Multi-Tenant Profiles
Profiles separate tenant and app settings.
[default]
profile = "client-a"
[profiles.client-a]
auth_app = "oso"
tenant_id = "client-a.onmicrosoft.com"
auth_flow = "device-code"
scopes = "User.Read Chat.ReadWrite ChatMessage.Send offline_access"
[profiles.locked-down]
auth_app = "byo"
client_id = "11111111-1111-1111-1111-111111111111"
tenant_id = "22222222-2222-2222-2222-222222222222"
scopes = "User.Read People.Read Files.Read.All offline_access"
Run commands with --profile client-a.
Scope resolution is predictable: --scopes or TEAMS_CLI_SCOPES, then the selected profile's scopes, then the built-in defaults. offline_access is added automatically for delegated flows.
After an admin grants consent to new scopes, refresh the stored token without a browser prompt:
teams auth refresh --profile locked-down