Outlook Python Azure/MSgraph API get access token error possible admin problem using work account login for link

Nicolas Calder 0 Reputation points
2024-11-29T03:28:18.97+00:00

Hello i am following a tutorial on outlook python api automation and which the original code works using authority='https://login.microsoftonline.com/consumers/' but our situation is my mom is the boss of the company i work for (so i also have full access on her behalf for her logins along with mine) and her account must be the main overall admin user and underneath if i understand correctly is me and the other employees correct me if i'm wrong and i believe it's a work account, i also believe using the tenant id (actual id in replace of tenantid) like authority='https://login.microsoftonline.com/{tenant id}/' worked at first but then kept giving the error 

PS C:\Users\Nicolas\tutorial-outlook-api-crash-course> & c:/Users/Nicolas/tutorial-outlook-api-crash-course/Scripts/python.exe "c:/Users/Nicolas/tutorial-outlook-api-crash-course/ms_graph ((3 gpt))original - Copy added main.py"

APPLICATION_ID: hidden

CLIENT_SECRET: hidden

Attempting to get access token...

Error: Failed to acquire access token: {'error': 'invalid_grant', 'error_description': "AADSTS65001: The user or administrator has not consented to use the application with ID 'hidden' named 'azure app for api python'. Send an interactive authorization request for this user and resource. Trace ID: hidden Correlation ID: hidden Timestamp: 2024-11-29 02:49:38Z", 'error_codes': [65001], 'timestamp': '2024-11-29 02:49:38Z', 'trace_id': 'hidden', 'correlation_id': 'hidden', 'suberror': 'consent_required'}

PS C:\Users\Nicolas\tutorial-outlook-api-crash-course> 

Here is the full code 

import os

import webbrowser

import msal

from dotenv import load_dotenv

MS_GRAPH_BASE_URL = 'https://graph.microsoft.com/v1.0'

def get_access_token(application_id, client_secret, scopes):

    client = msal.ConfidentialClientApplication(

        client_id=application_id,

        client_credential=client_secret,

        authority='https://login.microsoftonline.com/(hidden-tenantID#usedhere)'

    )

    # Check if there is a refresh token stored

    refresh_token = None

    if os.path.exists('refresh_token.txt'):

        with open('refresh_token.txt', 'r') as file:

            refresh_token = file.read().strip()

    if refresh_token:

        # Try to acquire a new access token using the refresh token

        token_response = client.acquire_token_by_refresh_token(refresh_token, scopes=scopes)

    else:

        # No refresh token, proceed with the authorization code flow

        auth_request_url = client.get_authorization_request_url(scopes)

        webbrowser.open(auth_request_url)

        authorization_code = input('Enter the authorization code: ')

        if not authorization_code:

            raise ValueError("Authorization code is empty")

        token_response = client.acquire_token_by_authorization_code(

            code=authorization_code,

            scopes=scopes

        )

    if 'access_token' in token_response:

        # Store the refresh token securely

        if 'refresh_token' in token_response:

            with open('refresh_token.txt', 'w') as file:

                file.write(token_response['refresh_token'])

        return token_response['access_token']

    else:

        raise Exception('Failed to acquire access token: ' + str(token_response))

def main():

    load_dotenv()

   

    # Check if the environment variables are loaded correctly

    APPLICATION_ID = os.getenv('APPLICATION_ID')

    CLIENT_SECRET = os.getenv('CLIENT_SECRET')

    print(f"APPLICATION_ID: {APPLICATION_ID}")  # Debug: Check if environment variable loaded correctly

    print(f"CLIENT_SECRET: {CLIENT_SECRET}")  # Debug: Check if environment variable loaded correctly

   

    SCOPES = ['User.Read', 'Mail.ReadWrite', 'Mail.Send']

add print for scopes

    try:

        print("Attempting to get access token...")  # Debug

        access_token = get_access_token(application_id=APPLICATION_ID, client_secret=CLIENT_SECRET, scopes=SCOPES)

        print(f"Access Token: {access_token}")  # Debug to show if token was retrieved

        headers = {

            'Authorization' : 'Bearer ' + access_token

        }

        print(f"Headers: {headers}")  # Debug to show headers

    except Exception as e:

        print(f'Error: {e}')

   

if name == "main":

    main()

other steps i took 

I tried redoing the whole thing and the initial setup which is creating a python venv and azure app registration for client secret and application id variables in that venv using my moms (bosses) azure account 

from my moms account from azure which could be irrelevant as im still receiving the same error and not familiar with azure were (and which required me to activate my p2 subscription pls let me know if this is necessary)  were going into roles and admins> admin units and created an admin unit and also added myself as a user administrator inside that admin unit under that created admin user> roles and administrators> user administrator, i also tried adding API permissions like mail.readwrite and , male.send but msgraph not listed as available option where i looked and both of these other steps of which are only attempts at resolving and not sure are even irrelevant to my code / its error 

Outlook
Outlook
A family of Microsoft email and calendar products.
4,128 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,456 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,000 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. CarlZhao-MSFT 43,011 Reputation points
    2024-11-29T06:23:51.3433333+00:00

    Hi @Nicolas Calder

    This is because the above permissions have not been granted admin consent.

    Log in to MS Entra ID as a global admin > App registrations > find your app > API permissions > Grant admin consent for xxxxxx.

    Screenshot 2024-11-29 141956

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Nicolas Calder 0 Reputation points
    2024-12-03T02:58:53.03+00:00

    0

    I believe i ended up having a mistyped redirect url on the azure application side of things, i also first went to developer.microsoft ms graphs graph explorer and enabled consent for permissions there, but that was one of many steps i took so i dont know exactly what before or after that was involved although those were the last things i did in that order

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.