Docker
A container image should mount only the config and secrets needed by the workflow.
docker run --rm \
-e TEAMS_CLI_ACCESS_TOKEN \
osodevops/teams-cli:latest \
teams auth status --output json
For long-lived delegated sessions, prefer host keyring storage outside Docker. For CI, use short-lived Microsoft Graph tokens or a controlled login bootstrap.
Do not pass Teams client tokens captured from desktop, browser, or fossteams/teams-token sessions through TEAMS_CLI_ACCESS_TOKEN; Graph will reject them with Invalid audience.