Azure Active Directory Authentication Library (ADAL) for Python
ADAL for Python is a legacy library that enabled Python applications to authenticate to Azure Active Directory (AAD) to access AAD-protected web resources. It has been replaced by the Microsoft Authentication Library (MSAL) for Python, which offers broader functionality and support for newer authentication protocols and features. ADAL Python will no longer receive new feature improvements or bug fixes. The current version is 1.2.7.
Warnings
- breaking: ADAL for Python is deprecated and will not receive new features or bug fixes. All new development should use MSAL for Python (Microsoft Authentication Library). Existing applications relying on ADAL Python will continue to work, but migration to MSAL is strongly recommended.
- breaking: When migrating from ADAL to MSAL, note a fundamental change in how resources are specified. ADAL uses 'resources' (e.g., `https://graph.microsoft.com`), while MSAL uses 'scopes' (a list of strings).
- deprecated: The `api_version` parameter in `AuthenticationContext` implicitly defaulted to '1.0' in older versions. In ADAL Python 1.0.0 and later, the default value became `None`. Explicitly setting `api_version=None` is recommended to avoid deprecation warnings and ensure consistent behavior.
- gotcha: Versions of ADAL Python prior to 1.2.6 could incorrectly pick up the latest PyJWT 2.x, leading to compatibility issues.
- gotcha: Versions of ADAL Python prior to 1.2.5 might encounter an 'InvalidScope' error when using the username-password flow with federated user accounts during tenant migration.
Install
pip install adal
Imports
- AuthenticationContext
from adal import AuthenticationContext
- AdalError
from adal import AdalError
Quickstart
import os
import adal

# Set these environment variables or replace directly for testing
TENANT_ID = os.environ.get('AZURE_TENANT_ID', 'your_tenant_id_here')
CLIENT_ID = os.environ.get('AZURE_CLIENT_ID', 'your_client_id_here')
CLIENT_SECRET = os.environ.get('AZURE_CLIENT_SECRET', 'your_client_secret_here')
RESOURCE = os.environ.get('AZURE_RESOURCE', 'https://graph.microsoft.com')  # Example: Microsoft Graph URL
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"

try:
    # Initialize AuthenticationContext, explicitly setting api_version=None is recommended
    context = adal.AuthenticationContext(
        AUTHORITY,
        validate_authority=True,
        api_version=None
    )
    # Acquire a token using the client credentials flow
    # This flow is for daemon/service applications that authenticate as themselves
    token_response = context.acquire_token_with_client_credentials(
        RESOURCE,
        CLIENT_ID,
        CLIENT_SECRET
    )
    access_token = token_response.get('accessToken')
    if access_token:
        print("Successfully acquired access token.")
        print(f"Access Token (first 20 chars): {access_token[:20]}...")
        # You can now use the access_token to call the protected resource
        # Example: import requests; headers = {'Authorization': 'Bearer ' + access_token}
        # response = requests.get(f'{RESOURCE}/v1.0/users', headers=headers)
        # print(response.json())
    else:
        print("Failed to acquire access token.")
        print(token_response)
except adal.AdalError as e:
    print(f"ADAL Error: {e}")
except Exception as e:
    print(f"An unexpected error occurred: {e}")