Skip to main content

Auth Failures

Invalid audience

Microsoft Graph rejects tokens that were issued for another resource. If you see an error like this:

Access token validation failure. Invalid audience.

the CLI is probably using a token that is not a Microsoft Graph access token.

Common causes:

  • TEAMS_CLI_ACCESS_TOKEN contains a Teams, Skype, ChatSvcAgg, SharePoint, Exchange, or ID token.
  • A token captured from fossteams/teams-token was imported from ~/.config/fossteams/token-teams.jwt.
  • The token was acquired with the wrong scope or resource.

Fixes:

  • Run teams auth login or teams auth login --device-code.
  • For BYO apps, request Microsoft Graph delegated scopes.
  • For app-only automation, request scope=https://graph.microsoft.com/.default.
  • If using TEAMS_CLI_ACCESS_TOKEN, provide a Microsoft Graph access token only.

The CLI does not support importing fossteams/teams-token files. Those files are useful for Teams-client or reverse-engineering workflows, but they are not valid Graph tokens.

Token expired

teams auth refresh

If refresh fails because the profile has no valid refresh token, sign in again:

teams auth login --device-code

Generate an admin consent URL:

teams auth consent-url --tenant-id <tenant-id-or-domain> --output json

For a workflow-specific scope set, pass the same scopes that login or the selected profile will request:

teams auth consent-url \
--tenant-id <tenant-id-or-domain> \
--scopes "User.Read People.Read Files.Read.All offline_access" \
--output json

After consent succeeds, redeem the stored refresh token for the new scope set:

teams auth refresh --scopes "User.Read People.Read Files.Read.All offline_access"

Browser callback fails

Use device code when http://localhost:8400/callback cannot be reached.