Reduce default delegated auth scopes

sionsmith · sionsmith · commit 52c4ce87a2e6 · 2026-06-04T12:36:26.000+01:00
diff --git a/README.md b/README.md
@@ -175,6 +175,9 @@ teams auth login
 # Device code flow with OSO's public client app
 teams auth login --device-code
 
+# Channel message reads require a broader Graph scope that often needs admin approval
+teams auth login --device-code --scopes "User.Read ChannelMessage.Read.All offline_access"
+
 # Browser-based login with a customer-owned app
 teams auth login --client-id <client-id> --tenant-id <tenant-id>
 
@@ -204,6 +207,12 @@ teams auth login --client-credentials \
 
 Tokens are cached in the OS keyring — subsequent commands reuse the session without re-authentication.
 
+Default delegated login asks for chat, channel-send, discovery, user lookup,
+and presence scopes. It intentionally does not request
+`ChannelMessage.Read.All`, because Microsoft marks that delegated scope as
+admin-consent required. Use `--scopes` or a customer-owned app when a workflow
+needs channel message reads.
+
 **Credential resolution order**: CLI flags > environment variables > config file profiles.
 
 ### Why not import Teams client tokens?
diff --git a/docs/auth-implementation-plan.md b/docs/auth-implementation-plan.md
@@ -135,14 +135,13 @@ Recommended initial delegated scopes:
 - `Team.ReadBasic.All`
 - `Channel.ReadBasic.All`
 - `ChannelMessage.Send`
-- `ChannelMessage.Read.All`
 - `Chat.ReadWrite`
 - `ChatMessage.Send`
 - `ChatMessage.Read`
 - `User.ReadBasic.All`
 - `Presence.Read.All`
 
-Implementation note: split these into documented scope presets before release. The current default scope string is broad and convenient for testing, but commercial onboarding should explain exactly why each scope exists and allow lower-scope profiles where possible.
+Implementation note: keep the default scope string below known admin-consent-required delegated scopes where possible. `ChannelMessage.Read.All` is needed for channel message reads, but it should be requested explicitly with `--scopes` or through a customer-owned app because Microsoft marks it as admin-consent required.
 
 ### 2. Customer BYO Public Client App
 
diff --git a/docs/auth.md b/docs/auth.md
@@ -76,15 +76,20 @@ offline_access
 Team.ReadBasic.All
 Channel.ReadBasic.All
 ChannelMessage.Send
-ChannelMessage.Read.All
 Chat.ReadWrite
 ChatMessage.Send
 ChatMessage.Read
 User.ReadBasic.All
 Presence.Read.All
 ```
 
-These permissions cover the current read/write message, team/channel discovery, chat, user lookup, and presence smoke tests. Future features may need additional consent.
+These permissions cover the current chat read/write, channel-send, team/channel discovery, user lookup, and presence smoke tests. The default does not include `ChannelMessage.Read.All` because Microsoft marks that delegated Graph scope as admin-consent required. Add it explicitly when a workflow needs channel message reads:
+
+```bash
+teams auth login --device-code --scopes "User.Read ChannelMessage.Read.All offline_access"
+```
+
+Future features may need additional consent.
 
 ## Login options
 
diff --git a/docs/faq.md b/docs/faq.md
@@ -44,15 +44,14 @@ offline_access
 Team.ReadBasic.All
 Channel.ReadBasic.All
 ChannelMessage.Send
-ChannelMessage.Read.All
 Chat.ReadWrite
 ChatMessage.Send
 ChatMessage.Read
 User.ReadBasic.All
 Presence.Read.All
 ```
 
-Customers should review these during admin consent. Future features may require additional permissions.
+The default avoids `ChannelMessage.Read.All` because Microsoft marks that delegated Graph scope as admin-consent required. Customers that need channel message reads should grant it explicitly with `--scopes` or through a customer-owned app. Future features may require additional permissions.
 
 ## Why did `team list` return no teams?
 
diff --git a/src/auth/auth_code_pkce.rs b/src/auth/auth_code_pkce.rs
@@ -8,9 +8,9 @@ use std::sync::Mutex;
 use tokio::sync::oneshot;
 
 use super::token::MsTokenResponse;
+use crate::config::DEFAULT_DELEGATED_SCOPES;
 use crate::error::{Result, TeamsError};
 
-const DEFAULT_SCOPES: &str = "User.Read Team.ReadBasic.All Channel.ReadBasic.All ChannelMessage.Send ChannelMessage.Read.All Chat.ReadWrite ChatMessage.Send ChatMessage.Read User.ReadBasic.All Presence.Read.All offline_access";
 const REDIRECT_URI: &str = "http://localhost:8400/callback";
 
 fn random_urlsafe_bytes(len: usize) -> Result<String> {
@@ -37,7 +37,7 @@ pub async fn authenticate(
     tenant_id: &str,
     scopes: Option<&str>,
 ) -> Result<MsTokenResponse> {
-    let scopes = scopes.unwrap_or(DEFAULT_SCOPES);
+    let scopes = scopes.unwrap_or(DEFAULT_DELEGATED_SCOPES);
     let (verifier, challenge) = generate_pkce()?;
 
     let state = random_urlsafe_bytes(16)?;
diff --git a/src/auth/device_code.rs b/src/auth/device_code.rs
@@ -3,10 +3,9 @@ use serde::Deserialize;
 use std::time::Duration;
 
 use super::token::MsTokenResponse;
+use crate::config::DEFAULT_DELEGATED_SCOPES;
 use crate::error::{Result, TeamsError};
 
-const DEFAULT_SCOPES: &str = "User.Read Team.ReadBasic.All Channel.ReadBasic.All ChannelMessage.Send ChannelMessage.Read.All Chat.ReadWrite ChatMessage.Send ChatMessage.Read User.ReadBasic.All Presence.Read.All offline_access";
-
 #[derive(Debug, Deserialize)]
 struct DeviceCodeResponse {
     device_code: String,
@@ -40,7 +39,7 @@ pub async fn authenticate(
     tenant_id: &str,
     scopes: Option<&str>,
 ) -> Result<MsTokenResponse> {
-    let scopes = scopes.unwrap_or(DEFAULT_SCOPES);
+    let scopes = scopes.unwrap_or(DEFAULT_DELEGATED_SCOPES);
     let http = Client::new();
 
     // Step 1: Request device code
diff --git a/src/config.rs b/src/config.rs
@@ -8,6 +8,7 @@ use crate::error::{Result, TeamsError};
 
 pub const OSO_PUBLIC_CLIENT_ID: &str = "fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595";
 pub const DEFAULT_DELEGATED_TENANT_ID: &str = "organizations";
+pub const DEFAULT_DELEGATED_SCOPES: &str = "User.Read Team.ReadBasic.All Channel.ReadBasic.All ChannelMessage.Send Chat.ReadWrite ChatMessage.Send ChatMessage.Read User.ReadBasic.All Presence.Read.All offline_access";
 
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct ConfigFile {
@@ -404,6 +405,13 @@ auth_flow = "device-code"
         );
     }
 
+    #[test]
+    fn default_delegated_scopes_avoid_admin_required_channel_read() {
+        assert!(DEFAULT_DELEGATED_SCOPES.contains("ChatMessage.Send"));
+        assert!(DEFAULT_DELEGATED_SCOPES.contains("ChannelMessage.Send"));
+        assert!(!DEFAULT_DELEGATED_SCOPES.contains("ChannelMessage.Read.All"));
+    }
+
     #[test]
     fn delegated_auth_byo_requires_client_id() {
         let mut config = ConfigFile::default();
