import requests
from config import TENANT_ID, CLIENT_ID, CLIENT_SECRET


def get_access_token(scope: str = "https://graph.microsoft.com/.default"):
    """Request an application token from Microsoft identity platform."""
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    data = {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": scope,
    }
    try:
        res = requests.post(url, data=data, timeout=15)
        res.raise_for_status()
        token = res.json().get("access_token")
        if not token:
            raise RuntimeError("Token endpoint returned no access_token")
        return token
    except requests.RequestException as exc:
        raise RuntimeError(f"Failed to obtain access token: {exc}") from exc