Alright, let's break down how to solve this problem since your school's unmanaged Azure AD tenant is blocking the regular Graph API app approach. We'll focus on direct username/password authentication methods that work for your scenario, and clear up the NTLM confusion along the way.

This library is purpose-built for interacting with Office 365 REST APIs and natively supports username/password authentication—perfect for accessing your OneDrive for Business files directly.

Step 1: Install the library #

pip install office365-rest-python-client

Step 2: Sample Code to Download Your Excel File #

Here's a script that connects to your personal OneDrive and pulls down the target .xlsx file:

from office365.sharepoint.client_context import ClientContext
from office365.runtime.auth.user_credential import UserCredential

# Your personal OneDrive URL (from your question)
site_url = "https://abcedu-my.sharepoint.com/personal/alice_abc_edu"
# Your Office 365 credentials
username = "alice@abc.edu"
password = "your_password_here"
# Path to the Excel file in your OneDrive (e.g., "Documents/MyCourseData.xlsx")
file_path = "Documents/YourTargetFile.xlsx"
# Local path to save the downloaded file
local_save_path = "./downloaded_excel.xlsx"

# Initialize the client context with your credentials
ctx = ClientContext(site_url).with_credentials(UserCredential(username, password))

# Fetch the file object from OneDrive
file = ctx.web.get_file_by_server_relative_url(file_path)
# Download the file content
file_content = file.read().execute_query()

# Save the content to your local machine
with open(local_save_path, "wb") as f:
    f.write(file_content)

print(f"File downloaded successfully to {local_save_path}")

Key Notes: #

• Replace placeholders like your_password_here and file_path with your actual details.
• If your school enforces Multi-Factor Authentication (MFA), this method won't work—we'll cover an MFA-compatible alternative later.

Since your school's tenant is unmanaged, you can't use app-level permissions for Graph API. Instead, use the ROPC flow to authenticate as your user directly (no admin consent required).

Step 1: Install the Graph SDK dependencies #

pip install msgraph-sdk azure-identity

Step 2: Register a Public Client App #

Even with an unmanaged tenant, you can create a public client app (no app secret needed):

1. Navigate to the Azure AD App Registration portal, create a new app registration.
2. Under Authentication > Advanced settings, enable "Allow public client flows".
3. Note down your Client ID—you'll need it for the code.

Step 3: Sample Code to Download via Graph API #

from msgraph import GraphServiceClient
from azure.identity import UsernamePasswordCredential

# Your app and user details
client_id = "your_client_id_here"
username = "alice@abc.edu"
password = "your_password_here"
# Get your file ID from OneDrive web: right-click the file > Embed > copy the ID from the embed URL
file_id = "your_one_drive_file_id_here"
local_save_path = "./graph_downloaded_excel.xlsx"

# Initialize credential and Graph client
credential = UsernamePasswordCredential(
    client_id=client_id,
    username=username,
    password=password,
    tenant_id="abc.edu"  # Use your school's domain as the tenant ID
)
client = GraphServiceClient(credential)

# Download the file content via Graph API
file_content = client.me.drive.items.by_id(file_id).content.get()

# Save to local file
with open(local_save_path, "wb") as f:
    f.write(file_content)

print(f"File downloaded via Graph API to {local_save_path}")

Important Caveats: #

• ROPC Limitations: This flow doesn't support MFA, and Microsoft discourages its use for production apps (due to password security risks). It's best suited for personal scripts only.
• Finding the File ID: On OneDrive web, right-click your Excel file > "Embed" > copy the long alphanumeric ID from the embed URL (looks like 01XYZABC123...).

You don't need to waste time with NTLM—it's an outdated authentication protocol that's not recommended for modern Office 365 access. Both methods above use OAuth 2.0, the current standard for Office 365 APIs, so you can ignore NTLM entirely.

If your school requires MFA, the username/password methods will fail. In that case:

• Use the Device Code Flow with either library (both support it). This will prompt you to log in via a browser on any device, which works seamlessly with MFA.
• Alternatively, reach out to your school's IT admin to convert the tenant to a managed state—this would let you use app-level permissions with Graph API properly.

内容的提问来源于stack exchange，提问作者hsluoyz