Auth Failures
Invalid audience
Microsoft Graph rejects tokens that were issued for another resource. If you see an error like this:
Access token validation failure. Invalid audience.
the CLI is probably using a token that is not a Microsoft Graph access token.
Common causes:
TEAMS_CLI_ACCESS_TOKENcontains a Teams, Skype, ChatSvcAgg, SharePoint, Exchange, or ID token.- A token captured from
fossteams/teams-tokenwas imported from~/.config/fossteams/token-teams.jwt. - The token was acquired with the wrong
scopeor resource.
Fixes:
- Run
teams auth loginorteams auth login --device-code. - For BYO apps, request Microsoft Graph delegated scopes.
- For app-only automation, request
scope=https://graph.microsoft.com/.default. - If using
TEAMS_CLI_ACCESS_TOKEN, provide a Microsoft Graph access token only.
The CLI does not support importing fossteams/teams-token files. Those files are useful for Teams-client or reverse-engineering workflows, but they are not valid Graph tokens.
Token expired
teams auth refresh
If refresh fails because the profile has no valid refresh token, sign in again:
teams auth login --device-code
Consent blocked
Generate an admin consent URL:
teams auth consent-url --tenant-id <tenant-id-or-domain> --output json
For a workflow-specific scope set, pass the same scopes that login or the selected profile will request:
teams auth consent-url \
--tenant-id <tenant-id-or-domain> \
--scopes "User.Read People.Read Files.Read.All offline_access" \
--output json
After consent succeeds, redeem the stored refresh token for the new scope set:
teams auth refresh --scopes "User.Read People.Read Files.Read.All offline_access"
Browser callback fails
Use device code when http://localhost:8400/callback cannot be reached.