Authenticating to Microsoft 365

Hong Ooi

Authentication

To authenticate with Azure Active Directory, simply call one of the Microsoft365R client functions.

get_personal_onedrive()
get_business_onedrive()
get_personal_outlook()
get_business_outlook()
get_sharepoint_site()
get_team()

Notice that you do not provide your username and password in the function call. Instead, Microsoft365R will use your Internet browser to obtain your credentials, in a similar manner to other web apps. You will get a dialog box asking for permission to access your information. Your login information is saved, so you should only have to authenticate once.

Using the device code flow

The default authentication method assumes that your R session can access the Internet via a browser. If this is not the case, for example if you are using Databricks or RStudio Server, you can switch to the device code flow by passing the auth_type="device_code" argument:

get_personal_onedrive(auth_type="device_code")

This will print an access code and URL on the screen. You log in to the URL using a browser on another device, and type in the code. Once this is done, Microsoft365R will complete the authentication process. Again, you do not provide your username and password in the function call.

Specifying the tenant

When authenticating to the Microsoft 365 Business services, Microsoft365R will detect your Azure Active Directory tenant from your logged-in credentials in the browser. Sometimes this doesn’t work, in particular if you are logged in with a personal account that is also a guest account in a tenant. To solve this, specify your tenant name with the tenant argument:

get_business_onedrive(tenant="mytenant")
get_business_outlook(tenant="mytenant")
get_sharepoint_site("My site", tenant="mytenant")
get_team("My team", tenant="mytenant")

App registration and approvals

Microsoft365R comes with a default app registration for authenticating with AAD; depending on your organisation’s security policy, you may have to get an admin to grant it access to your tenant. See app_registration.md for details on the permissions that Microsoft365R requires.

Using your own app registration

Rather than getting the default app registration approved, you can also create your own registration for authentication. If this is for use in a local R session, it should have a mobile & desktop redirect URI of https://localhost:1410 (not a web or SPA redirect), and the “Allow native client” setting should be enabled. You can use the same permissions as the default app, or set your own: for example, if you know you don’t need to interact with Outlook, you can omit the Mail.Send and Mail.ReadWrite permissions.

Once the app has been registered, you can pass the app ID to Microsoft365R in a couple of ways.

If you want to use Microsoft365R outside a local R session, creating a custom app registration is required. In particular, this includes the following common scenarios:

See the vignettes “Using Microsoft365R in a Shiny app” and “Using Microsoft365R in an unattended script” for more on these use cases, including how to configure the app registration in Azure Active Directory.

Using other app registrations: last-resort workarounds

The above methods are the recommended solutions to dealing with access restrictions on Microsoft365R. If they are not feasible, it’s possible to work around these issues by piggybacking on other apps:

Be warned that these workarounds may draw the attention of your admin!

Authenticating with a token

In some circumstances, it may be desirable to carry out authentication/authorization as a separate step prior to making requests to the Microsoft 365 REST API. This holds in a Shiny app, for example, since only the UI part can talk to the browser while the server part does the rest of the work. Another scenario is if the refresh token lifetime set by your org is too short, so that the token expires in between R sessions. In this case, you can authenticate by obtaining a new token with AzureAuth::get_azure_token, and passing the token object to the client function.

When calling get_azure_token, the scopes you should use are those given in the scopes argument for each client function, and the API host is https://graph.microsoft.com/. The Microsoft365R internal app ID is d44a05d5-c6a5-4bbb-82d2-443123722380, while that for the CLI for Microsoft 365 is 31359c7f-bd7e-475c-86db-fdb8c937548e. As noted above, however, these app IDs only work for a local R session; you must create your own app registration if you want to use the package inside a Shiny app.

library(Microsoft365R)

# authenticate as a separate step, then pass the token to the client function
scopes <- c(
    "https://graph.microsoft.com/Files.ReadWrite.All",
    "https://graph.microsoft.com/User.Read",
    "openid", "offline_access"
)
app <- "d44a05d5-c6a5-4bbb-82d2-443123722380" # for local use only
token <- AzureAuth::get_azure_token(scopes, "mytenant", app, version=2)
od <- get_business_onedrive(token=token)

Other issues

The AzureR packages save your login sessions so that you don’t need to reauthenticate each time. If you’re experiencing authentication failures, you can try clearing the saved data by running the following code:

AzureAuth::clean_token_directory()
AzureGraph::delete_graph_login(tenant="mytenant")

You can also consult the vignettes from the AzureAuth and AzureGraph packages for more information on this topic.
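
The saved login data described above includes OAuth tokens that AzureAuth caches on disk, so it can be reviewed before everything is cleared. The following R code is an added example, not part of the original vignette or of the Microsoft365R package: it lists each cached token with its tenant, app registration and scopes, and deletes only the tokens issued to one app ID. The function names audit_cached_tokens and purge_app_tokens are illustrative.

```r
library(AzureAuth)

# App IDs quoted earlier on this page
known_apps <- c(
    "d44a05d5-c6a5-4bbb-82d2-443123722380"="Microsoft365R default app",
    "31359c7f-bd7e-475c-86db-fdb8c937548e"="CLI for Microsoft 365"
)

# Hypothetical helper: one row per token found in the cache directory
audit_cached_tokens <- function()
{
    message("Token cache directory: ", AzureR_dir())
    tokens <- list_azure_tokens()   # named list; names are the cache file hashes
    if(length(tokens) == 0)
        return(data.frame())

    rows <- lapply(names(tokens), function(hash)
    {
        tok <- tokens[[hash]]
        app_id <- tok$client$client_id
        if(is.null(app_id)) app_id <- NA_character_
        label <- known_apps[app_id]
        # v2 tokens carry a vector of scopes, v1 tokens a single resource
        target <- if(tok$version == 2) tok$scope else tok$resource
        data.frame(
            hash=hash,
            tenant=tok$tenant,
            app=if(is.na(label)) app_id else unname(label),
            auth_type=tok$auth_type,
            scopes=paste(sub("^https://graph.microsoft.com/", "", target), collapse=" "),
            access_token_valid=tok$validate(),
            has_refresh_token=!is.null(tok$credentials$refresh_token),
            stringsAsFactors=FALSE
        )
    })
    do.call(rbind, rows)
}

# Hypothetical helper: delete only the cached tokens issued to one app
# registration, where clean_token_directory() would remove the whole cache
purge_app_tokens <- function(app_id)
{
    tokens <- list_azure_tokens()
    match <- vapply(tokens, function(tok) identical(tok$client$client_id, app_id), logical(1))
    hits <- names(tokens)[match]
    for(h in hits) delete_azure_token(hash=h, confirm=FALSE)
    invisible(hits)   # hashes of the tokens that were removed
}
```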