domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

msgraph DeviceFlow selecting wrong scope #471

Closed Brassn closed 7 months ago

Brassn commented 7 months ago

While trying to use the DeviceCode flow to log in to an account and read from its own mailbox using delegated permissions I was constantly hit with the "Admin consent is required for the permissions requested by this application." message.

This is because the property "user" from the config is ignored when using DeviceCode, so "Mail.ReadWrite.Shared" is always selected, whereas it should be "Mail.ReadWrite" when user and mailbox match. https://github.com/domainaware/parsedmarc/blob/7d2b431e5f20bdcdb330c4fbb23ce7df5fb0642f/parsedmarc/mail/graph.py#L107-L113

Also neither the DeviceCodeCredential nor the UsernamePasswordCredential classes from the Azure library require a client_secret, but the config parsing of parsedmarc does. However I cannot verify this change for UsernamePasswordCredential in practice, as it is only available for personal Microsoft accounts.

For those coming along: For the DeviceCode flow it is required that the app in Microsoft Entra / Azure allows "public client flows", otherwise the login works but parsedmarc immediately throws AADSTS7000218 afterwards while trying to call the API. The setting is found under "Manage" and then "Authentication" in the app registrations, not enterprise applications.
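The scope selection and config validation the issue asks for, as an added example that is not parsedmarc's own code: the scope is chosen by comparing the configured user with the target mailbox, and a client secret is only demanded for the ClientSecret method. The config key names (`auth_method`, `user`, `mailbox`, `client_secret`, ...) are assumed to mirror parsedmarc's `[msgraph]` options; the required-key table is an assumption modelled on the azure.identity credential constructors.

```python
from typing import Dict, List, Optional

# Constructed illustration of the behaviour described in the issue; not parsedmarc's code.
# Delegated Microsoft Graph scopes named in the issue.
SCOPE_OWN_MAILBOX = "https://graph.microsoft.com/Mail.ReadWrite"
SCOPE_SHARED_MAILBOX = "https://graph.microsoft.com/Mail.ReadWrite.Shared"

# Config keys each auth method needs (assumption: DeviceCodeCredential and
# UsernamePasswordCredential take no client secret; only ClientSecretCredential does).
REQUIRED_KEYS: Dict[str, List[str]] = {
    "ClientSecret": ["tenant_id", "client_id", "client_secret"],
    "DeviceCode": ["tenant_id", "client_id"],
    "UsernamePassword": ["tenant_id", "client_id", "user", "password"],
}


def select_graph_scope(user: Optional[str], mailbox: Optional[str]) -> str:
    """Pick the narrowest delegated scope for the signed-in user.

    Mail.ReadWrite is enough when the account reads its own mailbox; the
    broader Mail.ReadWrite.Shared is only needed for a different (shared)
    mailbox. Ignoring `user` and always requesting .Shared is the defect
    reported in the issue.
    """
    if not user:
        # No signed-in user configured: keep the broader scope as a fallback.
        return SCOPE_SHARED_MAILBOX
    if not mailbox or mailbox.strip().lower() == user.strip().lower():
        return SCOPE_OWN_MAILBOX
    return SCOPE_SHARED_MAILBOX


def validate_graph_config(config: Dict[str, str]) -> List[str]:
    """Return the config keys missing for config['auth_method'] (empty when complete)."""
    method = config.get("auth_method", "")
    if method not in REQUIRED_KEYS:
        raise ValueError(f"unknown auth_method {method!r}")
    return [key for key in REQUIRED_KEYS[method] if not config.get(key)]
```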