tutorial`.
+
+1. Set **Supported account types** to **Accounts in this organizational directory only**.
+
+1. Leave **Redirect URI** empty.
+
+1. Select **Register**. On the application's **Overview** page, copy the value of the **Application (client) ID** and **Directory (tenant) ID** and save them, you will need these values in the next step.
+
+1. Select **API permissions** under **Manage**.
+
+1. Remove the default **User.Read** permission under **Configured permissions** by selecting the ellipses (**...**) in its row and selecting **Remove permission**.
+
+1. Select **Add a permission**, then **Microsoft Graph**.
+
+1. Select **Application permissions**.
+
+1. Select **User.Read.All**, then select **Add permissions**.
+
+1. Select **Grant admin consent for...**, then select **Yes** to provide admin consent for the selected permission.
+
+1. Select **Certificates and secrets** under **Manage**, then select **New client secret**.
+
+1. Enter a description, choose a duration, and select **Add**.
+
+1. Copy the secret from the **Value** column, you will need it in the next steps.
+
+### PowerShell
+
+To use PowerShell, you'll need the Microsoft Graph PowerShell SDK. If you do not have it, see [Install the Microsoft Graph PowerShell SDK](https://docs.microsoft.com/graph/powershell/installation) for installation instructions.
+
+1. Open PowerShell and run the [RegisterAppForAppOnlyAuth.ps1](RegisterAppForAppOnlyAuth.ps1) file with the following command.
+
+    ```powershell
+    .\RegisterAppForAppOnlyAuth.ps1 -AppName "Python App-Only Graph Tutorial" -GraphScopes "User.Read.All"
+    ```
+
+1. Copy the **Client ID**, **Tenant ID**, and **Client secret** values from the script output. You will need these values in the next step.
+
+    ```powershell
+    SUCCESS
+    Client ID: ae2386e6-799e-4f75-b191-855d7e691c75
+    Tenant ID: 5927c10a-91bd-4408-9c70-c50bce922b71
+    Client secret: ...
+    Secret expires: 10/28/2024 5:01:45 PM
+    ```
+
+## Configure the sample
+
+1. Update the values in [config.cfg](./graphtutorial/config.cfg) according to the following table.
+
+    | Setting | Value |
+    |---------|-------|
+    | `clientId` | The client ID of your app registration |
+    | `clientSecret` | The client secret of your app registration |
+    | `tenantId` | The tenant ID of your organization |
+
+## Build and run the sample
+
+In your command-line interface (CLI), navigate to the project directory and run the following command.
+
+```Shell
+python3 -m pip install -r requirements.txt
+python3 main.py
+```

demo/UpdateAppForAppOnlyAuth.ps1 app-auth/RegisterAppForAppOnlyAuth.ps1demo/UpdateAppForAppOnlyAuth.ps1 renamed to app-auth/RegisterAppForAppOnlyAuth.ps1

