Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,673 questions
How to Authenticate from External Python Script with Azure AD (OAuth Flow for App Service)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 1%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKJ%3C/text%3E%3C/svg%3E)
Kim JaeYoung (VM/ETO3)
0
Reputation points
Hello, I am trying to access an internal API that is protected by Azure App Service Authentication . I understand that it uses Microsoft OAuth 2.0 flow and issues an "x-ms-token" when accessed through the browser. However, I would like to access this API using an external Python script. Since public client flows are not allowed in our tenant ("Public Client Flows = No"), flows like device code or ROPC are not available. I tried using the client credentials flow, but the x-ms-token is not included in the response. Could you please advise how to correctly authenticate from an external (non-browser) Python application when the API is protected by Azure App Service OAuth? Is there a recommended OAuth flow or configuration for this use case?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 15%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
Bhargavi Naragani 3,085 Reputation points Microsoft External Staff2025-04-14T07:39:05.5266667+00:00 To access an internal API protected by Azure App Service Authentication from an external Python script, the best approach is especially since your tenant doesn’t allow public client flows need to use the OAuth 2.0 client credentials flow. This flow is designed for apps that run without a user (like scripts or background services).
Here’s how it works:
- Make sure your app is registered properly and has the necessary API permissions granted. You’ll need the client ID and client secret for authentication.
- Use the client credentials flow to get an access token: This token represents your app and is what you'll use to prove your identity when calling the API. You can use Microsoft’s MSAL (Microsoft Authentication Library) for Python to do this easily.
- Send the token with your API request: Once you get the token, include it in your HTTP request using the
Authorizationheader like this:Authorization: Bearer <access_token> - That
x-ms-tokenyou’re used to seeing in browser sessions is something Azure App Service Authentication adds when a user signs in through the web. Since you’re using app-to-app communication via the client credentials flow, you won’t see or need that header. Instead, your script just uses the Bearer token. - Make sure the API is set up to accept your token: Double-check that your API is configured to trust tokens issued to your client app. If you’re still using Easy Auth (App Service Authentication), you might need to either:
- Disable it and handle token validation in your app code, or
- Configure it to allow Bearer tokens from trusted clients.
Refer to the below documentations for better understanding:
Microsoft identity platform and the OAuth 2.0 client credentials flowAuthentication flow support in the Microsoft Authentication Library (MSAL)
Concepts - Using Python to acquire an access token. | Microsoft Learn
Hope this helps, please let us know if you have any further queries.
-
Bhargavi Naragani 3,085 Reputation points Microsoft External Staff
2025-04-15T05:53:09.92+00:00 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
Sign in to answer