There are a number of ways to authenticate to the Microsoft Graph API with AzureGraph. This vignette goes through the most common scenarios.
This is the scenario where you’re using R interactively, such as in
your local desktop or laptop, or in a hosted RStudio Server, Jupyter
notebook or ssh session. The first time you authenticate with
AzureGraph, you run
Notice that you don’t enter your username and password.
AzureGraph will attempt to detect which authentication flow to use, based on your session details. In most cases, it will bring up the Azure Active Directory (AAD) login page in your browser, which is where you enter your user credentials. This is also known as the “authorization code” flow.
There are some complications to be aware of:
If you are running R in a hosted session, trying to start a
browser will usually fail. In this case, specify the device code
authentication flow, with the
If you have a personal account that is also a guest in an organisational tenant, you may have to specify your tenant explicitly:
By default, AzureGraph identifies itself using the Azure CLI app
registration ID. This is meant for working with the AAD part of the
Graph API, so it has permissions which are relevant for this purpose. If
you are using Graph for other purposes (eg to interact with Microsoft
365 services), you’ll need to supply your own app ID that has the
correct permissions. On the client side, you supply the app ID via the
app argument; see later for creating the app registration
on the server side.
All of the above arguments can be combined, eg this will authenticate using the device code flow, with an explicit tenant name, and a custom app ID:
If needed, you can also supply other arguments that will be passed to
Having created the login, in subsequent sessions you run
get_graph_login(). This will load your previous
authentication details, saving you from having to login again. If you
specified the tenant in the
you’ll also need to specify it for
other arguments don’t have to be repeated.
This is the scenario where you want to use AzureGraph as part of an automated script or unattended session, for example in a deployment pipeline. The appropriate authentication flow in this case is the client credentials flow.
For this scenario, you must have a custom app ID and client secret.
On the client side, these are supplied in the
password arguments; see later for creating the app
registration on the server side. You must also specify your tenant as
AAD won’t be able to detect it from a user’s credentials.
In the non-interactive scenario, you don’t use
get_graph_login(); instead, you simply call
create_graph_login() as part of your script.
This part is meant mostly for Azure tenant administrators, or users who have the appropriate rights to create AAD app registrations.
You can create a new app registration using any of the usual methods.
For example to create an app registration in the Azure Portal
https://portal.azure.com/), click on “Azure Active
Directory” in the menu bar down the left, go to “App registrations” and
click on “New registration”. Name the app something suitable, eg
“AzureGraph custom app”.
http://localhost:1410. This is appropriate
if your users will be running R on their local PCs, with an Internet
Once the app registration has been created, note the app ID and, if applicable, the client secret. The latter can’t be viewed after app creation, so make sure you note its value now.
It’s also possible to authenticate with a client certificate (public key), but this is more complex and we won’t go into it here. For more details, see the Azure Active Directory documentation and the AzureAuth intro vignette.
For your app to be useful, you must give it the appropriate permisssions for the Microsoft Graph API. You can set this by going to the “API permissions” pane for your app registration, then clicking on “Add a permission”. Choose the Microsoft Graph API, and then enable the permissions that you need.