Microsoft Authentication Library (MSAL) for Python

Version 1.35.1; verified Tue May 12; auth: no; python install: verified; quickstart: stale

The Microsoft Authentication Library (MSAL) for Python enables your app to access the Microsoft Cloud by supporting authentication with Microsoft Azure Active Directory (AAD) and Microsoft Accounts (MSA) using OAuth2 and OpenID Connect. Current version is 1.35.1, with regular updates addressing bugs and feature enhancements.

pip install msal
error {'error': 'invalid_grant', 'error_description': 'AADSTS...'}
cause This general error indicates that the provided credentials or authorization grant is invalid, often due to expired credentials, MFA requirements, incorrect client secret/certificate, or misconfiguration of the application or tenant in Azure AD.
fix Examine the 'error_description' field for the specific AADSTS error code and consult the Microsoft Entra ID documentation for that code. If Multi-Factor Authentication (MFA) is required, use an interactive token acquisition flow such as acquire_token_interactive. Ensure your client secret or certificate is valid and not expired, and that your application's permissions and configuration in Azure AD are correct.
error `app.acquire_token_silent` returns None or hangs
cause `acquire_token_silent` attempts to retrieve a token from the cache without user interaction. It returns `None` if no suitable token is found (e.g., the token expired, or an interactive step like MFA or consent is required). In some environments, like EC2, it might hang due to underlying network or configuration issues preventing silent acquisition.
fix Always implement a fallback to an interactive token acquisition flow (e.g., acquire_token_interactive or acquire_token_by_authorization_code) when acquire_token_silent returns None. For hanging issues, verify network connectivity and ensure the application is correctly configured for the specific deployment environment.
error KeyError: 'expires_in'
cause This error occurs when an attempt is made to access the 'expires_in' key in a dictionary returned by an MSAL token acquisition method, but the key is not present. This usually happens if the token acquisition failed or the response object does not contain the expected 'expires_in' field due to an unexpected format or an error condition.
fix Before accessing specific keys like 'expires_in', always check whether the key exists in the result dictionary. MSAL's successful responses contain 'access_token', while error responses contain 'error' and 'error_description'.
error ValueError: The issuer '{iss}' does not match the authority '{auth}' or a known pattern.
cause This `ValueError` indicates that the authority URL provided during MSAL application initialization (e.g., in `ConfidentialClientApplication`) does not correctly match the issuer URL discovered from the OpenID Connect metadata endpoint for that authority. This is typically caused by a typo in the authority URL, an incorrect tenant ID, or a mismatch in the Azure AD configuration.
fix Double-check the authority URL passed to your MSAL application. Ensure it is precisely formatted (e.g., https://login.microsoftonline.com/{tenant_id} or https://login.microsoftonline.com/common) and that the tenant ID or name is correct and valid for your Azure AD setup.
breaking Support for the Resource Owner Password Credentials (ROPC) flow is deprecated.
fix Update your authentication flow to use authorization code flow or other supported options.
gotcha Environment variable names are case-sensitive; a variable set with different casing from the name your code reads is silently ignored.
fix Always use uppercase letters for environment variable names, and read them with exactly that spelling.
breaking Tenant ID or authority URL is incorrect or not found, leading to OIDC Discovery failure (AADSTS90002).
fix Ensure the tenant ID or tenant name in the authority URL is correct and valid. Verify it against your Azure Active Directory / Microsoft Entra ID configuration. Double-check the format of the authority URL, e.g., 'https://login.microsoftonline.com/<tenant_id>' or 'https://login.microsoftonline.com/<tenant_name>.onmicrosoft.com'.
breaking Failed to get MSAL authority configuration due to an invalid or not found tenant ID in the provided authority URL.
fix Ensure the tenant ID or tenant name in the MSAL authority URL is correct and exists within the specified Microsoft Entra ID (Azure AD) cloud instance. Double-check the authority URL format. Examples include https://login.microsoftonline.com/your_tenant_id or https://tenant_name.ciamlogin.com or https://tenant_name.b2clogin.com/tenant.onmicrosoft.com/policy.
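The key checks and the silent-then-interactive fallback described in the entries above, as an added example that is not MSAL's own code. It assumes only the response shape the entries describe (a dict with 'access_token' on success, 'error' and 'error_description' on failure, and None from acquire_token_silent when nothing usable is cached), so it runs offline without the msal package; the sample responses are constructed.

```python
import re
from typing import Callable, Optional

_AADSTS = re.compile(r"AADSTS\d+")


def aadsts_code(result: dict) -> Optional[str]:
    """Return the AADSTS code quoted in an error response (e.g. 'AADSTS90002'), or None."""
    match = _AADSTS.search(result.get("error_description", ""))
    return match.group(0) if match else None


def access_token(result: Optional[dict]) -> str:
    """Return the bearer token, or raise with the specific reason.
    Error responses carry no 'access_token' and no 'expires_in', so keys are
    tested before use instead of indexed blindly."""
    if result is None:  # acquire_token_silent found nothing usable in the cache
        raise LookupError("no usable cached token; interactive acquisition required")
    if "access_token" in result:
        return result["access_token"]
    if "error" in result:
        code = aadsts_code(result) or "no AADSTS code"
        raise PermissionError(f"{result['error']} ({code}): {result.get('error_description', '')}")
    raise ValueError(f"unexpected MSAL response keys: {sorted(result)}")


def expires_in_seconds(result: dict, default: int = 0) -> int:
    """Read 'expires_in' without a KeyError; the value may arrive as int or str."""
    try:
        return int(result.get("expires_in", default))
    except (TypeError, ValueError):
        return default


def acquire_with_fallback(silent: Callable[[], Optional[dict]],
                          interactive: Callable[[], dict]) -> dict:
    """Try the cache first (no UI); fall back to an interactive flow when the silent
    attempt yields None or an error (e.g. MFA or consent required). In real use the
    callables wrap app.acquire_token_silent(...) and app.acquire_token_interactive(...)."""
    result = silent()
    if result is None or "access_token" not in result:
        result = interactive()
    return result


# Constructed sample responses for an offline run (not real tokens or tenants).
SAMPLE_OK = {"access_token": "eyJ.constructed.token", "expires_in": "3599", "token_type": "Bearer"}
SAMPLE_ERR = {"error": "invalid_request",
              "error_description": "AADSTS90002: Tenant 'example-tenant' not found (constructed)."}
```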
python  os / libc      status  wheel  install  import  disk
3.9     alpine (musl)          -      -        0.20s   37.7M
3.9     slim (glibc)           -      -        0.18s   38M
3.10    alpine (musl)          -      -        0.23s   37.6M
3.10    slim (glibc)           -      -        0.20s   38M
3.11    alpine (musl)          -      -        0.30s   40.1M
3.11    slim (glibc)           -      -        0.26s   40M
3.12    alpine (musl)          -      -        0.25s   31.8M
3.12    slim (glibc)           -      -        0.27s   32M
3.13    alpine (musl)          -      -        0.23s   31.4M
3.13    slim (glibc)           -      -        0.23s   32M

This quickstart acquires an app-only access token for Microsoft Graph from Azure AD using the client-credentials flow, and checks the result before using it.

import os
from msal import ConfidentialClientApplication

# Read the app registration's credentials from the environment; fail loudly if they are missing
# rather than sending an empty client ID or secret to the token endpoint.
client_id = os.environ['AZURE_CLIENT_ID']
client_secret = os.environ['AZURE_CLIENT_SECRET']
authority = 'https://login.microsoftonline.com/your_tenant_id'
app = ConfidentialClientApplication(client_id, authority=authority, client_credential=client_secret)
# Client-credentials flow: the app authenticates as itself, so no user interaction is involved.
token_response = app.acquire_token_for_client(scopes=['https://graph.microsoft.com/.default'])
if 'access_token' in token_response:
    access_token = token_response['access_token']  # send as a Bearer header; do not print or log it
    print('token acquired; expires in', token_response.get('expires_in'), 'seconds')
else:
    print('token request failed:', token_response.get('error'), token_response.get('error_description'))