Microsoft Graph authentication

The application

Requirements

Source code steps

How it works

Construct the sign-in link
User clicks the link and authenticates
An authorization code is sent to the Redirect URI configured in the app
Exchange the authorization code for an access token
Store the access token as well as its expiration time and the refresh token
Check if the access token has expired whenever calling the Graph API; if it has, refresh it

Create an App registration

Click "New registration" and add a name for the registration.
Make sure the selection is set to "Accounts in this organizational directory only" / single tenant
Leave the Redirect URI blank, we'll fill that in later
Click Register
In the new App registration click "Certificates and secrets"
Click "New client secret"
Select "Never", leave the description blank, and click "Add"
Copy the value into the clipboard
Also copy the "Application (client) ID" and "Directory (tenant) ID"

Create an App Service

Click "Add"
Select a subscription (add one if you don't have one already) and create a new resource group for this app
Give the app a name, which will be the site subdomain name
Leave the selection as publish code, and for the runtime stack select Python 3.7
Leave the operating system as Linux and set the Region to Canada Central
Create a new App Service Plan using the Free tier

Configure the App Service

Once your App Service is created, click "Go to resource"
Under "Settings" click "Configuration"
Add new Application Settings values:
- AZURE_APP_ID = "Application (client) ID" (from the App registration)
- AZURE_TENANT_ID = "Directory (tenant) ID" (from the App registration)
- AZURE_APP_SECRET = Client secret (from the App registration)
Save the settings
In the App Service Overview, copy the URL to the clipboard
In the App Registration in the Overview blade, click "Add a Redirect URI"
Select "Add a platform" and select "Web"
Paste the address you just copied, and add /get_token to the end

Deploy your code