Authenticating to Microsoft 365

Hong Ooi

Authentication

To authenticate with Azure Active Directory, simply call one of the Microsoft365R client functions.

get_personal_onedrive()
get_business_onedrive()
get_personal_outlook()
get_business_outlook()
get_sharepoint_site()
get_team()

Notice that you do not provide your username and password in the function call. Instead, Microsoft365R will use your Internet browser to obtain your credentials, in a similar manner to other web apps. You will get a dialog box asking for permission to access your information. Your login information is saved, so you should only have to authenticate once.

Using the device code flow

The default authentication method assumes that your R session can access the Internet via a browser. If this is not the case, for example if you are using Databricks or RStudio Server, you can switch to the device code flow by passing the auth_type="device_code" argument:

get_personal_onedrive(auth_type="device_code")

This will print an access code and URL on the screen. You log in to the URL using a browser on another device, and type in the code. Once this is done, Microsoft365R will complete the authentication process. Again, you do not provide your username and password in the function call.

Specifying the tenant

When authenticating to the Microsoft 365 Business services, Microsoft365R will detect your Azure Active Directory tenant from your logged-in credentials in the browser. Sometimes this doesn’t work, in particular if you are logged in with a personal account that is also a guest account in a tenant. To solve this, specify your tenant name with the tenant argument:

get_business_onedrive(tenant="mytenant")
get_business_outlook(tenant="mytenant")
get_sharepoint_site("My site", tenant="mytenant")
get_team("My team", tenant="mytenant")

App registration and approvals

For authentication purposes, the package is registered as an app in the ‘aicatr’ AAD tenant; depending on your organisation’s security policy, you may have to get an admin to grant it access to your tenant. See app_registration.md for details on the app, including the permissions it requires.

Using your own app registration

Rather than getting the Microsoft365R app approved, you can also use your own app registration for authentication. If you want to use the default authorization code flow, the app registration should have a mobile & desktop redirect URI of https://localhost:1410 (not a web or SPA redirect). If you want to use the device code flow, the “Allow native client” setting should be enabled. Your app should also have the same default permissions as the Microsoft365R app (see above).

Once the app has been registered, you can pass the app ID to Microsoft365R in a couple of ways.

Using other app registrations: last-resort workarounds

The above methods are the recommended solutions to dealing with access restrictions on Microsoft365R. If they are not feasible, it’s possible to work around these issues by piggybacking on other apps:

Be warned that these workarounds may draw the attention of your admin!

Other issues

The AzureR packages save your login sessions so that you don’t need to reauthenticate each time. If you’re experiencing authentication failures, you can try clearing the saved data by running the following code:

AzureAuth::clean_token_directory()
AzureGraph::delete_graph_login(tenant="mytenant")

You can also consult the vignettes from the AzureAuth and AzureGraph packages for more information on this topic.
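
Because login sessions are saved on disk, it can be useful to see what is cached before clearing everything. The following is an added example, not part of the original vignette or the package's own code. It assumes the AzureAuth package is installed and uses its list_azure_tokens() and AzureR_dir() functions; the helper names nz, audit_cached_tokens and cache_dir_is_private are hypothetical.

```r
library(AzureAuth)

# Return NA instead of NULL so data.frame() always gets a length-1 value.
nz <- function(x) if(is.null(x)) NA_character_ else as.character(x)

# Summarise each cached token: tenant, app registration, how it was obtained,
# when the access token expires, and whether a refresh token is stored.
audit_cached_tokens <- function()
{
    tokens <- list_azure_tokens()   # list named by token hash
    if(length(tokens) == 0)
        return(data.frame())
    rows <- lapply(names(tokens), function(hash)
    {
        tok <- tokens[[hash]]
        expiry <- as.POSIXct(as.numeric(nz(tok$credentials$expires_on)),
                             origin="1970-01-01", tz="UTC")
        data.frame(
            hash=hash,
            tenant=nz(tok$tenant),
            app_id=nz(tok$client$client_id),
            auth_type=nz(tok$auth_type),
            expires_utc=format(expiry, "%Y-%m-%d %H:%M:%S"),
            has_refresh_token=!is.null(tok$credentials$refresh_token),
            stringsAsFactors=FALSE)
    })
    do.call(rbind, rows)
}

# TRUE if the cache directory grants no access to group or others.
# Only meaningful on Unix-alikes; Windows ACLs are not reflected in the mode.
cache_dir_is_private <- function(path=AzureR_dir())
{
    mode <- as.integer(file.info(path)$mode)
    if(is.na(mode))
        return(TRUE)   # no cache directory, so nothing is exposed
    bitwAnd(mode, strtoi("077", 8L)) == 0L
}

print(audit_cached_tokens())
if(.Platform$OS.type == "unix" && !cache_dir_is_private())
    warning("Token cache ", AzureR_dir(), " is accessible to group or other users")
```

A single stale entry can then be removed with AzureAuth::delete_azure_token(hash=...) using a hash from the table, rather than clearing the whole directory.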