graph_login: Login to Azure Active Directory Graph

create_graph_loginR Documentation

Login to Azure Active Directory Graph


Login to Azure Active Directory Graph


create_graph_login(tenant = "common", app = NULL, password = NULL,
  username = NULL, certificate = NULL, auth_type = NULL, version = 2,
  host = "",
  aad_host = "", scopes = ".default",
  config_file = NULL, token = NULL, ...)

get_graph_login(tenant = "common", selection = NULL, app = NULL,
  scopes = NULL, auth_type = NULL, refresh = TRUE)

delete_graph_login(tenant = "common", confirm = TRUE)




The Azure Active Directory tenant for which to obtain a login client. Can be a name ("myaadtenant"), a fully qualified domain name ("" or ""), or a GUID. The default is to login via the "common" tenant, which will infer your actual tenant from your credentials.


The client/app ID to use to authenticate with Azure Active Directory. The default is to login interactively using the Azure CLI cross-platform app, but you can supply your own app credentials as well.


If auth_type == "client_credentials", the app secret; if auth_type == "resource_owner", your account password.


If auth_type == "resource_owner", your username.


If 'auth_type == "client_credentials", a certificate to authenticate with. This is a more secure alternative to using an app secret.


The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". If NULL, this is chosen based on the presence of the username and password arguments.


The Azure Active Directory version to use for authenticating.


Your Microsoft Graph host. Defaults to Change this if you are using a government or private cloud.


Azure Active Directory host for authentication. Defaults to Change this if you are using a government or private cloud.


The Microsoft Graph scopes (permissions) to obtain for this Graph login. For create_graph_login, this is used only for version=2. For get_graph_login, set this to NA to require an AAD v1.0 token.


Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI az ad sp create-for-rbac command.


Optionally, an OAuth 2.0 token, of class AzureAuth::AzureToken. This allows you to reuse the authentication details for an existing session. If supplied, all other arguments to create_graph_login will be ignored.


Other arguments passed to ms_graph$new().


For get_graph_login, if you have multiple logins for a given tenant, which one to use. This can be a number, or the input MD5 hash of the token used for the login. If not supplied, get_graph_login will print a menu and ask you to choose a login.


For get_graph_login, whether to refresh the authentication token on loading the client.


For delete_graph_login, whether to ask for confirmation before deleting.


create_graph_login creates a login client to authenticate with Microsoft Graph, using the supplied arguments. The authentication token is obtained using get_azure_token, which automatically caches and reuses tokens for subsequent sessions.

For interactive use, you would normally not supply the username and password arguments. Omitting them will prompt create_graph_login to authenticate you with AAD using your browser, which is the recommended method. If you don't have a browser available to your R session, for example if you're using RStudio Server or Azure Databricks, you can specify auth_type="device_code".

For non-interactive use, for example if you're calling AzureGraph in a deployment pipeline, the recommended authentication method is via client credentials. For this method, you supply only the password argument, which should contain the client secret for your app registration. You must also specify your own app registration ID, in the app argument.

The AzureAuth package has a vignette that goes into more detail on these authentication scenarios.

get_graph_login returns a previously created login client. If there are multiple existing clients, you can specify which client to return via the selection, app, scopes and auth_type arguments. If you don't specify which one to return, it will pop up a menu and ask you to choose one.

One difference between create_graph_login and get_graph_login is the former will delete any previously saved credentials that match the arguments it was given. You can use this to force AzureGraph to remove obsolete tokens that may be lying around.


For get_graph_login and create_graph_login, an object of class ms_graph, representing the login client. For list_graph_logins, a (possibly nested) list of such objects.

If the AzureR data directory for saving credentials does not exist, get_graph_login will throw an error.

See Also

ms_graph, AzureAuth::get_azure_token for more details on authentication methods

AzureAuth vignette on authentication scenarios

Microsoft Graph overview, REST API reference


## Not run: 

# without any arguments, this will create a client using your AAD organisational account
az <- create_graph_login()

# retrieve the login in subsequent sessions
az <- get_graph_login()

# this will create an Microsoft Graph client for the tenant '',
# using the client_credentials method
az <- create_graph_login("mytenant", app="{app_id}", password="{password}")

# you can also login using credentials in a json file
az <- create_graph_login(config_file="~/creds.json")

# creating and obtaining a login with specific scopes
create_graph_login("mytenant", scopes=c("User.Read", "Files.ReadWrite.All"))
get_graph_login("mytenant", scopes=c("User.Read", "Files.ReadWrite.All"))

# to use your personal account, set the tenant to one of the following
create_graph_login("consumers")  # requires AzureAuth 1.3.0

## End(Not run)

AzureGraph documentation built on March 18, 2022, 8:04 p.m.