Azure SharePoint multi-factor authentication with Python
Problem description
I'm trying to use Python to download an Excel file that is hosted in a SharePoint which is part of the Microsoft Azure platform. The SharePoint is password protected, and I have an account and a password which I can use to log in via my browser.
In order to authenticate with a Python script I followed the method suggested in: Sharepoint authentication with python, which uses the O365 rest python client library and goes as follows:
from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext
url = 'https://organization.sharepoint.com/sites/something/somepage.aspx'
username = 'userx@organization.com'
password = 'fakepass'
ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
    ctx = ClientContext(url, ctx_auth)
else:
    print(ctx_auth.get_last_error())
But I'm getting an error message back:
An error occurred while retrieving token: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you
must use multi-factor authentication to access ''.
I do connect to this account from multiple devices (browser), and just once I was required to use MFA to log in (SMS message). Is there a way to get around this? Note that I'm not the admin of the system.
Recommended answer
The error message is pretty intuitive: user credentials auth is not supported when Multi-Factor Authentication (MFA) is enabled.
To circumvent this error, SharePoint App-Only flow could be utilized instead (supported by Office365-REST-Python-Client library).
The Setting up an app-only principal with tenant permissions section describes how to configure it; to summarize, it consists of two steps:
- register App principal (think of it as a "service account")
- grant permissions
Once app principal is created and consented, it could be utilized to access SharePoint resource as demonstrated below:
from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.client_credential import ClientCredential
site_url = 'https://contoso.sharepoint.com/'
app_principal = {
'client_id': '--client-id-goes-here--',
'client_secret': '--client-secret-goes-here--',
}
credentials = ClientCredential(app_principal['client_id'], app_principal['client_secret'])
ctx = ClientContext(site_url).with_credentials(credentials)
web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))
Here is an instruction on how to configure SharePoint App-Only flow:
Note: app principal registration operation (steps 1 through 5) needs to be performed once per tenant. Although the operation for granting permissions (steps 6-9) could be applied either per tenant or site collection:
- permissions granted per site collection and requires a site collection administrator (in the provided instruction the permissions are granted per site collection)
- If you prefer to grant permissions on tenant level, visit tenant administration site instead, the URL must include -admin to access the tenant administration site, for example, https://{tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx. That operation requires tenant administrator permissions
Steps:
- Go to the appregnew.aspx page in your SharePoint Online site. For example, https://{tenant}.sharepoint.com/_layouts/15/appregnew.aspx.
- On this page, click the Generate buttons next to the Client ID and Client Secret fields to generate their values.
- Store the client ID and client secret securely as these credentials can be used to read or update all data in your SharePoint Online environment. You will also use them to configure the SharePoint Online connection in application.
- Under Title, specify a title. For example, Python console. Under App Domain, specify localhost. Under Redirect URI, specify https://localhost.
Note: Sometimes, if you specify an actual domain, e.g. sharepoint.com domain in the App Domain and Redirect URI fields, instead of localhost, the error message An unexpected error has occurred might be encountered. Check the appregnew.aspx page and make sure both fields include the proper localhost URI.
- Click Create.
- Go to the appinv.aspx page on the site collection. For example, https://example.sharepoint.com/_layouts/15/appinv.aspx to grant site-scoped permissions.
- Specify your client ID in the App Id field and click Lookup to find your app. To grant permissions to the app, copy the XML below to the App’s permission request XML field:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
Note: For tenant level scope, permission request XML looks as follows:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
- Click Create.
- On the confirmation dialog, click Trust It to grant the permissions.
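A check for the permission request XML before it is pasted into appinv.aspx, since the answer's XML grants FullControl to an app-only principal while the question only needs to download a file. This is an added example, not part of the original answer or of Office365-REST-Python-Client; the helper `audit_permission_request`, its `needed_right` parameter and the read-only sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Rights accepted in a SharePoint add-in permission request, narrowest first.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]
TENANT_SCOPE = "http://sharepoint/content/tenant"

# The two requests shown in the answer above.
PAGE_SITE_XML = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>"""
PAGE_TENANT_XML = PAGE_SITE_XML.replace("/sitecollection", "/tenant")
# Constructed sample: same scope, narrowed to what a download-only script needs.
READ_ONLY_XML = PAGE_SITE_XML.replace("FullControl", "Read")


def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]


def audit_permission_request(xml_text, needed_right="Read"):
    """Return findings for requests broader than needed_right (hypothetical helper)."""
    if needed_right not in RIGHTS:
        raise ValueError(f"needed_right must be one of {RIGHTS}")
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != "AppPermissionRequests":
        raise ValueError("not an AppPermissionRequests document")
    # With app-only policy the app authenticates without any signed-in user.
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    findings = []
    for req in root:
        if local_name(req.tag) != "AppPermissionRequest":
            continue
        scope, right = req.get("Scope", ""), req.get("Right", "")
        if right not in RIGHTS:
            findings.append(f"{scope}: unrecognised Right {right!r}")
            continue
        if RIGHTS.index(right) > RIGHTS.index(needed_right):
            who = "the client secret alone" if app_only else "the app acting for a user"
            findings.append(f"{scope}: Right={right} exceeds {needed_right}; usable with {who}")
        if scope == TENANT_SCOPE:
            findings.append(f"{scope}: tenant-wide grant; prefer a site collection scope")
    return findings


if __name__ == "__main__":
    for name in ("PAGE_SITE_XML", "PAGE_TENANT_XML", "READ_ONLY_XML"):
        print(name, audit_permission_request(globals()[name]) or "ok")
```

An empty list means the request is no broader than `needed_right` and is not tenant-wide.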