@@ -1,98 +1,113 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT license.
-
-# <ScriptBody>
-param(
-  [Parameter(Mandatory=$true,
-  HelpMessage="The app ID of the app registration")]
-  [String]
-  $AppId,
-
-  [Parameter(Mandatory=$true,
-  HelpMessage="The application permission scopes to configure on the app registration")]
-  [String[]]
-  $GraphScopes,
-
-  [Parameter(Mandatory=$false)]
-  [Switch]
-  $StayConnected = $false
-)
-
-$graphAppId = "00000003-0000-0000-c000-000000000000"
-
-# Requires an admin
-Connect-MgGraph -Scopes "Application.ReadWrite.All AppRoleAssignment.ReadWrite.All User.Read" `
- -UseDeviceAuthentication -ErrorAction Stop
-
-# Get context for access to tenant ID
-$context = Get-MgContext -ErrorAction Stop
-
-# Get the application and service principal
-$appRegistration = Get-MgApplication -Filter ("appId eq '" + $AppId +"'") -ErrorAction Stop
-$appServicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $AppId + "'") -ErrorAction Stop
-
-# Lookup available Graph application permissions
-$graphServicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $graphAppId + "'") -ErrorAction Stop
-$graphAppPermissions = $graphServicePrincipal.AppRoles
-
-$resourceAccess = @()
-
-foreach($scope in $GraphScopes)
-{
-  $permission = $graphAppPermissions | Where-Object { $_.Value -eq $scope }
-  if ($permission)
-  {
-    $resourceAccess += @{ Id =  $permission.Id; Type = "Role"}
-  }
-  else
-  {
-    Write-Host -ForegroundColor Red "Invalid scope:" $scope
-    Exit
-  }
-}
-
-# Add the permissions to required resource access
-Update-MgApplication -ApplicationId $appRegistration.Id -RequiredResourceAccess `
- @{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess } -ErrorAction Stop
-Write-Host -ForegroundColor Cyan "Added application permissions to app registration"
-
-# Add admin consent
-foreach ($appRole in $resourceAccess)
-{
-  New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id `
-   -PrincipalId $appServicePrincipal.Id -ResourceId $graphServicePrincipal.Id `
-   -AppRoleId $appRole.Id -ErrorAction SilentlyContinue -ErrorVariable SPError | Out-Null
-  if ($SPError)
-  {
-    Write-Host -ForegroundColor Red "Admin consent for one of the requested scopes could not be added."
-    Write-Host -ForegroundColor Red $SPError
-    Exit
-  }
-}
-Write-Host -ForegroundColor Cyan "Added admin consent"
-
-# Add a client secret
-$clientSecret = Add-MgApplicationPassword -ApplicationId $appRegistration.Id -PasswordCredential `
- @{ DisplayName = "Added by PowerShell" } -ErrorAction Stop
-
-Write-Host
-Write-Host -ForegroundColor Green "SUCCESS"
-Write-Host -ForegroundColor Cyan -NoNewline "Tenant ID: "
-Write-Host -ForegroundColor Yellow $context.TenantId
-Write-Host -ForegroundColor Cyan -NoNewline "Client secret: "
-Write-Host -ForegroundColor Yellow $clientSecret.SecretText
-Write-Host -ForegroundColor Cyan -NoNewline "Secret expires: "
-Write-Host -ForegroundColor Yellow $clientSecret.EndDateTime
-
-if ($StayConnected -eq $false)
-{
-  Disconnect-MgGraph
-  Write-Host "Disconnected from Microsoft Graph"
-}
-else
-{
-  Write-Host
-  Write-Host -ForegroundColor Yellow `
-   "The connection to Microsoft Graph is still active. To disconnect, use Disconnect-MgGraph"
-}
-# </ScriptBody>
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT license.
+
+# <ScriptBody>
+param(
+  [Parameter(Mandatory=$true,
+  HelpMessage="The friendly name of the app registration")]
+  [String]
+  $AppName,
+
+  [Parameter(Mandatory=$true,
+  HelpMessage="The application permission scopes to configure on the app registration")]
+  [String[]]
+  $GraphScopes,
+
+  [Parameter(Mandatory=$false)]
+  [Switch]
+  $StayConnected = $false
+)
+
+$graphAppId = "00000003-0000-0000-c000-000000000000"
+
+# Requires an admin
+Connect-MgGraph -Scopes "Application.ReadWrite.All User.Read" -UseDeviceAuthentication -ErrorAction Stop
+
+# Get context for access to tenant ID
+$context = Get-MgContext -ErrorAction Stop
+$authTenant = $context.TenantId
+
+# Create app registration
+$appRegistration = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" -ErrorAction Stop
+Write-Host -ForegroundColor Cyan "App registration created with app ID" $appRegistration.AppId
+
+# Create corresponding service principal
+$appServicePrincipal = New-MgServicePrincipal -AppId $appRegistration.AppId -ErrorAction SilentlyContinue `
+  -ErrorVariable SPError
+if ($SPError)
+{
+  Write-Host -ForegroundColor Red "A service principal for the app could not be created."
+  Write-Host -ForegroundColor Red $SPError
+  Exit
+}
+
+Write-Host -ForegroundColor Cyan "Service principal created"
+
+# Lookup available Graph application permissions
+$graphServicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $graphAppId + "'") -ErrorAction Stop
+$graphAppPermissions = $graphServicePrincipal.AppRoles
+
+$resourceAccess = @()
+
+foreach($scope in $GraphScopes)
+{
+  $permission = $graphAppPermissions | Where-Object { $_.Value -eq $scope }
+  if ($permission)
+  {
+    $resourceAccess += @{ Id =  $permission.Id; Type = "Role"}
+  }
+  else
+  {
+    Write-Host -ForegroundColor Red "Invalid scope:" $scope
+    Exit
+  }
+}
+
+# Add the permissions to required resource access
+Update-MgApplication -ApplicationId $appRegistration.Id -RequiredResourceAccess `
+ @{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess } -ErrorAction Stop
+Write-Host -ForegroundColor Cyan "Added application permissions to app registration"
+
+# Add admin consent
+foreach ($appRole in $resourceAccess)
+{
+  $appServicePrincipal
+  New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id `
+   -PrincipalId $appServicePrincipal.Id -ResourceId $graphServicePrincipal.Id `
+   -AppRoleId $appRole.Id -ErrorAction SilentlyContinue -ErrorVariable SPError | Out-Null
+  if ($SPError)
+  {
+    Write-Host -ForegroundColor Red "Admin consent for one of the requested scopes could not be added."
+    Write-Host -ForegroundColor Red $SPError
+    Exit
+  }
+}
+Write-Host -ForegroundColor Cyan "Added admin consent"
+
+# Add a client secret
+$clientSecret = Add-MgApplicationPassword -ApplicationId $appRegistration.Id -PasswordCredential `
+ @{ DisplayName = "Added by PowerShell" } -ErrorAction Stop
+
+Write-Host
+Write-Host -ForegroundColor Green "SUCCESS"
+Write-Host -ForegroundColor Cyan -NoNewline "Client ID: "
+Write-Host -ForegroundColor Yellow $appRegistration.AppId
+Write-Host -ForegroundColor Cyan -NoNewline "Tenant ID: "
+Write-Host -ForegroundColor Yellow $authTenant
+Write-Host -ForegroundColor Cyan -NoNewline "Client secret: "
+Write-Host -ForegroundColor Yellow $clientSecret.SecretText
+Write-Host -ForegroundColor Cyan -NoNewline "Secret expires: "
+Write-Host -ForegroundColor Yellow $clientSecret.EndDateTime
+
+if ($StayConnected -eq $false)
+{
+  Disconnect-MgGraph
+  Write-Host "Disconnected from Microsoft Graph"
+}
+else
+{
+  Write-Host
+  Write-Host -ForegroundColor Yellow `
+   "The connection to Microsoft Graph is still active. To disconnect, use Disconnect-MgGraph"
+}
+# </ScriptBody>

app-auth/graphapponlytutorial/config.cfg

@@ -0,0 +1,4 @@
+[azure]
+clientId = YOUR_CLIENT_ID_HERE
+clientSecret = YOUR_CLIENT_SECRET_HERE
+tenantId = YOUR_TENANT_ID_HERE