Azure sharepoint multi-factor authentication with python


Problem description

I'm trying to use Python to download an Excel file that is hosted in a SharePoint which is part of the Microsoft Azure platform. The SharePoint is password protected, and I have an account and a password which I can use to log in via my browser.

In order to authenticate with a Python script I followed the method suggested in: Sharepoint authentication with python, which uses the O365 REST Python client library and goes as follows:

from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext


url = 'https://organization.sharepoint.com/sites/something/somepage.aspx'
username = 'userx@organization.com'
password = 'fakepass'

ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
    ctx = ClientContext(url, ctx_auth)

else:
    print(ctx_auth.get_last_error())

But I'm getting an error message back:

An error occurred while retrieving token: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you
must use multi-factor authentication to access ''.

I do connect to this account from multiple devices (browser), and just once I was required to use MFA to log in (SMS message). Is there a way to get around this? Note that I'm not the admin of the system.

Recommended answer

The error message is pretty intuitive: user credentials auth is not supported when Multi-Factor Authentication (MFA) is enabled.

To circumvent this error, SharePoint App-Only flow could be utilized instead (supported by Office365-REST-Python-Client library).

Setting up an app-only principal with tenant permissions section describes how to configure it, to summarize it consists of two steps:

  1. register the App principal (think of it as a "service account")
  2. grant permissions

Once app principal is created and consented, it could be utilized to access SharePoint resource as demonstrated below:

from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.client_credential import ClientCredential

site_url = 'https://contoso.sharepoint.com/'
app_principal = {
    'client_id': '--client-id-goes-here--',
    'client_secret': '--client-secret-goes-here--',
}

# App-only (client credential) auth: no user sign-in is involved
credentials = ClientCredential(app_principal['client_id'], app_principal['client_secret'])
ctx = ClientContext(site_url).with_credentials(credentials)

# Load the site's properties to confirm that the credentials work
web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))

Here is an instruction on how to configure SharePoint App-Only flow:

Note: app principal registration operation (steps 1 through 5) needs to be performed once per tenant. Although the operation for granting permissions (steps 6-9) could be applied either per tenant or site collection:

  • permissions granted per site collection and requires a site collection administrator (in the provided instruction the permissions are granted per site collection)
  • If you prefer to grant permissions on tenant level, visit tenant administration site instead, the URL must include -admin to access
    the tenant administration site, for example,
    https://{tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx. That operation requires tenant administrator permissions

Steps:

  1. Go to the appregnew.aspx page in your SharePoint Online site. For example, https://{tenant}.sharepoint.com/_layouts/15/appregnew.aspx.
  2. On this page, click the Generate buttons next to the Client ID and Client Secret fields to generate their values.
  3. Store the client ID and client secret securely as these credentials can be used to read or update all data in your SharePoint Online environment. You will also use them to configure the SharePoint Online connection in the application.
  4. Under Title, specify a title. For example, Python console. Under App Domain, specify localhost. Under Redirect URI, specify https://localhost.

Note: Sometimes, if you specify an actual domain, e.g. sharepoint.com domain in the App Domain and Redirect URI fields, instead of localhost, the error message "An unexpected error has occurred" might be encountered. Check the appregnew.aspx page and make sure both fields include the proper localhost URI.

  5. Click Create.

  6. Go to the appinv.aspx page on the site collection. For example, https://example.sharepoint.com/_layouts/15/appinv.aspx to grant site-scoped permissions.

  7. Specify your client ID in the App Id field and click Lookup to find your app. To grant permissions to the app, copy the XML below to the App’s permission request XML field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Note: For tenant level scope, permission request XML looks as follows:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

  8. Click Create.
  9. On the confirmation dialog, click Trust It to grant the permissions.
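
An added example, not part of the original answer or of the Office365-REST-Python-Client project: downloading the Excel file from the question with the app-only flow, reading the client ID and secret from the environment because step 3 asks for them to be stored securely. The environment variable names SP_CLIENT_ID and SP_CLIENT_SECRET and the helper function names are hypothetical.

```python
import os
from urllib.parse import unquote, urlsplit

# Hypothetical environment variable names (not defined by the page or the library).
ENV_CLIENT_ID = "SP_CLIENT_ID"
ENV_CLIENT_SECRET = "SP_CLIENT_SECRET"


def load_app_principal(env=os.environ):
    """Read the app principal from the environment so it never lives in source."""
    client_id = env.get(ENV_CLIENT_ID, "").strip()
    client_secret = env.get(ENV_CLIENT_SECRET, "").strip()
    if not client_id or not client_secret:
        raise RuntimeError(f"set {ENV_CLIENT_ID} and {ENV_CLIENT_SECRET}")
    return client_id, client_secret


def server_relative_path(site_url, file_url):
    """Return the server-relative path of file_url, refusing files outside site_url."""
    site, target = urlsplit(site_url), urlsplit(file_url)
    if target.scheme != "https" or target.netloc.lower() != site.netloc.lower():
        raise ValueError("file URL must be https and on the same host as the site")
    site_path = site.path.rstrip("/") + "/"
    path = unquote(target.path)
    if ".." in path.split("/") or not path.lower().startswith(site_path.lower()):
        raise ValueError("file URL is outside the site collection")
    return path


def download_file(site_url, file_url, local_path):
    """Download one file with the app-only flow shown in the answer."""
    # Imported here so the helpers above work without the library installed.
    from office365.runtime.auth.client_credential import ClientCredential
    from office365.sharepoint.client_context import ClientContext

    client_id, client_secret = load_app_principal()
    ctx = ClientContext(site_url).with_credentials(
        ClientCredential(client_id, client_secret))
    relative = server_relative_path(site_url, file_url)
    with open(local_path, "wb") as fh:
        ctx.web.get_file_by_server_relative_url(relative).download(fh).execute_query()
    return local_path
```
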
