| title | titleSuffix | description | services | author | manager | ms.service | ms.subservice | ms.topic | ms.workload | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Quickstart: Add sign-in with Microsoft to a Python web app | Azure |
Microsoft identity platform |
In this quickstart, learn how a Python web app can sign in users, get an access token from the Microsoft identity platform, and call the Microsoft Graph API. |
active-directory |
abhidnya13 |
CelesteDG |
active-directory |
develop |
quickstart |
identity |
09/25/2019 |
abpati |
aaddev, devx-track-python, scenarios:getting-started, languages:Python |
In this quickstart, you download and run a code sample that demonstrates how a Python web application can sign in users and get an access token to call the Microsoft Graph API. Users with a personal Microsoft Account or an account in any Azure Active Directory (Azure AD) organization can sign into the application.
See How the sample works for an illustration.
- An Azure account with an active subscription. Create an account for free.
- Python 2.7+ or Python 3+
- Flask, Flask-Session, requests
- MSAL Python
[!div renderon="docs"]
You have two options to start your quickstart application: express (Option 1), and manual (Option 2)
- Go to the Azure portal - App registrations quickstart experience.
- Enter a name for your application and select Register.
- Follow the instructions to download and automatically configure your new application.
To register your application and add the app's registration information to your solution manually, follow these steps:
- Sign in to the Azure portal.
- If you have access to multiple tenants, use the Directory + subscription filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
- Under Manage, select App registrations > New registration.
- Enter a Name for your application, for example
python-webapp. Users of your app might see this name, and you can change it later.- Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.
- Select Register.
- On the app Overview page, note the Application (client) ID value for later use.
- Under Manage, select Authentication.
- Select Add a platform > Web.
- Add
http://localhost:5000/getATokenas Redirect URIs.- Select Configure.
- Under Manage, select the Certificates & secrets and from the Client secrets section, select New client secret.
- Type a key description (for instance app secret), leave the default expiration, and select Add.
- Note the Value of the Client Secret for later use.
- Under Manage, select API permissions > Add a permission.
- Ensure that the Microsoft APIs tab is selected.
- From the Commonly used Microsoft APIs section, select Microsoft Graph.
- From the Delegated permissions section, ensure that the right permissions are checked: User.ReadBasic.All. Use the search box if necessary.
- Select the Add permissions button.
[!div class="sxs-lookup" renderon="portal"]
For the code sample in this quickstart to work:
- Add a reply URL as
http://localhost:5000/getAToken.- Create a Client Secret.
- Add Microsoft Graph API's User.ReadBasic.All delegated permission.
[!div renderon="portal" id="makechanges" class="nextstepaction"] Make these changes for me [!div id="appconfigured" class="alert alert-info"]
Your application is configured with this attribute
[!div renderon="docs"] Download the Code Sample
[!div class="sxs-lookup" renderon="portal"] Download the project and extract the zip file to a local folder closer to the root folder - for example, C:\Azure-Samples [!div class="sxs-lookup" renderon="portal" id="autoupdate" class="nextstepaction"] Download the code sample
[!div class="sxs-lookup" renderon="portal"]
[!NOTE]
Enter_the_Supported_Account_Info_Here
[!div renderon="docs"]
- Extract the zip file to a local folder closer to the root folder - for example, C:\Azure-Samples
- If you use an integrated development environment, open the sample in your favorite IDE (optional).
- Open the app_config.py file, which can be found in the root folder and replace with the following code snippet:
CLIENT_ID = "Enter_the_Application_Id_here" CLIENT_SECRET = "Enter_the_Client_Secret_Here" AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"Where:
Enter_the_Application_Id_here- is the Application Id for the application you registered.Enter_the_Client_Secret_Here- is the Client Secret you created in Certificates & Secrets for the application you registered.Enter_the_Tenant_Name_Here- is the Directory (tenant) ID value of the application you registered.
[!div class="sxs-lookup" renderon="portal"]
[!div renderon="docs"]
-
You will need to install MSAL Python library, Flask framework, Flask-Sessions for server-side session management and requests using pip as follows:
pip install -r requirements.txt
-
Run app.py from shell or command line:
python app.py
[!IMPORTANT] This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see these instructions.
MSAL is the library used to sign in users and request tokens used to access an API protected by the Microsoft identity Platform. You can add MSAL Python to your application using Pip.
pip install msalYou can add the reference to MSAL Python by adding the following code to the top of the file where you will be using MSAL:
import msal[!INCLUDE Help and support]
Learn more about web apps that sign in users in our multi-part scenario series.
[!div class="nextstepaction"] Scenario: Web app that signs in users