refactor auth module: support for azure env in ClientContext

Author: vgrem

examples/auth/gcc_high.py

@@ -4,8 +4,7 @@
 Microsoft Graph for US Government L4: https://graph.microsoft.us
 """
 
-import msal
-
+from office365.azure_env import AzureEnvironment
 from office365.graph_client import GraphClient
 from tests import (
     test_client_id,
@@ -14,24 +13,7 @@
     test_user_principal_name,
 )
 
-
-def acquire_token():
-    authority_url = "https://login.microsoftonline.us/{0}".format(test_tenant)
-
-    app = msal.ConfidentialClientApplication(
-        authority=authority_url,
-        client_id=test_client_id,
-        client_credential=test_client_secret,
-    )
-    return app.acquire_token_for_client(scopes=["https://graph.microsoft.us/.default"])
-
-
-def construct_request(request):
-    request.url = request.url.replace(
-        "https://graph.microsoft.com", "https://graph.microsoft.us"
-    )
-
-
-client = GraphClient(acquire_token)
-client.pending_request().beforeExecute += construct_request
+client = GraphClient(
+    tenant=test_tenant, environment=AzureEnvironment.USGovernmentHigh
+).with_client_secret(test_client_id, test_client_secret)
 messages = client.users[test_user_principal_name].messages.get().execute_query()

examples/auth/sharepoint/register_apponly.py

@@ -16,9 +16,16 @@
 
 """
 
+from office365.directory.applications.app_ids import MsAppIds
 from office365.graph_client import GraphClient
-from tests import test_client_id, test_password, test_tenant, test_username
+from tests import test_client_id, test_client_secret, test_tenant
 
-admin_client = GraphClient(tenant=test_tenant).with_username_and_password(
-    test_client_id, test_username, test_password
+client = GraphClient(tenant=test_tenant).with_client_secret(
+    test_client_id, test_client_secret
 )
+# client = GraphClient(tenant=test_tenant).with_token_interactive(test_client_id)
+resource = client.service_principals.get_by_app_id(
+    MsAppIds.Office_365_SharePoint_Online
+)
+app = client.applications.get_by_app_id(test_client_id)
+resource.grant_application_permissions(app, "Sites.FullControl.All").execute_query()

examples/sharepoint/auth_app_only.py

@@ -16,6 +16,11 @@
 The example demonstrates how to use SharePoint App-Only principal (second option)
 
 https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
+
+Notice:
+Starting April 2, 2026, Azure Access Control service (ACS) usage will be retired for SharePoint in Microsoft 365
+and users will no longer be able to create or use Azure ACS principals to access SharePoint.
+Learn more about the [Access Control retirement](https://aka.ms/retirement/acs/support)
 """
 
 from office365.sharepoint.client_context import ClientContext

examples/sharepoint/auth_app_principal_aad.py

@@ -1,6 +1,6 @@
 from office365.runtime.auth.token_response import TokenResponse
 from office365.sharepoint.client_context import ClientContext
-from tests import settings, test_site_url
+from tests import test_client_id, test_client_secret, test_team_site_url, test_tenant
 
 """
 Important: for Application authenticated against Azure AD blade, calling SharePoint v1 API endpoint when
@@ -20,22 +20,20 @@
 
 
 def acquire_token():
-    authority_url = "https://login.microsoftonline.com/{0}".format(
-        settings.get("default", "tenant")
-    )
+    authority = "https://login.microsoftonline.com/{0}".format(test_tenant)
     import msal
 
     app = msal.ConfidentialClientApplication(
-        authority=authority_url,
-        client_id=settings.get("client_credentials", "client_id"),
-        client_credential=settings.get("client_credentials", "client_secret"),
+        authority=authority,
+        client_id=test_client_id,
+        client_credential=test_client_secret,
     )
     token_json = app.acquire_token_for_client(
         scopes=["https://mediadev8.sharepoint.com/.default"]
     )
     return TokenResponse.from_json(token_json)
 
 
-ctx = ClientContext(test_site_url).with_access_token(acquire_token)
+ctx = ClientContext(test_team_site_url).with_access_token(acquire_token)
 target_web = ctx.web.get().execute_query()
 print(target_web.url)

examples/sharepoint/auth_certificate.py

@@ -12,8 +12,6 @@
 https://github.com/vgrem/Office365-REST-Python-Client/wiki/How-to-connect-to-SharePoint-Online-with-certificate-credentials
 """
 
-import os
-
 from office365.sharepoint.client_context import ClientContext
 from tests import (
     test_cert_thumbprint,
@@ -26,7 +24,7 @@
     "tenant": test_tenant,
     "client_id": test_client_id,
     "thumbprint": test_cert_thumbprint,
-    "cert_path": "{0}/../selfsignkey.pem".format(os.path.dirname(__file__)),
+    "cert_path": "./selfsigncert.pem",
 }
 ctx = ClientContext(test_site_url).with_client_certificate(**cert_credentials)
 current_web = ctx.web.get().execute_query()

office365/azure_env.py

@@ -48,9 +48,13 @@ class AzureEnvironment(object):
     @classmethod
     def get_graph_authority(cls, env):
         # type: (str) -> str
-        return cls._authority_endpoints.get(env)["graph"]
+        return cls._authority_endpoints.get(env, cls._authority_endpoints["Global"])[
+            "graph"
+        ]
 
