This CLI calls Microsoft Graph. Every token used by commands must be a Microsoft Graph access token. Tokens captured from the Microsoft Teams web or desktop client, including `fossteams/teams-token` files such as `~/.config/fossteams/token-teams.jwt`, are issued for Teams-specific audiences and will fail against Graph with `InvalidAuthenticationToken: Invalid audience`.
78
+
79
+
For normal delegated use, the CLI defaults to the OSO public client app and the `organizations` authority:
80
+
81
+
```bash
82
+
teams auth login # Browser-based login
83
+
teams auth login --device-code # SSH, containers, and remote terminals
84
+
teams auth doctor --output json # Inspect client, tenant, token source, and token audience
85
+
```
86
+
77
87
For AI agents and automation, use **client credentials** (fully headless, no browser):
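Review bot: The `teams auth doctor --output json` line in the new code block says it inspects the token source and token audience, but the section does not say whether the raw token appears in that output. This is the command users will paste into bug reports, so state here that only decoded claims are printed, or redact the token by default if it is printed. The paragraph also names the OSO public client app and the `organizations` authority without listing the Graph scopes the default login requests; a one-line list would help admins who have to approve consent.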
Tools such as `fossteams/teams-token` are attractive because they avoid Entra app registration and consent setup, especially in tenants where users cannot approve third-party apps themselves. That is a real usability signal: `teams auth login` should be easy to diagnose, should support browser and device-code flows clearly, and should not make users reverse-engineer token audiences.
122
+
123
+
The supported fix is better Graph-native auth, not reusing Teams client tokens. A Teams, Skype, ChatSvcAgg, or ID token cannot be converted into a Graph token by this CLI. Use one of these paths instead:
124
+
125
+
- Delegated login with an approved Entra app for human-driven commands.
126
+
- Device-code login for SSH, containers, and remote terminals.
127
+
- Client credentials for app-only Microsoft Graph operations that support application permissions.
128
+
-`TEAMS_CLI_ACCESS_TOKEN` only when the token was explicitly acquired for Microsoft Graph.
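Review bot: The `TEAMS_CLI_ACCESS_TOKEN` bullet states the condition ("only when the token was explicitly acquired for Microsoft Graph") but gives no way to check it. Reference `teams auth doctor --output json` from this bullet so a user can confirm the audience before running commands with a supplied token. As shown here the bullet also has no space between the dash and the backtick, unlike the three bullets above it; if that is in the source, Markdown will not render it as a list item.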
src/api/client.rs
+38-26Lines changed: 38 additions & 26 deletions
@@ -37,6 +37,40 @@ impl GraphClient {
37
37
})
38
38
}
39
39
40
+
fnauth_error_message(&self,body:&str) -> String{
41
+
letmut message = if body.trim().is_empty(){
42
+
"Authentication failed (401)".to_string()
43
+
}else{
44
+
format!("Authentication failed (401): {body}")
45
+
};
46
+
47
+
if body.contains("Invalid audience") || body.contains("InvalidAuthenticationToken"){
48
+
let diagnostics = self.token.diagnostics();
49
+
let audience = diagnostics
50
+
.audience
51
+
.as_deref()
52
+
.unwrap_or("unknown or opaque token");
53
+
54
+
message.push_str(&format!(
55
+
"\nHint: Microsoft Graph rejected this token audience. This CLI requires a Microsoft Graph access token; observed audience: {audience}. Run `teams auth login`, `teams auth login --device-code`, or provide a Graph token via `TEAMS_CLI_ACCESS_TOKEN`. Teams client tokens such as `~/.config/fossteams/token-teams.jwt` are not supported."
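Review bot: The condition `body.contains("Invalid audience") || body.contains("InvalidAuthenticationToken")` in `auth_error_message` is broader than the hint it triggers. `InvalidAuthenticationToken` is Graph's general error code for rejected tokens, including expired and malformed ones, so the "Microsoft Graph rejected this token audience" hint will be shown for 401s that have nothing to do with audience and will send users to re-login with a different app when a refresh would do. Match on `Invalid audience` alone, or compare the audience returned by `self.token.diagnostics()` against the Graph audience before stating the cause, and fall back to a neutral hint otherwise. Separately, `{body}` and `{audience}` are interpolated into the message unbounded and unfiltered; both come from outside the CLI, so consider truncating the body and stripping control characters before they reach the terminal.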