Cli-microsoft365: Authentication error

Hi,
Have you tried to change the "Default Client Type" to "yes" already?

br,
Patrick

Hi,
Have you tried to change the "Default Client Type" to "yes" already?

br,
Patrick

Yes, same error persists.

Oh wait, what is the reason of having Implicit Grant enabled? Not required in this case from my point of view.

Still no luck. The same error comes.

Edit: Update the steps for a better follow-up.

• Create the Azure AD app
• Assigned the desired API permissions (similarly as you did)
• Ensured that under authentication I have following settings enabled/disabled

• Before running the CLI specify the environment variables OFFICE365CLI_AADAPPID [Application (client) ID] and OFFICE365CLI_TENANT [Directory (tenant) ID]. You should pick the values that you see under "Overview" of your previously created Azure AD application
• Run the CLI once and execute the login command. Follow the steps and perform a successful authentication through the browser. It will also ask you to grant consent to your app to perform operations on your behalf.

Afterward, you do not have to authenticate against any CLI calls until you are not explicitly executing a logoff operation.

It would be interesting to understand what exactly you want to achieve. In theory, the steps above should be sufficient for command-line automation scenarios.

br,
Patrick

Hi @plamber,

• Specified before running the command line interface the environment variables: OFFICE365CLI_AADAPPID and assigned the app id of the Azure AD application I created
• Run the office365 CLI once and executed a the login command inside it (it will ask you to open a browser and log in with your credentials and grant the app permissions to perform operations on your behalf

Once that happened, you can just run the office365 cli without additional login prompts until you are not explicitly logging off.

I don't exactly follow this. I am not trying to run office365 cli. What I want to achieve is the ability to send out emails from my python application. For this, my understanding is that I need to first download the access token file by authenticating through the following steps:

from O365 import Account
credentials = (XXXX, YYYY)
scopes=['basic', 'message_all']
account = Account(credentials)
account.authenticate(scopes=scopes)

Is this not the way of generating the access token file?

Thanks,
Basil

I haven't tried it with Phyton. I am working in PowerShell. Nevertheless, the concept should be similar.

I installed the CLI on my host.
Now you have two options:

• Option 1: Create your dedicated Azure AD application and specify the desired permissions (as you did)
• Option 2: Use the Azure AD multi-tenant application the PNP group is providing to you (no actions needed)

Before running the CLI
Option 1:
if you follow this option, you need to tell the CLI to use the correct Azure AD application performs the necessary operations. I am specifying this specifying the environment variable "OFFICE365CLI_AADAPPID" with the appropriate application ID (the one that you created) and the environment variable "OFFICE365CLI_TENANT" with the appropriate tenant id.
Option 2:
if you just want to use the "standard" permissions, you do not have to specify the application ID

Authentication
With the CLI you can follow the device code flow for authentication. In a nutshell, you open the CLI once in your command prompt and you are then using the command login. The CLI will guide you in how to authorize the CLI to perform the operations on behalf of the user that is finalizing the login operation. This is an interactive operation.

Performing commands
After a successful login, you do not have to pass credentials after you are not explicitly logging out from the CLI. The necessary tokens to perform the operations on your behalf are stored in the device and are automatically refreshed by the cli. This is what I am usually doing when creating unattended scripts.

You can find an example on how to integrate the CLI in scripts here: https://blog.mastykarz.nl/building-scripts-office-365-cli/

At first glance, I do not see the requirement for you to try to get the token differently. Maybe, I misunderstood your requirements.

In addition to what @plamber mentioned:
For option 1, I think you also need to provide 'OFFICE365CLI_TENANT'
(See Login Documentation)

Ok, from what I understood from your comments, I did the following:

1. In Windows cmd:
   set OFFICE365CLI_AADAPPID=XXXX <application id>
set OFFICE365CLI_TENANT=ZZZZ <tenant id>

2. Installed office365:
   npm i -g @pnp/office365-cli

3. Login to office365
   office365
o365$ login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code H65QY72ED to authenticate.

I went to https://microsoft.com/devicelogin and entered the code which then asked username and password. But when I provided the credentials, I was given this message:

Am I making any mistake?

Thanks,
Basil

Edit: with correct screenshots

If you do not have the "Suggested redirect URLs" enabled for public clients enabled, then a fake redirect URL und "Redirect URIs" solves your current issue. This is how I configured it in my application. On the other hand, if you change the settings as done in the screen below, this might be more appropriate for the CLI setup.

Hi,

Thanks @plamber. I was able to login successfully into office365 by giving credentials in https://microsoft.com/devicelogin.

But how do I send out emails from the authenticated account after this (using a Python script)? I am following the instructions given here: https://github.com/O365/python-o365#usage

from O365 import Account
credentials = (XXXX, YYYY)
scopes=['basic', 'message_all']
account = Account(credentials)
m = account.new_message()
m.to.add(<recepeint_email>)
m.subject = "Subject"
m.body = "Body"
m.send()

This produces the error:
HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/v1.0/me/sendMail | Error Message: Access token is empty.

Thanks,
Basil

Hi,
I do not see why you should use the current's project CLI in combination with the project that has been created by the other person. I am almost sure this will not work in combination.

From my point of view, you should either use the other project's methods or with the CLI presented here.

br,
Patrick

Ok got it. Thanks