Acquire Azure AD token with username & password using python MSAL

Question

Acquire Azure AD token with username & password using python MSAL

Mohammed Sohail 66

Getting Error
ValueError: Unsupported soap action: None. Contact your administrator to check your ADFS's MEX settings. when trying to acquire token from Azure Active Directory using MSAL

The following is the snippet used to get token

client_id='xxxxx10e6-xxx-456d-xxx-xxxxae7e60xxx'
scope = ['https://graph.microsoft.com/.default']
authority_url = 'https://login.microsoftonline.com/' + tenant_id

import msal
app = msal.ConfidentialClientApplication(client_id=client_id,authority=authority_url)
msal_token = app.acquire_token_by_username_password(username='xxxxxx@xxxxxx .com',password='xxxxxxxx', scopes=scope)
print(msal_token)

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-10T03:21:31.667+00:00

Hi @Mohammed Sohail ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta

Accepted answer

0 additional answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-10T03:21:31.667+00:00

Hi @Mohammed Sohail ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Mohammed Sohail ,

Thanks for reaching out.

I understand you are trying to get access token through Resource Owner Password Credential (ROPC) flow using Confidential client application class but getting the error.

I have never come across this error before. Are you migrating your application from ADAL to MSAL?

But based on the snippet you mentioned, you are using confident client with ROPC flow which is technically supported but not by any of the official SDK's.

If you wish to use the confidential client, then it must be included the client_secret which is missing in above snippet and scope should be passed as space separated list of permissions.

Sample code using public client application with ROPC flow: https://github.com/Azure-Samples/ms-identity-python-desktop/blob/master/1-Call-MsGraph-WithUsernamePassword/username_password_sample.py

ROPC flow with required parameters: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc#authorization-request

Hope this will help.

Thanks,
Shweta

-----------------------------------

Please remember to "Accept Answer" if answer helped you.

Mohammed Sohail 66 Reputation points

2022-11-01T09:13:30.43+00:00

Hi @Shweta Mathur

Thanks for your reply and I appreciate your time

Logically the sample is similar to the code which i have written, But I still tried the following as well and getting same error
Sample code using public client application with ROPC flow: https://github.com/Azure-Samples/ms-identity-python-desktop/blob/master/1-Call-MsGraph-WithUsernamePassword/username_password_sample.py

It seems like Active Directory Federation Service is blocking to Authenticate not sure how to Enable those settings of MEX in ADFS or at least if there is something which can bypass the Redirection to ADFS and get token.

Just for your Information I have tried acquiring of Access Token using SPN with both ADAL & MSAL libraries, that worked for me, As trying with user identity unable to do so and getting ADFS error and somewhere in Microsoft documentation I have read that MSAL is recommended to use instead of ADAL.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-02T11:44:26.043+00:00

From the above error, it seems authentication request is going to ADFS Server, do you have access to ADFS server to check whether MEX endpoint is enabled or not ?

Is it possible to use another account where authentication is managed within Azure AD ?

Also if you have access to ADFS environment, you can run this command to check what endpoints are enabled
Get-AdfsEndpoint | ft -AutoSize

AD FS provides various endpoints for different functionalities and scenarios. Not all endpoints are enabled by default. To check if a particular endpoint is enabled / disabled:

Log-in to the AD FS server
Open AD FS Management
In the left navigation pane, select Service > Endpoints

Thanks,
Shweta
Mohammed Sohail 66 Reputation points

2022-11-05T07:08:02.583+00:00

Thanks much @Shweta Mathur .This Makes sense for me, However I have tried to Authenticate with Azure AD which is not connected to OnPrem AD and that worked for me using MSAL. But just curious to know is there any possibility to Bypass ADFS and get token from Azure AD directly
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-08T06:11:36.043+00:00

To bypass ADFS, we need to understand how authentication is configured in your environment, just for one or few accounts its not feasible, bypassing ADFS needs lot of decision making in terms of authentication.

Refer to this https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn which helps understanding kind of authentication method to choose whether federated/managed depending on organization requirements.
What is federation - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Refer to these videos for more information related to authentication with ADFS/Azure AD -
https://www.youtube.com/watch?v=--KiPF5_ZSo
https://www.youtube.com/watch?v=CjarTgjKcX8

Thanks,
Shweta

---------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Share via

Acquire Azure AD token with username & password using python MSAL

0 additional answers

Your answer