     @classmethod
     def get_login_authority(cls, env):
         # type: (str) -> str
-        return cls._authority_endpoints.get(env)["login"]
+        return cls._authority_endpoints.get(env, cls._authority_endpoints["Global"])[
+            "login"
+        ]

office365/directory/applications/app_ids.py

@@ -0,0 +1,6 @@
+class MsAppIds:
+    """Enum for commonly used Microsoft application IDs."""
+
+    Office_365_SharePoint_Online = "00000003-0000-0ff1-ce00-000000000000"
+
+    Office_365_Exchange_Online = "00000002-0000-0ff1-ce00-000000000000"

office365/runtime/auth/authentication_context.py

@@ -4,6 +4,7 @@
 
 from typing_extensions import Required, Self, TypedDict
 
+from office365.azure_env import AzureEnvironment
 from office365.runtime.auth.client_credential import ClientCredential
 from office365.runtime.auth.providers.acs_token_provider import ACSTokenProvider
 from office365.runtime.auth.providers.saml_token_provider import SamlTokenProvider
@@ -31,13 +32,11 @@ def _get_authorization_header(token):
 class AuthenticationContext(object):
     """Authentication context for SharePoint Online/OneDrive For Business"""
 
-    def __init__(
-        self, url, environment="commercial", allow_ntlm=False, browser_mode=False
-    ):
+    def __init__(self, url, environment=None, allow_ntlm=False, browser_mode=False):
         """
         :param str url: SharePoint absolute web or site Url
         :param str environment: The Office 365 Cloud Environment endpoint used for authentication
-            defaults to 'commercial'.
+            defaults to 'Azure Global'.
         :param bool allow_ntlm: Flag indicates whether NTLM scheme is enabled. Disabled by default
         :param bool browser_mode: Allow browser authentication
         """
@@ -80,7 +79,9 @@ def with_client_certificate(
                 private_key = f.read()
 
         def _acquire_token():
-            authority_url = "https://login.microsoftonline.com/{0}".format(tenant)
+            authority_url = "{0}/{1}".format(
+                AzureEnvironment.get_login_authority(self._environment), tenant
+            )
             credentials = {
                 "thumbprint": thumbprint,
                 "private_key": private_key,
@@ -119,7 +120,9 @@ def _acquire_token():
 
             app = msal.PublicClientApplication(
                 client_id,
-                authority="https://login.microsoftonline.com/{0}".format(tenant),
+                authority="{0}/{1}".format(
+                    AzureEnvironment.get_login_authority(self._environment), tenant
+                ),
                 client_credential=None,
             )
             result = app.acquire_token_interactive(scopes=scopes)
@@ -145,7 +148,9 @@ def _acquire_token():
 
             app = msal.PublicClientApplication(
                 client_id,
-                authority="https://login.microsoftonline.com/{0}".format(tenant),
+                authority="{0}/{1}".format(
+                    AzureEnvironment.get_login_authority(self._environment), tenant
+                ),
                 client_credential=None,
             )
 

office365/runtime/auth/providers/acs_token_provider.py

@@ -3,22 +3,23 @@
 import requests
 
 import office365.logger
+from office365.azure_env import AzureEnvironment
 from office365.runtime.auth.authentication_provider import AuthenticationProvider
 from office365.runtime.auth.token_response import TokenResponse
 from office365.runtime.compat import urlparse
 from office365.runtime.http.request_options import RequestOptions
 
 
 class ACSTokenProvider(AuthenticationProvider, office365.logger.LoggerContext):
-    def __init__(self, url, client_id, client_secret, environment="commercial"):
+    def __init__(self, url, client_id, client_secret, environment=None):
         """
         Provider to acquire the access token from a Microsoft Azure Access Control Service (ACS)
 
         :param str client_id: The OAuth client id of the calling application.
         :param str client_secret: Secret string that the application uses to prove its identity when requesting a token
         :param str url: SharePoint web or site url
         :param str environment: The Office 365 Cloud Environment endpoint used for authentication
-            defaults to 'commercial'.
+            defaults to 'Azure Global'.
         """
         self.url = url
         self.redirect_url = None
@@ -61,9 +62,7 @@ def _get_app_only_access_token(self, target_host, target_realm):
             self.SharePointPrincipal, target_host, target_realm
         )
         principal_id = self.get_formatted_principal(self._client_id, None, target_realm)
-        sts_url = self.get_security_token_service_url(
-            target_realm, environment=self._environment
-        )
+        sts_url = self.get_security_token_service_url(target_realm)
         oauth2_request = {
             "grant_type": "client_credentials",
             "client_id": principal_id,
@@ -96,11 +95,12 @@ def get_formatted_principal(principal_name, host_name, realm):
             return "{0}/{1}@{2}".format(principal_name, host_name, realm)
         return "{0}@{1}".format(principal_name, realm)
 
-    @staticmethod
-    def get_security_token_service_url(realm, environment):
-        # type: (str, str) -> str
-        if environment == "GCCH":
-            return "https://login.microsoftonline.us/{0}/tokens/OAuth/2".format(realm)
+    def get_security_token_service_url(self, realm):
+        # type: (str) -> str
+        if self._environment:
+            return "{0}/{1}/tokens/OAuth/2".format(
+                AzureEnvironment.get_login_authority(self._environment), realm
+            )
         else:
             return (
                 "https://accounts.accesscontrol.windows.net/{0}/tokens/OAuth/2".format(

office365/sharepoint/client_context.py

@@ -45,7 +45,7 @@ def __init__(
         self,
         base_url,
         auth_context=None,
-        environment="commercial",
+        environment=None,
         allow_ntlm=False,
         browser_mode=False,
     ):

tests/settings.cfg

@@ -19,7 +19,7 @@ client_id = 4b7eb3df-afc3-4b7d-ae1d-629f22a3fe42
 client_secret = --secret--
 
 [certificate_credentials]
-thumbprint = 3EF4F1233C1FC43D681A6E01B02EB99393C7C951
+thumbprint = 18920629918EE14DC0937791358971497E952A77
 
 [users]
 tenant_prefix = mediadev8