Updating samples to call MS graph

sample/confidential_client_certificate_sample.py

@@ -2,16 +2,25 @@
 The configuration file would look like this (sans those // comments):
 
 {
-    "authority": "https://login.microsoftonline.com/organizations",
+    "authority": "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here",
     "client_id": "your_client_id",
     "scope": ["https://graph.microsoft.com/.default"],
-        // For more information about scopes for an app, refer:
-        // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate"
+        // Specific to Client Credentials Grant i.e. acquire_token_for_client(),
+        // you don't specify, in the code, the individual scopes you want to access.
+        // Instead, you statically declared them when registering your application.
+        // Therefore the only possible scope is "resource/.default"
+        // (here "https://graph.microsoft.com/.default")
+        // which means "the static permissions defined in the application".
 
     "thumbprint": "790E... The thumbprint generated by AAD when you upload your public cert",
-    "private_key_file": "filename.pem"
+    "private_key_file": "filename.pem",
         // For information about generating thumbprint and private key file, refer:
         // https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Client-Credentials#client-credentials-with-certificate
+
+    "endpoint": "https://graph.microsoft.com/v1.0/users"
+        // For this resource to work, you need to visit Application Permissions
+        // page in portal, declare scope User.Read.All, which needs admin consent
+        // https://github.com/Azure-Samples/ms-identity-python-daemon/blob/master/2-Call-MsGraph-WithCertificate/README.md
 }
 
 You can then run this sample with a JSON configuration file:
@@ -23,6 +32,7 @@
 import json
 import logging
 
+import requests
 import msal
 
 
@@ -53,10 +63,11 @@
     result = app.acquire_token_for_client(scopes=config["scope"])
 
 if "access_token" in result:
-    print(result["access_token"])
-    print(result["token_type"])
-    print(result["expires_in"])  # You don't normally need to care about this.
-                                 # It will be good for at least 5 minutes.
+    # Calling graph using the access token
+    graph_data = requests.get(  # Use token to call downstream service
+        config["endpoint"],
+        headers={'Authorization': 'Bearer ' + result['access_token']},).json()
+    print("Graph API call result: " + str(graph_data))
 else:
     print(result.get("error"))
     print(result.get("error_description"))

sample/confidential_client_secret_sample.py

@@ -2,16 +2,24 @@
 The configuration file would look like this (sans those // comments):
 
 {
-    "authority": "https://login.microsoftonline.com/organizations",
+    "authority": "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here",
     "client_id": "your_client_id",
     "scope": ["https://graph.microsoft.com/.default"],
-        // For more information about scopes for an app, refer:
-        // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate"
-
-    "secret": "The secret generated by AAD during your confidential app registration"
+        // Specific to Client Credentials Grant i.e. acquire_token_for_client(),
+        // you don't specify, in the code, the individual scopes you want to access.
+        // Instead, you statically declared them when registering your application.
+        // Therefore the only possible scope is "resource/.default"
+        // (here "https://graph.microsoft.com/.default")
+        // which means "the static permissions defined in the application".
+
+    "secret": "The secret generated by AAD during your confidential app registration",
         // For information about generating client secret, refer:
         // https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Client-Credentials#registering-client-secrets-using-the-application-registration-portal
 
+    "endpoint": "https://graph.microsoft.com/v1.0/users"
+        // For this resource to work, you need to visit Application Permissions
+        // page in portal, declare scope User.Read.All, which needs admin consent
+        // https://github.com/Azure-Samples/ms-identity-python-daemon/blob/master/1-Call-MsGraph-WithSecret/README.md
 }
 
 You can then run this sample with a JSON configuration file:
@@ -23,6 +31,7 @@
 import json
 import logging
 
+import requests
 import msal
 
 
@@ -53,10 +62,12 @@
     result = app.acquire_token_for_client(scopes=config["scope"])
 
 if "access_token" in result:
-    print(result["access_token"])
-    print(result["token_type"])
-    print(result["expires_in"])  # You don't normally need to care about this.
-                                 # It will be good for at least 5 minutes.
+    # Calling graph using the access token
+    graph_data = requests.get(  # Use token to call downstream service
+        config["endpoint"],
+        headers={'Authorization': 'Bearer ' + result['access_token']},).json()
+    print("Graph API call result: " + str(graph_data))
+
 else:
     print(result.get("error"))
     print(result.get("error_description"))