This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
There are two types of client credentials in MSAL Python:
During the registration of a confidential client application with Microsoft Entra ID, a client secret is generated (a kind of application password).
The management of client credentials happens in the certificates & secrets page for an application:
In MSAL Python client credentials are similar to what they are in ADAL Python, except that the client credentials are passed as a parameter at the application construction. In this case client secret is passed as an parameter. Then, once the confidential client application is constructed, acquire_token_for_client is called with scope as parameter.
When the application is registered with Microsoft Entra ID, it uploads the public key of a certificate. At application construction, thumbprint and private_key_file is passed as the client credential. When it wants to acquire a token, the client application will need to call the acquire_token_for_client method by passing the scope as parameter.
Steps to generate certificate and private key to be used when implementing the client credential flow are as follows:
Generate a key:
openssl genrsa -out server.pem 2048
Create a certificate request:
openssl req -new -key server.pem -out server.csr
Generate a certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
You will have to upload this certificate (server.crt) on Azure Portal in your application settings. Once you save this certificate, the portal will give you the thumbprint of this certificate which is needed in the acquire token call. The key will be the server.pem key you generated in the first step.
Now you can create the credential for the client credential flow using certificate in MSAL Python as follows:
client_credential = {
"thumbprint": <thumbprint of cert file>,
"private_key": <private key from the private_key_file>
}
Training
Module
Manage secrets in your server apps with Azure Key Vault - Training
Learn how to create an Azure Key Vault to store secret values and how to enable secure access to the vault.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Documentation
Acquire tokens for your app - Microsoft Authentication Library for Python
Learn how to acquire tokens for your Python application. You can acquire tokens silently or interactively through a web browser.
Get started with the Microsoft Authentication Library for Python to sign in users or apps with Microsoft identities."
You've seen that with MSAL Python you can quite simply acquire a token for a protected Web API. You also don't have to handle refreshing tokens yourself. However, to build robust, enterprise ready applications, you will need to do a bit more.