
I have a function app in Azure that needs to read AAD group information. This function app has system-assigned managed identity enabled and the MSI has Directory.Read.All permission on Microsoft Graph.

I use this code to get the list of AAD groups:

    from azure.graphrbac import GraphRbacManagementClient
    from msrestazure.azure_active_directory import MSIAuthentication
    import logging

    # Token for the (legacy) Azure AD Graph endpoint, issued to the managed identity
    MSI_credential = MSIAuthentication(resource="https://graph.windows.net")
    graphrbac_client = GraphRbacManagementClient(credentials=MSI_credential, tenant_id='*****')
    # Paged listing of every group in the tenant
    groups = graphrbac_client.groups.list()
    for g in groups:
        logging.info(g.display_name)

This gives me the following error:

Retrying (Retry(total=3, connect=4, read=3, redirect=None, status=None)) after connection broken by 'ProtocolError('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')

I have tried using this wrapper class as well, https://github.com/jongio/azidext/blob/master/python/azure_identity_credential_adapter.py but it gives the exact same error. What am I missing here? Could this be related to whitelisting "https://graph.windows.net" in the firewall?

You can refer to a similar issue on GitHub: [Authenticating with Azure Identity AzureCliCredential to interact with MS Graph (msgraph-sdk-python-core) does not work](https://github.com/Azure/azure-sdk-for-python/issues/20877). You can also open an issue on GitHub: [msgraph-sdk-python-core](https://github.com/microsoftgraph/msgraph-sdk-python-core/issues) – Ecstasy Dec 06 '21 at 10:46

2 Answers


It was a firewall issue. Whitelisting https://graph.windows.net in the firewall resolved the issue. Also, in order to use graph.windows.net, the MSI associated with the app needs Azure Active Directory Graph Directory.Read.All access.

What were the firewall settings previously? This answer is incomplete for most configurations. Edit your answer, show the previous configuration and the changes required to solve the problem. Before giving yourself the checkmark, wait to see if anyone else votes for your answer. – John Hanley Dec 14 '21 at 22:58
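As an added diagnostic (not part of the question or of this answer), the stdlib-only probe below separates the network-layer failure modes a function app can hit when it calls an external endpoint. A "Connection reset by peer" during the TLS handshake, the signature in the error above, is what an egress firewall or proxy typically produces for a destination it does not allow, and the classifier tells it apart from DNS failures, refused or timed-out TCP connects and genuine TLS errors. The `connect` parameter is a constructed injection point so the classification can be exercised without network access; the hostnames in the `__main__` section are the ones the question and answers mention.

```python
"""Classify why an outbound HTTPS endpoint is unreachable from a function app.

Added example; not code from the question or the answers.
"""
import socket
import ssl
from typing import Callable

# connect(host, port) must complete a TLS handshake or raise (constructed seam).
Connector = Callable[[str, int], None]


def tls_connect(host: str, port: int) -> None:
    """Resolve, open a TCP connection and finish a TLS handshake; raise on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass  # handshake completed; nothing is sent


def classify_egress(host: str, port: int = 443, connect: Connector = tls_connect) -> str:
    """Return one of: ok, dns-failure, refused, timeout, reset-by-peer, tls-failure, error.

    The except clauses are ordered from most to least specific because every
    one of these exceptions is a subclass of OSError.
    """
    try:
        connect(host, port)
        return "ok"
    except socket.gaierror:
        return "dns-failure"            # name does not resolve (DNS blocked or wrong)
    except ConnectionRefusedError:
        return "refused"                # host reachable, port closed
    except TimeoutError:
        return "timeout"                # packets silently dropped on the way
    except ConnectionResetError:
        return "reset-by-peer"          # RST during connect/handshake: firewall or proxy
    except ssl.SSLError:
        return "tls-failure"            # connected, but handshake rejected (e.g. interception)
    except OSError:
        return "error"


if __name__ == "__main__":
    # Endpoints named on this page: legacy AAD Graph, the token service, Microsoft Graph.
    for h in ("graph.windows.net", "login.microsoftonline.com", "graph.microsoft.com"):
        print(f"{h}: {classify_egress(h)}")
```

Run it from the function app itself (for example from a Kudu console or a throwaway HTTP-triggered function), since the result depends on the app's egress path, not on the developer's workstation.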

I faced a similar issue and switched to the msal library and it worked quite well. This code was obtained from a Python Bites video on YouTube.

    from msal import ConfidentialClientApplication
    import json
    import requests

    # Placeholder app registration values; a real deployment should load the
    # secret from configuration or Key Vault rather than hard-coding it.
    client_id = "e12345b-aaaa-9999-fgh4-zzzz222222"
    client_secret = "ckeejsdfhcvkjsdwedeefkgkdgvhsdkjshdgjh"
    tenant_id = "ffffff9999-aa11-aa11-bb22-gfhdghg27227"
    msal_authority = f"https://login.microsoftonline.com/{tenant_id}"
    msal_scope = ["https://graph.microsoft.com/.default"]

    msal_app = ConfidentialClientApplication(
        client_id=client_id,
        client_credential=client_secret,
        authority=msal_authority
    )

    # Reuse a cached token if one is still valid, otherwise do the
    # client-credentials grant.
    result = msal_app.acquire_token_silent(scopes=msal_scope, account=None)

    if not result:
        result = msal_app.acquire_token_for_client(scopes=msal_scope)

    if "access_token" in result:
        access_token = result["access_token"]
    else:
        raise Exception("No access token found")

    # Note: this writes a bearer token to stdout; remove it outside of debugging.
    print(access_token)
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"
    }
    response = requests.get(
        url="https://graph.microsoft.com/v1.0/users", headers=headers,
    )
    response.raise_for_status()

    print(json.dumps(response.json(), indent=4))
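As an added example (not from the question or either answer), the listing below gets the same group list from Microsoft Graph while keeping the question's original design of a managed identity, so no client secret has to be created, stored or rotated in the app. It uses the `azure.identity` package's `ManagedIdentityCredential` for the token and the standard library for HTTP. It assumes the system-assigned identity holds the Microsoft Graph application permission Directory.Read.All and that outbound HTTPS to login.microsoftonline.com and graph.microsoft.com is allowed. The `Fetcher` indirection and the `SAMPLE_PAGES` dictionary are constructed here so that the paging logic (Graph returns groups in pages linked by `@odata.nextLink`) can be run and checked offline.

```python
"""List Azure AD groups from Microsoft Graph with a function app's managed identity.

Added example; not code from the question or the answers.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# A fetcher maps a URL to the parsed JSON body. Injecting it keeps the paging
# logic testable without network access (constructed seam, not an SDK API).
Fetcher = Callable[[str], dict]


def graph_fetcher(access_token: str) -> Fetcher:
    """Return a GET function that presents the bearer token to Graph (stdlib only)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_groups(fetch: Fetcher, select: str = "id,displayName") -> Iterator[dict]:
    """Yield every group, following @odata.nextLink until Graph stops paging."""
    url = f"{GRAPH}/groups?$select={select}&$top=999"
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page


def list_group_names(fetch: Fetcher) -> List[str]:
    return [g["displayName"] for g in iter_groups(fetch)]


def managed_identity_token() -> str:
    """Get a Graph token from the managed identity endpoint; no secret lives in the app.

    Imported lazily so the paging code runs (and is testable) without azure-identity.
    """
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential().get_token(GRAPH_SCOPE).token


# Constructed sample of two Graph pages, used to exercise the paging offline.
SAMPLE_PAGES: Dict[str, dict] = {
    f"{GRAPH}/groups?$select=id,displayName&$top=999": {
        "value": [{"id": "g1", "displayName": "Finance"},
                  {"id": "g2", "displayName": "HR"}],
        "@odata.nextLink": f"{GRAPH}/groups?$skiptoken=constructed",
    },
    f"{GRAPH}/groups?$skiptoken=constructed": {
        "value": [{"id": "g3", "displayName": "Engineering"}],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for graph_fetcher(...) backed by SAMPLE_PAGES."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    token = managed_identity_token()
    # Log what was done with the token, never the token itself.
    for name in list_group_names(graph_fetcher(token)):
        print(name)
```

Requesting `.default` against graph.microsoft.com means the token carries whatever application permissions were consented to the identity, so if the list comes back empty or Graph returns 403, the thing to check is the Directory.Read.All grant on the managed identity's service principal rather than the code.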