Azure sharepoint multi-factor authentication with python


Problem description

I'm trying to use python to download an excel file that is hosted in a sharepoint which is part of the Microsoft Azure platform. The sharepoint is password protected, and I have an account and a password which I can use to log in via my browser.

In order to authenticate with a python script I followed the method suggested in: Sharepoint authentication with python, which uses the O365 rest python client library and goes as follows:

from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext


url = 'https://organization.sharepoint.com/sites/something/somepage.aspx'
username = 'userx@organization.com'
password = 'fakepass'

ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
    ctx = ClientContext(url, ctx_auth)

else:
    print(ctx_auth.get_last_error())

But I'm getting an error message back:

An error occurred while retrieving token: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you
must use multi-factor authentication to access ''.

I do connect to this account from multiple devices (browser), and just once I was required to use MFA to log in (SMS message). Is there a way to get around this? Note that I'm not the admin of the system.

Solution

The error message is pretty intuitive, user credentials auth is not supported when Multi-Factor Authentication (MFA) is enabled.

To circumvent this error, SharePoint App-Only flow could be utilized instead (supported by Office365-REST-Python-Client library).

Setting up an app-only principal with tenant permissions section describes how to configure it, to summarize, it consists of two steps:

  1. register App principal (think of it as a "service account")
  2. grant permissions

Once app principal is created and consented, it could be utilized to access SharePoint resource as demonstrated below:

from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.client_credential import ClientCredential

site_url = 'https://contoso.sharepoint.com/'
app_principal = {
    'client_id': '--client-id-goes-here--',
    'client_secret': '--client-secret-goes-here--',
}

credentials = ClientCredential(app_principal['client_id'], app_principal['client_secret'])
# Use site_url defined above (the original snippet referenced an undefined name, url)
ctx = ClientContext(site_url).with_credentials(credentials)

web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))


Here is an instruction on how to configure SharePoint App-Only flow:

Note: app principal registration operation (steps 1 through 5) needs to be performed once per tenant. Although the operation for granting permissions (steps 6-9) could be applied either per tenant or site collection:

  • permissions are granted per site collection and require a site collection administrator (in the provided instruction the permissions are granted per site collection)
  • If you prefer to grant permissions on tenant level, visit tenant administration site instead, the URL must include -admin to access
    the tenant administration site, for example,
    https://{tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx. That operation requires tenant administrator permissions

Steps:

  1. Go to the appregnew.aspx page in your SharePoint Online site. For example, https://{tenant}.sharepoint.com/_layouts/15/appregnew.aspx.
  2. On this page, click the Generate buttons next to the Client ID and Client Secret fields to generate their values.
  3. Store the client ID and client secret securely as these credentials can be used to read or update all data in your SharePoint Online environment. You will also use them to configure the SharePoint Online connection in the application.
  4. Under Title, specify a title. For example, Python console. Under App Domain, specify localhost. Under Redirect URI, specify https://localhost.

Note: Sometimes, if you specify an actual domain, e.g. sharepoint.com domain in the App Domain and Redirect URI fields, instead of localhost, the error message An unexpected error has occurred might be encountered. Check the appregnew.aspx page and make sure both fields include the proper localhost URI.

  5. Click Create.

  6. Go to the appinv.aspx page on the site collection. For example, https://example.sharepoint.com/_layouts/15/appinv.aspx to grant site-scoped permissions.

  7. Specify your client ID in the App Id field and click Lookup to find your app. To grant permissions to the app, copy the XML below to the App’s permission request XML field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Note: For tenant level scope, permission request XML looks as follows:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

  8. Click Create.
  9. On the confirmation dialog, click Trust It to grant the permissions.
