Microsoft Azure Graph RBAC Client Library for Python

0.61.2 · abandoned · verified Thu Apr 09

The `azure-graphrbac` client library for Python provided an interface to manage Azure Active Directory (Azure AD) resources, such as users, groups, and service principals, through the Azure AD Graph API. This library is effectively abandoned due to the deprecation and upcoming retirement of the underlying Azure AD Graph API, which was superseded by Microsoft Graph. The last release was in August 2020, and it is no longer actively maintained.

Warnings

breaking The underlying Azure AD Graph API is officially deprecated and will be retired. Applications using `azure-graphrbac` will eventually cease to function as the API endpoints are removed. Microsoft has ceased investment in Azure AD Graph as of June 30, 2022.
Fix: Migrate all functionality to use the Microsoft Graph API. The recommended Python SDK for Microsoft Graph is `microsoft-graph-sdk` or using `requests` with `azure-identity` to call the Microsoft Graph REST API directly.
deprecated `azure-graphrbac` itself is deprecated and no longer receives updates or bug fixes, as its last release was in August 2020. Using this library for new development is strongly discouraged.
Fix: Use the Microsoft Graph API for all new development concerning Azure Active Directory resources. Consider `azure-identity` for authentication and `microsoft-graph-sdk` or direct REST API calls for resource management.
gotcha Modern Azure SDK authentication methods (e.g., `DefaultAzureCredential` from `azure-identity`) are generally not directly compatible with the older `azure-graphrbac` client library without additional integration layers. It typically expects `ServicePrincipalCredentials` or `ApplicationTokenCredentials`.
Fix: If you must use `azure-graphrbac` for legacy reasons, continue to use `msrestazure.azure_active_directory.ServicePrincipalCredentials` for authentication. For modern applications, migrate to Microsoft Graph and its compatible authentication methods.

Install

pip install azure-graphrbac Install stable version

Imports

GraphRbacManagementClient
```
from azure.graphrbac import GraphRbacManagementClient
```
The client is in the top-level `azure.graphrbac` namespace, not `azure.mgmt.graphrbac`.
ServicePrincipalCredentials
```
from msrestazure.azure_active_directory import ServicePrincipalCredentials
```
This is the typical credential type used with older Azure SDKs like `azure-graphrbac`.

Quickstart

This quickstart demonstrates how to instantiate `GraphRbacManagementClient` using a service principal and list users. Ensure your service principal has appropriate permissions (e.g., 'User.Read.All') in Azure AD. This library relies on the now-deprecated Azure AD Graph API.

import os
from msrestazure.azure_active_directory import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient

tenant_id = os.environ.get('AZURE_TENANT_ID', '')
client_id = os.environ.get('AZURE_CLIENT_ID', '')
client_secret = os.environ.get('AZURE_CLIENT_SECRET', '')

if not all([tenant_id, client_id, client_secret]):
    print("Please set AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET environment variables.")
else:
    try:
        # Authenticate using Service Principal Credentials
        credentials = ServicePrincipalCredentials(
            client_id=client_id,
            secret=client_secret,
            tenant=tenant_id
        )

        # Create the Graph RBAC client
        graph_client = GraphRbacManagementClient(credentials, tenant_id)

        # Example: List users (will only work if service principal has sufficient permissions)
        print("Listing first 5 users...")
        users = list(graph_client.users.list())[:5]
        if users:
            for user in users:
                print(f"  User ID: {user.object_id}, Display Name: {user.display_name}")
        else:
            print("No users found or insufficient permissions.")

    except Exception as e:
        print(f"An error occurred: {e}")

view raw JSON →