1

I want to have access to a specific work user's OneDrive. I could register an application in Azure AD and assign one of two types of permission (delegated or application).
Based on the Microsoft documentation, if I register an app with application-level access it could have access to all users' drives, and based on this question on Stack Overflow there is no way to limit this access to a specific drive. So I ignored this approach.
On the other hand, based on the Microsoft documentation, if I want to assign delegated permissions to the defined app I have to manually approve the access list on the consent page. This is not desired for me as I'm looking for a code-based solution which runs behind the scenes on a regular basis.

Is there any solution by which I could access a specific OneDrive from Python code?

Amir Maleki
  • If you want to connect to only one user's OneDrive, you can use the [ROPC flow](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc), which can work in your scenario. But this is not recommended by Microsoft because of security concerns. – Shiva Keshav Varma Jan 29 '21 at 15:54
  • Did it help you, Amir? – Shiva Keshav Varma Jan 30 '21 at 17:33
  • The issue is this solution will block multi-factor authentication required users. The current users that I'm working with are using MFA so I need to try this solution with a newly defined user. I will try and see how it works. – Amir Maleki Feb 01 '21 at 02:21
  • @ShivaKeshavVarma, I used the ROPC, and seems ok for my problem. I found a more detailed answer in this question: https://stackoverflow.com/questions/42624144/ms-graph-authentication-using-python – Amir Maleki Feb 01 '21 at 06:48
  • Glad that it worked for you @Amir, is it ok if I answer this in the answer box? – Shiva Keshav Varma Feb 01 '21 at 08:36

2 Answers

0

One of the good recommendations can be to use Graph API for OneDrive.

For example, one of the use cases can be to get the current user's OneDrive:

The signed-in user's drive (when using delegated authentication) can be accessed from the `me` singleton.

If a user's OneDrive is not provisioned but the user has a license to use OneDrive, this request will automatically provision the user's drive, when using delegated authentication.

HTTP request:

GET /me/drive

Resources that will help you to call Graph API from Python:

https://github.com/microsoftgraph/python-security-rest-sample

Edit:


Further, I have found a way in which you can disable user consent.

To configure user consent settings through the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
  3. Under User consent for applications, select Do not allow User Consent.
  4. Select Save to save your settings.

If you want consent permissions other than this, you can design your own Consent.

Harshita Singh
  • As I mentioned, I have already tested this approach and the issue is that I have to manually approve the access to OneDrive. You can find this in the 'Get Admin consent to view Security data' section of your link. I'm looking for a solution where I can run the code on a regular basis without having to approve access manually. – Amir Maleki Jan 30 '21 at 04:51
  • Hey, you did not mention the same link. Let me find appropriate details – Harshita Singh Jan 30 '21 at 05:18
  • I didn't mention the same link but I did mention in the 2nd paragraph that I tried this solution and it's not working for me. Anyway, thanks for your time – Amir Maleki Feb 01 '21 at 02:22
  • Check updated response. Let me know if it answers your question. – Harshita Singh Feb 01 '21 at 07:40
  • This is a Microsoft recommended way. – Harshita Singh Feb 02 '21 at 14:32
0

If you want to connect to only one user's OneDrive, you can use the ROPC flow, which can work in your scenario. But this is not recommended by Microsoft because of security concerns. And yes, if you have MFA enabled, you cannot use it.

Shiva Keshav Varma
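
As an added example (not code from either answer): a minimal ROPC token request followed by `GET /me/drive`, using only the Python standard library and surfacing the MFA failure discussed in the comments as its own exception. The tenant, client ID and account values are placeholders supplied by the caller, and it assumes the delegated `Files.Read` permission has already been consented for the app registration and that the registration allows public client flows.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DRIVE_URL = "https://graph.microsoft.com/v1.0/me/drive"
# Delegated, read-only scope: the token can only act as the one signed-in user.
SCOPE = "https://graph.microsoft.com/Files.Read"
# AADSTS codes Azure AD returns when the account must complete or enroll in MFA.
MFA_ERROR_CODES = {50076, 50079}


class MfaRequired(Exception):
    """ROPC cannot satisfy MFA; the account needs an interactive flow."""


def build_ropc_request(tenant, client_id, username, password):
    """Return (url, form_body) for the v2.0 token endpoint, grant_type=password."""
    url = f"{AUTHORITY}/{urllib.parse.quote(tenant)}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "scope": SCOPE,
        "username": username, "password": password,
    }).encode()
    return url, body


def parse_token_response(payload):
    """Return the access token, or raise with the reason the flow failed."""
    if "access_token" in payload:
        return payload["access_token"]
    if MFA_ERROR_CODES & set(payload.get("error_codes", [])):
        raise MfaRequired(payload.get("error_description", "MFA required"))
    raise RuntimeError(f"{payload.get('error')}: {payload.get('error_description')}")


def get_drive(tenant, client_id, username, password):
    """Acquire a token with ROPC, then call GET /me/drive as that user."""
    url, body = build_ropc_request(tenant, client_id, username, password)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:  # Azure AD returns a JSON error body
        payload = json.load(err)
    token = parse_token_response(payload)
    req = urllib.request.Request(GRAPH_DRIVE_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Pass the password to `get_drive` from an environment variable or a secret store rather than the source file, and use a dedicated account whose OneDrive holds only what the job needs.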