Unattended Python in Azure Function Using App Authentication with Delegated Permissions

[BillingtonRWG]

I am new to authentications and might be missing something small. I am trying to have an unattended python program in an Azure function read a particular user's email, download attachments, etc... It would be ideal to use Delegated API Permissions to avoid giving the application access to all emails/files and then having to find ways to restrict them.

`
credentials = ('xxx','yyy')

account = O365.Account(credentials, tenant_id='zzz')

my_scopes=['basic','message_all','onedrive_all','address_book_shared']

if not account.is_authenticated:

if account.authenticate(scopes=['basic','message_all','onedrive_all','address_book_shared']):

   print('Authenticated!')

`

I am able to do the authentication in the console and run the library no problem. (Great, BTW)

What I don't understand is how to capture the result of that authentication and use it later when the program is moved to an Azure function. I can see the final URL after I click the grant access button is essentially one large code. I know that code has to be the thing I need to use other places, but just can't seem to figure out how to use it. (Essentially make the azure resident python code do a 1-step authentication)

These examples get close, but I just can't seem to make my adaptation work:
The flask implementation just automates the same authentication dialogue from the console.

The example for FileSystem TokenBackend is confusing to me.
I think what I'm trying to do is:

1. Run an authentication locally (as in above code) but retrieve the special code/token. Save that locally.
2. Have a python program that starts and uses that file (the output of the authorization) so that we can just use the application authentication for the rest of it.

I know I'm missing something, or it's impossible and microsoft just doesn't want to allow an unattended python function from accessing with delegated permissions.

[alejcas]

The FileTokenBackend (default one) stores the auth token on a txt file in the file system.
This token contains what is needed to authenticate.

Note that the token is only valid for 1 hour and the app will try to refresh it (automatically provided you added the offline_access permission)

There are other TockenBackends available (for databases, environment, etc) or you can make your own. The thing is the token needs to be read and write from somewhere...

I think you should read the readme more carefully as all this is explained there.