Quickstart: Sign in users and call the Microsoft Graph API from a Python web app

In this quickstart, you download and run a code sample that demonstrates how a Python web application can sign in users and call the Microsoft Graph API. Users with a personal Microsoft Account or an account in any Microsoft Entra organization can sign into the application.

The following diagram displays how the sample app works:

Diagram that shows how the sample app generated by this quickstart works.

  1. The application uses the identity package to obtain an access token from the Microsoft identity platform.
  2. The access token is used as a bearer token to authenticate the user when calling the Microsoft Graph API.


Step 1: Register your application


Steps in this article might vary slightly based on the portal you start from.

Follow these steps to register your application in the Microsoft Entra admin center:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
  3. Browse to Identity > Applications > App registrations and select New registration.
  4. Enter a Name for your application, for example python-webapp.
  5. Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.
  6. Under Redirect URIs, select Web for the platform.
  7. Enter a redirect URI of http://localhost:5000/getAToken. This can be changed later.
  8. Select Register.

Step 2: Add a client secret

  1. On the app Overview page, note the Application (client) ID value for later use.
  2. Under Manage, select Certificates & secrets, and from the Client secrets section, select New client secret.
  3. Enter a description for the client secret, leave the default expiration, and select Add.
  4. Save the Value of the Client Secret in a safe location. You'll need it to configure the code, and you can't retrieve it later.

Step 3: Add a scope

  1. Under Manage, select API permissions > Add a permission.
  2. Ensure that the Microsoft APIs tab is selected.
  3. From the Commonly used Microsoft APIs section, select Microsoft Graph.
  4. From the Delegated permissions section, ensure that User.ReadBasic.All is selected. Use the search box if necessary.
  5. Select Add permissions.

Step 4: Download the sample app

Download the Python code sample or clone the repository:

    git clone https://github.com/Azure-Samples/ms-identity-python-webapp.git

You can also use an integrated development environment to open the folder.

Step 5: Configure the sample app

  1. Go to the application folder.

  2. Create an .env file in the root folder of the project using .env.sample as a guide.

    CLIENT_ID=<client id>
    CLIENT_SECRET=<client secret>
    # The AUTHORITY variable expects a full authority URL.
    # If you are using an AAD tenant, configure it as
    # "https://login.microsoftonline.com/TENANT_GUID"
    # or "https://login.microsoftonline.com/subdomain.onmicrosoft.com".
    # If you are using a CIAM tenant, configure it as "https://subdomain.ciamlogin.com"
    # Alternatively, leave it undefined if you are building a multi-tenant app in world-wide cloud
    #AUTHORITY=<authority url>
    • Set the value of CLIENT_ID to the Application (client) ID for the registered application, available on the overview page.
    • Set the value of CLIENT_SECRET to the client secret you created in Certificates & Secrets for the registered application.
    • Set the value of AUTHORITY to a URL that includes the Directory (tenant) ID of the registered application. That ID is also available on the overview page.

    The environment variables are referenced in app_config.py, and are kept in a separate .env file to keep them out of source control. The provided .gitignore file prevents the .env file from being checked in.
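A pre-flight check for the .env values described in this step, as an added example that is not part of the sample repository: it parses the file, confirms the placeholders were replaced, and checks AUTHORITY against the forms listed in the .env.sample comments. The function names and sample values are constructed for illustration; an authority outside the listed forms is flagged for review rather than treated as invalid.

```python
import re
from urllib.parse import urlparse
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def parse_env(text):
    """Parse KEY=VALUE lines; '#' lines are comments, so '#AUTHORITY=' stays undefined."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
    return env

def check_authority(url):
    """Return a problem string, or None when the URL matches a form from .env.sample."""
    parts = urlparse(url)
    host, tenant = (parts.hostname or "").lower(), parts.path.strip("/")
    if parts.scheme != "https":
        return "AUTHORITY must be an https URL"
    # Accepted: login.microsoftonline.com/<tenant> or <subdomain>.ciamlogin.com
    if (host == "login.microsoftonline.com" and tenant) or host.endswith(".ciamlogin.com"):
        return None
    return "AUTHORITY is not a form listed in .env.sample; verify it is intended"

def check_env(text):
    """Return a list of problems found in the .env content (empty list means OK)."""
    env, problems = parse_env(text), []
    if not GUID.match(env.get("CLIENT_ID", "")):
        problems.append("CLIENT_ID is not a GUID; copy the Application (client) ID")
    secret = env.get("CLIENT_SECRET", "")
    if not secret or secret.startswith("<"):
        problems.append("CLIENT_SECRET is empty or still a placeholder")
    # AUTHORITY is optional: undefined means multi-tenant in the world-wide cloud.
    if "AUTHORITY" in env and (problem := check_authority(env["AUTHORITY"])):
        problems.append(problem)
    return problems

# Constructed sample values, not real credentials.
GOOD = """CLIENT_ID=11111111-2222-3333-4444-555555555555
CLIENT_SECRET=constructed-secret-value
AUTHORITY=https://login.microsoftonline.com/contoso.onmicrosoft.com
"""
BAD = """CLIENT_ID=<client id>
CLIENT_SECRET=<client secret>
AUTHORITY=http://login.microsoftonline.com/common
"""

if __name__ == "__main__":
    print(check_env(GOOD), check_env(BAD))
```
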

Step 6: Run the sample app

  1. Create a virtual environment for the app:

    py -m venv .venv
  2. Install the requirements using pip:

    python3 -m pip install -r requirements.txt
  3. Run the app from the command line, specifying the host and port to match the redirect URI:

    python3 -m flask run --debug --host=localhost --port=5000


    This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application a production application. For more information on how to use a certificate, see these instructions.

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

Learn more by building an ASP.NET Core web app that signs in users in the following multi-part tutorial series: