I'm trying to use python to download an excel file that is hosted in a sharepoint which is part of the Microsoft Azure platform. The sharepoint is password protected, and I have an account and a password which I can use to login in via my browser,
In order to authenticate with a python script I followed the method suggested in: Sharepoint authentication with python. Which uses the O365 rest python client library and goes as follows:
from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext
url = 'https://organization.sharepoint.com/sites/something/somepage.aspx'
username = '[email protected]'
password = 'fakepass'
ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
ctx = ClientContext(url, ctx_auth)
else:
print(ctx_auth.get_last_error())
But I'm getting an error message back:
An error occurred while retrieving token: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you
must use multi-factor authentication to access ''.
I do connect to this account from multiple devices (browser), and just once I was required to use MFA to log in (SMS message). Is there a way to get around this? Note that I'm not the admin of the system.
The error message is pretty intuitive, user credentials auth is not supported when Multi-Factor Authentication (MFA) enabled.
To circumvent this error, SharePoint App-Only flow could be utilized instead (supported by Office365-REST-Python-Client
library).
Setting up an app-only principal with tenant permissions section describes how to configure it, to summarize it consist of two steps:
Once app principal is created and consented, it could be utilized to access SharePoint resource as demonstrated below:
from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.client_credential import ClientCredential
site_url = 'https://contoso.sharepoint.com/'
app_principal = {
'client_id': '--client-id-goes-here--',
'client_secret': '--client-secret-goes-here--',
}
credentials = ClientCredential(app_principal['client_id'], app_principal['client_secret'])
ctx = ClientContext(url).with_credentials(credentials)
web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))
Here is an instruction on how to configure SharePoint App-Only flow:
Note: app principal registration operation(steps
1
through5
) needs to be performed once per tenant. Although the operation for granting permissions ( steps6-9
) could be applied either per tenant or site collection:
- permissions granted per site collection and requires a site collection administrator (in the provided instruction the permissions are granter per site collection)
- If you prefer to grant permissions on tenant level, visit tenant administration site instead, the URL must include
-admin
to access
the tenant administration site, for example,https://{tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx
. That operation requires a tenant administrator permissions
Steps:
appregnew.aspx
page in your SharePoint Online site. For example, https://{tenant}.sharepoint.com/_layouts/15/appregnew.aspx
.Python console
. Under App Domain, specify localhost
. Under Redirect URI, specify https://localhost
.Note: Sometimes, if you specify a actual domain, e.g.
sharepoint.com
domain in the App Domain and Redirect URI fields, instead oflocalhost
, the error messageAn unexpected error has occurred
might encounter. Check theappregnew.aspx
page and make sure both fields include the properlocalhost
URI.
Click Create.
Go to the appinv.aspx
page on the site collection. For example, https://example.sharepoint.com/_layouts/15/appinv.aspx
to grant site-scoped permissions.
Specify your client ID in the App Id field and click Lookup to find your app. To grant permissions to the app, copy the XML below to the App’s permission request XML field:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
Note: For tenant level scope, permission request XML looks as follows:
<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With