Token Cache
Access tokens and refresh tokens are credential material and belong in the OS credential store.
Stored secrets
After login, the CLI stores token material for the selected profile. Those tokens allow the CLI to call Microsoft Graph until they expire or are revoked.
Expected platform storage:
| Platform | Expected storage |
|---|---|
| macOS | Keychain |
| Windows | Windows Credential Manager |
| Linux | Secret Service/libsecret compatible keyring |
Config files contain non-secret identifiers such as client_id, tenant_id, auth_app, selected profile, and output preferences.
Environment override
TEAMS_CLI_ACCESS_TOKEN can provide a token directly to the process. This is useful for controlled automation, but it bypasses profile keyring lookup and must be handled like any other bearer token.
Do not print environment tokens in CI logs, shell traces, agent transcripts, or support bundles.
Logout and revocation
Local logout removes cached CLI credentials:
teams auth logout
teams auth logout --all
Tenant-side revocation is separate. Admins should revoke or disable the enterprise application in Entra when access must be centrally blocked.
Agent handling
Agents should not print token values into traces or logs. They should also avoid echoing full command environments because bearer tokens can appear in process variables.