To use @thingsai/msft-todo-cli-mcp, you need an Azure AD app registration. This is free — no paid Azure subscription required. The app uses OAuth 2.0 with PKCE (a public client flow), so no client secret is needed.
Go to Azure Portal → App registrations and click New registration.
- Name:
Todo CLI - Supported account types — choose based on which accounts you'll use:
- "Personal Microsoft accounts only" — for @outlook.com, @hotmail.com, @live.com
- "Accounts in any organizational directory and personal Microsoft accounts" — for work/school + personal accounts
- Redirect URI:
- Platform: Public client/native (mobile & desktop)
- URI:
http://localhost:3847/callback
Click Register.
Go to Authentication in the left sidebar. Under Advanced settings, set:
- Allow public client flows → Yes
Click Save.
Go to API permissions in the left sidebar.
- Click Add a permission → Microsoft Graph → Delegated permissions
- Search for
Tasks.ReadWriteand check it, then click Add permissions - Remove the default
User.Readpermission (click ⋯ → Remove permission → confirm)
Go to Overview. Copy the Application (client) ID — you'll need this for todo setup.
Note: Do not create a client secret. This app uses PKCE (public client flow) and does not need one.
- Azure CLI installed
- Logged in:
az login
az ad app create \
--display-name "Todo CLI" \
--public-client-redirect-uris "http://localhost:3847/callback" \
--sign-in-audience "AzureADandPersonalMicrosoftAccount" \
--query appId -o tsvThis prints your Application (client) ID. Save it.
--sign-in-audience options:
| Value | Description |
|---|---|
PersonalMicrosoftAccount |
Personal Microsoft accounts only (@outlook.com, @hotmail.com, @live.com) |
AzureADandPersonalMicrosoftAccount |
Work/school + personal accounts |
AzureADMyOrg |
Single organization only |
# Microsoft Graph app ID: 00000003-0000-0000-c000-000000000000
# Tasks.ReadWrite permission ID: 2219042f-cab5-40cc-b0d2-16b1540b4c5f
az ad app permission add \
--id <your-client-id> \
--api 00000003-0000-0000-c000-000000000000 \
--api-permissions 2219042f-cab5-40cc-b0d2-16b1540b4c5f=ScopeReplace <your-client-id> with the ID from the previous step.
| Account type | Tenant value | Example domains |
|---|---|---|
| Personal accounts | consumers (the default) |
@outlook.com, @hotmail.com, @live.com |
| Work/school accounts | common or your org's tenant ID |
@yourcompany.com |
To set the tenant explicitly:
export TODO_MCP_TENANT="common"Personal Microsoft accounts without a mailbox may hit this error. Solution: Ensure you have a valid Microsoft To Do account — sign in at https://to.do first to provision your mailbox.
Double-check your client ID and confirm the app registration exists in the correct tenant. If you registered for personal accounts only, ensure you're logging in with a personal account.
The user needs to consent to the requested permissions. This happens automatically during todo setup — follow the browser prompt to grant consent.
Ensure the redirect URI is exactly http://localhost:3847/callback and the platform is set to Public client/native (mobile & desktop). A mismatch in scheme, port, or path will cause authentication to fail.