Query MS Graph API in Python

Get started with Microsoft 365 data in your Python project using client ID and secret

Marian Reha
Nerd For Tech
5 min read · Jun 25, 2022

Introduction

Working with clients whose IT ecosystems are built around the Microsoft platform, I have many times faced the need to connect to the underlying data for various data analysis or automation purposes. In this article I will share a step-by-step guide on how to connect to the Microsoft Graph API, using a client ID and secret to authenticate, and load the data into a Python project.


Creating an Azure AD app registration

To authorize our calls to the API, we will need an Azure AD app registration. Log in to the Azure portal at https://portal.azure.com/ using an account with global admin permissions.

If you don’t have the global admin permissions, you can later ask someone else who has the rights in your organisation to grant admin consent to your app.

Open the App Registrations service either by searching for it in the search field at the top of the screen, or by using the left-hand-side portal navigation to go to Azure Active Directory → App Registrations.

Click on New registration.

Choose a name for the app registration, supported account type and redirect URI. Then click on the Register button.

After the application is successfully registered, you will see its overview. Note the Application (client) ID and Directory (tenant) ID and copy their values; we will need these later on.

Now, let’s generate a secret that will be needed when requesting an access token. Go to Certificates & secrets and click on New client secret.

You can change the description and expiration of the secret in the Add a client secret pane. Then click on Add. Note that after the secret expires, you will need to generate a new one.

Make sure to copy the entire secret value by clicking on the Copy to clipboard button. The secret is only visible immediately after creation.

Now, let’s configure permissions for the app registration. Go to API permissions and click on Add a permission.

Select Microsoft Graph → Application permissions. Then find the permissions needed for your application, select them and click on Add permissions. In this example we will query members of an Azure AD group; for this we need the Group.Read.All and User.Read.All permissions.

Using an account with global admin rights, click on the Grant admin consent for … button. If you don’t have the rights, ask someone from your organisation who can grant the admin consent to your application.

When done, you should see a green tick next to all the permissions.

And that’s it! The app registration is now configured and we can use the client ID and secret to authorize our requests to the Microsoft Graph API.

Obtaining access token

When sending requests to the MS Graph API, we need to provide an access token in the request header. In this article we will obtain the token using the msal library for Python.

The code implementation is quite straightforward. Don’t forget to update the client_id, client_secret and authority variables with the values from your Azure AD app registration.

After running the code, you should see a similar result (the actual token will be different):

When you run the code starting at line 16 again (for example in a Jupyter notebook), you should see that the access token was loaded from cache and the actual token should be the same as before.
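The token step described above, as an added example (not the article's original listing, so the line number mentioned above does not apply to it): it checks msal's token cache first and only then requests a new token with the client secret. The environment variable names and the build_app and get_access_token helpers are assumptions; the secret is read from the environment rather than written into the source.

```python
import os

# ".default" requests the application permissions granted to the app registration.
GRAPH_SCOPES = ["https://graph.microsoft.com/.default"]


def build_app():
    """Create the msal client from environment variables (names are assumptions)."""
    import msal  # imported here so the module loads even where msal is not installed

    tenant_id = os.environ["AZURE_TENANT_ID"]
    return msal.ConfidentialClientApplication(
        os.environ["AZURE_CLIENT_ID"],
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=os.environ["AZURE_CLIENT_SECRET"],
    )


def get_access_token(app, scopes=GRAPH_SCOPES):
    """Return (token, source), where source is 'cache' or 'aad'."""
    # Look in msal's in-memory token cache first.
    result = app.acquire_token_silent(scopes, account=None)
    source = "cache"
    if not result:
        # Nothing usable in the cache: request a new token with the client secret.
        result = app.acquire_token_for_client(scopes=scopes)
        source = "aad"
    if "access_token" not in result:
        # Report the error fields only; never print or log the token or the secret.
        raise RuntimeError(
            f"{result.get('error')}: {result.get('error_description')}"
        )
    return result["access_token"], source


if __name__ == "__main__":
    token, source = get_access_token(build_app())
    print(f"token obtained from {source}, length {len(token)}")
```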

We will refactor the code a bit later. Now let’s make our first call to the MS Graph API!

Querying MS Graph using client_id and secret

To get data from the MS Graph API, we will make a GET request with the requests library in Python.

If the request is successful, you should see the first page (usually the first 100 items) of the results printed out in JSON format. Information about the groups is stored in the array value. In the screenshot, the JSON output is already prettified.

Example of an MS Graph API response

Pagination

Notice the @odata.nextLink property at the second line of the response. This indicates that the returned data are incomplete and we need to loop through multiple pages to retrieve all the data.

Luckily for us, the MS Graph API makes it really easy to do so. The @odata.nextLink property is only available when there is a next page with more data. What we need to do is check for this property in the response and, as long as it’s there, change the endpoint URL to its value.

In Python, it could look something like this:

Refactoring and wrap-up

We went through all the important steps of querying the Microsoft Graph API to get data into our Python project. The last step is to refactor the code. Let’s create a make_graph_call function that takes care of acquiring an access token, getting data from the API and returning them in JSON format. The function takes two parameters: url (the Graph API endpoint we are calling) and pagination (an optional parameter that allows querying only the first page of results if set to False).
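The pagination loop and the make_graph_call refactoring described above, as an added example rather than the article's original code. It assumes the token is passed in as a parameter and that the transport is injectable (http_get, a hypothetical parameter) so the loop can run against constructed pages; it also checks that every @odata.nextLink stays on graph.microsoft.com before the bearer token is sent.

```python
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"
GROUPS_URL = f"https://{GRAPH_HOST}/v1.0/groups"


def _requests_get(url, headers):
    # Default transport: one GET with the requests library, parsed as JSON.
    import requests  # imported lazily so the module loads without requests

    response = requests.get(url, headers=headers, timeout=30)
    response.raise_for_status()
    return response.json()


def make_graph_call(url, token, pagination=True, http_get=_requests_get):
    """Return the items of a Graph collection, following @odata.nextLink."""
    headers = {"Authorization": f"Bearer {token}"}
    items = []
    while url:
        parts = urlsplit(url)
        # The token goes out with every request: stay on the Graph host, HTTPS only.
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError(f"refusing to send the token to {url!r}")
        page = http_get(url, headers)
        items.extend(page.get("value", []))
        # @odata.nextLink is present only while another page remains.
        url = page.get("@odata.nextLink") if pagination else None
    return items


# Constructed two-page response (not real tenant data) to run the loop offline.
SAMPLE_PAGES = {
    GROUPS_URL: {
        "@odata.nextLink": GROUPS_URL + "?$skiptoken=constructed",
        "value": [{"displayName": "Group A"}, {"displayName": "Group B"}],
    },
    GROUPS_URL + "?$skiptoken=constructed": {"value": [{"displayName": "Group C"}]},
}


def demo(pagination=True):
    fake_get = lambda url, headers: SAMPLE_PAGES[url]
    groups = make_graph_call(GROUPS_URL, "constructed-token", pagination, fake_get)
    return [g["displayName"] for g in groups]


if __name__ == "__main__":
    print(demo())
```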

I hope you enjoyed this tutorial! Please share your feedback in the comments.
