Can run a query in Graph Explorer but not in Python (with msgraph)

Cha Suaysom 0 Reputation points Microsoft Employee
2024-09-30T18:48:02.4733333+00:00

I can run the following query in Graph Explorer

https://graph.microsoft.com/v1.0/sites/546b0d08-4866-40fb-aa62-874af1bdeb54/pages

User's image

and in Python with


from msgraph.graph_service_client import GraphServiceClient
import asyncio
from azure.identity import AzureCliCredential, ChainedTokenCredential, ManagedIdentityCredential

managed_identity = ManagedIdentityCredential()
azure_cli = AzureCliCredential()
credentials = ChainedTokenCredential(managed_identity, azure_cli)
credentials = azure_cli

scopes = ['https://graph.microsoft.com/.default']
graph_client = GraphServiceClient(credentials, scopes)

MAIDAP_site_ID = '546b0d08-4866-40fb-aa62-874af1bdeb54'

async def get_site(site_id):
    result = await graph_client.sites.by_site_id(site_id).get()
    if result:
        print(result)
    return result

#This function run without permission issue

result_site = asyncio.run(get_site(MAIDAP_site_ID))
print(result_site)

which gives

User's image

and that matches.

However, when running the following

https://graph.microsoft.com/v1.0/drives/b!CA1rVGZI-0CqYodK8b3rVM5NUPNuUDJBpF7SvBc5DZjZWxbIVPQ3SLHSrH4Y9T7E/items/01IXQQTLJO2NMT6LQSRJEKXVGXSZCXF4PM/children

User's image

and get the correct results, however, when run in python with

from msgraph.graph_service_client import GraphServiceClientimport asynciofrom azure.identity import AzureCliCredential, ChainedTokenCredential, ManagedIdentityCredential


managed_identity = ManagedIdentityCredential()
azure_cli = AzureCliCredential()
credentials = ChainedTokenCredential(managed_identity, azure_cli)
credentials = azure_cli

scopes = ['https://graph.microsoft.com/.default']

graph_client = GraphServiceClient(credentials, scopes)

managed_identity = ManagedIdentityCredential()
azure_cli = AzureCliCredential()
credentials = ChainedTokenCredential(managed_identity, azure_cli)
credentials = azure_cli

scopes = ['https://graph.microsoft.com/.default']

Document_drive_ID = 'b!CA1rVGZI-0CqYodK8b3rVM5NUPNuUDJBpF7SvBc5DZjZWxbIVPQ3SLHSrH4Y9T7E'
Folder_item_ID = '01IXQQTLJO2NMT6LQSRJEKXVGXSZCXF4PM'


async def get_drive_item_children(drive_id, drive_item_id):
    result = await graph_client.drives.by_drive_id(drive_id).items.by_drive_item_id(drive_item_id).children.get()
    if result:
        print(result)
    return result

#This function gives us permission error

result_children = asyncio.run(get_drive_item_children(Document_drive_ID,Folder_item_ID))
print(result_children)


shown as follow

so I do have a permission in Graph Explorer, but not in Python for this query. Just wondering what's the best way to fix this issue?

User's image

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,995 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Danstan Onyango 3,821 Reputation points Microsoft Employee
    2024-10-01T07:34:24.7033333+00:00

    The query in Graph Explorer might be similar to the python script you have but there is one thing that is very different. The Graph Explorer call is made on your behalf using Delegated permissions while the python script is using Application permissions due to 'https://graph.microsoft.com/.default' scope.

    To mitigate, decide whether the python script should use delegated permissions the follow the guide here.

    If you should be using the application as it seems you should, see that the relevant application in the client initialization for example https://graph.microsoft.com/Files.Read.All to allow reading as a confidential client or Grant the necessary application permissions to the service principal of the managed identity or Azure CLI.

    0 comments No comments

  2. CarlZhao-MSFT 41,941 Reputation points
    2024-10-02T11:48:18.5666667+00:00

    Hi @Cha Suaysom

    The delegated permissions you grant in the Graph Explorer app do not sync to the app you are using in Python.

    Additionally, I noticed that you are using the client credentials flow in Python, which only applies to application permissions. Therefore, you need to grant the corresponding application permissions for the app you are using in Python.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.