I want to search my MS 365 content from a Python script. In other words: I want to do the same search I can do here: https://m365.cloud.microsoft
Search: Emails, Teams chats, Contacts, Documents
(this used to be https://www.bing.com/work )
I want to do this using Graph API, and I have used the Explorer tool successfully to find some API calls that do what I want and they work fine in the Explorer (return expected json). https://developer.microsoft.com/en-us/graph/graph-explorer
I am a member of a large organization, and do not have any special permissions in this Org.
After reading the docs for two days and playing with various Python code examples, and running into various "Permission denied" and "Admin approval required" messages, it seems the only way to do this with a command line script is by registering an "App" in Entra in my organisation tenant, supplying the Application (client) ID to my Python script, and approving (consenting) all needed Graph APIs (again in Entra)? But this can only be done by an admin of my organisation. This seems to be required even if the app is just doing delegated access (on behalf of the user).
I understand the idea is added security, but if I am able to access all my content simply through
why is there no way for a script (that is logged in acting on my behalf) to retrieve the same information?
Or maybe there is - in that case please explain how.
The basic simple idea is to have a Python script that can be used from the command line to search my MS content, and when called opens a browser window to log me in, and then just retrieves the data. Something that can be shared on GitHub being usable by anyone without needing any "App registration".
Note: another hack seems to be to just use a common App ID from a Microsoft tool that is typically registered by default. E.g. I found appid 14d82eec-204b-4c2f-b7e8-296a70dab67e which seems to be from MS Graph PowerShell having wide permission. But it seems that is locked/disabled on my organisation. I am assuming the Graph Explorer must also have an app ID with broad permissions, if anyone managed to reverse engineer that I am willing to give it a try.
It turns out there is a way without having to register an app for a client ID, and it is actually quite simple.
It's not suitable for production use, though it's more than fine for development and testing purposes.
Steps:
1. Log in to the Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
2. To the right of the upper part of the request details, there is a tab called "Access token".
3. Copy that value and use it in HTTP requests with an 'Authorization': f'Bearer {access_token}' header.
Works with all Graph API methods, no pre-approval needed. :-)
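The steps above as a script, added here as an example (not part of the answer and not Microsoft's code): it inspects the pasted token's audience, expiry and delegated scopes before sending a Microsoft Search API request with the Bearer header. Assumptions: the token is supplied in a `GRAPH_TOKEN` environment variable, it is a JWT carrying `aud`, `exp` and `scp` claims, and the function names are hypothetical.

```python
import base64
import json
import os
import time
import urllib.request

GRAPH_SEARCH_URL = "https://graph.microsoft.com/v1.0/search/query"
# Assumption: audience values carried by Graph tokens (resource URI or Graph's app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, now=None, min_seconds_left=60):
    """Return the delegated scopes; raise if the token is expired or not for Graph."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    if str(claims.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        raise ValueError(f"unexpected audience: {claims.get('aud')!r}")
    if claims.get("exp", 0) - now < min_seconds_left:
        raise ValueError("token expired or about to expire; copy a fresh one")
    return claims.get("scp", "").split()

def build_search_request(token, query, entity_type="message", size=10):
    """Build (but do not send) the POST to the Microsoft Search API."""
    body = {"requests": [{"entityTypes": [entity_type],
                          "query": {"queryString": query},
                          "from": 0, "size": size}]}
    return urllib.request.Request(
        GRAPH_SEARCH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    # Read the token from the environment so it never lands in source control.
    tok = os.environ["GRAPH_TOKEN"]
    print("scopes:", check_token(tok))
    with urllib.request.urlopen(build_search_request(tok, "quarterly report")) as resp:
        for container in json.load(resp)["value"][0]["hitsContainers"]:
            for hit in container.get("hits", []):
                print(hit["hitId"], hit.get("summary", ""))
```

The scope list printed first shows what the pasted token can reach; a search for an entity type whose scope is missing from it is rejected by Graph.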