Azure sharepoint multi-factor authentication with python

Question

I'm trying to use python to download an excel file that is hosted in a sharepoint which is part of the Microsoft Azure platform. The sharepoint is password protected, and I have an account and a password which I can use to login in via my browser,

In order to authenticate with a python script I followed the method suggested in: Sharepoint authentication with python. Which uses the O365 rest python client library and goes as follows:

from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext


url = 'https://organization.sharepoint.com/sites/something/somepage.aspx'
username = '[email protected]'
password = 'fakepass'

ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
    ctx = ClientContext(url, ctx_auth)

else:
    print(ctx_auth.get_last_error())

But I'm getting an error message back:

An error occurred while retrieving token: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you
must use multi-factor authentication to access ''.

I do connect to this account from multiple devices (browser), and just once I was required to use MFA to log in (SMS message). Is there a way to get around this? Note that I'm not the admin of the system.

Answer 1

The error message is pretty intuitive, user credentials auth is not supported when Multi-Factor Authentication (MFA) enabled.

To circumvent this error, SharePoint App-Only flow could be utilized instead (supported by Office365-REST-Python-Client library).

Setting up an app-only principal with tenant permissions section describes how to configure it, to summarize it consist of two steps:

1. register App principal (think of it as a "service account")
2. grant a permissions

Once app principal is created and consented, it could be utilized to access SharePoint resource as demonstrated below:

from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.client_credential import ClientCredential

site_url = 'https://contoso.sharepoint.com/'
app_principal = {
    'client_id': '--client-id-goes-here--',
    'client_secret': '--client-secret-goes-here--',
}

credentials = ClientCredential(app_principal['client_id'], app_principal['client_secret'])
ctx = ClientContext(url).with_credentials(credentials)

web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))

---

Here is an instruction on how to configure SharePoint App-Only flow:

Note: app principal registration operation(steps 1 through 5) needs to be performed once per tenant. Although the operation for granting permissions ( steps 6-9) could be applied either per tenant or site collection:

• permissions granted per site collection and requires a site collection administrator (in the provided instruction the permissions are granter per site collection)
• If you prefer to grant permissions on tenant level, visit tenant administration site instead, the URL must include -admin to access
  the tenant administration site, for example,
  https://{tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx. That operation requires a tenant administrator permissions

Steps:

1. Go to the appregnew.aspx page in your SharePoint Online site. For example, https://{tenant}.sharepoint.com/_layouts/15/appregnew.aspx.
2. On this page, click the Generate buttons next to the Client ID and Client Secret fields to generate their values.
3. Store the client ID and client secret securely as these credentials can be used to read or update all data in your SharePoint Online environment. You will also use them to configure the SharePoint Online connection in application.
4. Under Title, specify a title. For example, Python console. Under App Domain, specify localhost. Under Redirect URI, specify https://localhost.

Note: Sometimes, if you specify a actual domain, e.g. sharepoint.com domain in the App Domain and Redirect URI fields, instead of localhost, the error message An unexpected error has occurred might encounter. Check the appregnew.aspx page and make sure both fields include the proper localhost URI.

5. Click Create.

6. Go to the appinv.aspx page on the site collection. For example, https://example.sharepoint.com/_layouts/15/appinv.aspx to grant site-scoped permissions.

7. Specify your client ID in the App Id field and click Lookup to find your app. To grant permissions to the app, copy the XML below to the App’s permission request XML field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Note: For tenant level scope, permission request XML looks as follows:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

8. Click Create.
9. On the confirmation dialog, click Trust It to grant the permissions.