
GraphServiceClient token cache persistence and CAE control #1355

@danijel3

Is your feature request related to a problem? Please describe the problem.

As outlined in this issue: Azure/azure-sdk-for-python#42898

Given this example code:

```python
from pathlib import Path

from azure.identity import (
    AuthenticationRecord,
    DeviceCodeCredential,
    TokenCachePersistenceOptions,
)
from msgraph import GraphServiceClient

# azure_settings is the application's own configuration mapping
# (clientId, tenantId, graphScope); it is not defined in this snippet.
token_cache_options = TokenCachePersistenceOptions(name="MyApp")

if Path("cred.json").exists():
    # Reuse the account recorded by an earlier interactive sign-in.
    with open("cred.json", "r") as f:
        deserealized_record = AuthenticationRecord.deserialize(f.read())

    device_credential = DeviceCodeCredential(
        client_id=azure_settings["clientId"],
        tenant_id=azure_settings["tenantId"],
        authentication_record=deserealized_record,
        cache_persistence_options=token_cache_options,
        disable_automatic_authentication=True,
    )
else:
    device_credential = DeviceCodeCredential(
        client_id=azure_settings["clientId"],
        tenant_id=azure_settings["tenantId"],
        cache_persistence_options=token_cache_options,
        disable_automatic_authentication=True,
    )

    # First run: sign in interactively and save the authentication record.
    record = device_credential.authenticate(scopes=azure_settings["graphScope"])

    with open("cred.json", "w") as f:
        f.write(record.serialize())

app_client = GraphServiceClient(
    credentials=device_credential, scopes=azure_settings["graphScope"]
)

# do something with app_client, eg: `app_client.me.get()`
```

We will not be able to achieve token cache persistence, because by default, the AzureIdentityAuthenticationProvider used internally by the GraphServiceClient has its CAE setting set to True while the DeviceCodeCredential.authenticate method defaults it to False. Setting the value in authenticate explicitly to True makes the code work:

```python
record = device_credential.authenticate(scopes=azure_settings["graphScope"], enable_cae=True)
```

But this leaves one issue - if (for some reason) someone wants to set the above value to False, they will never be able to make the code work using the current implementation of the GraphServiceClient.

Describe the solution you'd like.

It is my suggestion to add an argument to the GraphServiceClient initializer method to allow controlling the is_cae_enabled parameter of the AzureIdentityAuthenticationProvider object created inside.

Additional context?

No response
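
The cache miss described in this issue, reproduced as an added stand-alone model; it is not code from the issue, from azure-identity or from msgraph. `ModelCache`, `ModelCredential`, `ModelAuthProvider` and `run_scenario` are hypothetical names, and the two-partition cache layout is an assumption made to show why the CAE setting used at sign-in must match the one used by the client.

```python
# Simplified model, not azure-identity or msgraph code: the persistent token
# cache is assumed to keep CAE and non-CAE tokens in separate partitions.

class AuthenticationRequired(Exception):
    """Stand-in for the error raised when silent authentication fails."""

class ModelCache:
    """One partition per CAE setting (assumed layout)."""
    def __init__(self):
        self.partitions = {True: {}, False: {}}

class ModelCredential:
    """Mimics a credential created with disable_automatic_authentication=True."""
    def __init__(self, cache):
        self.cache = cache

    def authenticate(self, scopes, enable_cae=False):
        # Interactive sign-in: the token is stored only in the chosen partition.
        self.cache.partitions[enable_cae][scopes] = f"token(cae={enable_cae})"

    def get_token(self, scopes, enable_cae=False):
        # Silent lookup only: a miss cannot fall back to a new prompt.
        token = self.cache.partitions[enable_cae].get(scopes)
        if token is None:
            raise AuthenticationRequired(f"no cached token for cae={enable_cae}")
        return token

class ModelAuthProvider:
    """Mimics the provider built inside the client; CAE is on by default."""
    def __init__(self, credential, scopes, is_cae_enabled=True):
        self.credential, self.scopes = credential, scopes
        self.is_cae_enabled = is_cae_enabled

    def token_for_request(self):
        return self.credential.get_token(self.scopes, enable_cae=self.is_cae_enabled)

def run_scenario(authenticate_cae, provider_cae):
    """Return 'hit' if the provider can reuse the token stored at sign-in."""
    credential = ModelCredential(ModelCache())
    credential.authenticate("User.Read", enable_cae=authenticate_cae)  # constructed scope
    try:
        ModelAuthProvider(credential, "User.Read", provider_cae).token_for_request()
        return "hit"
    except AuthenticationRequired:
        return "miss"

if __name__ == "__main__":
    print("issue as reported:     ", run_scenario(False, True))
    print("enable_cae=True fix:   ", run_scenario(True, True))
    print("requested client flag: ", run_scenario(False, False))
```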
