Cannot login with cli 3.0.8 and teamsapp.yml 1.8

[ThomasPe]

Describe the bug
I upgraded my teams app solution to 1.8 in the teamsapp.yml.
For the deployment via Azure DevOps Pipelines it seems I need the CLI version 3.0.8 as anything lower will result in a version error.
But with that version I cannot log in using a Password / Client Secret.

To Reproduce
here's my DevOps yaml:

- script: |
    npm install @microsoft/teamsapp-cli@3.0.8
  displayName: "Install CLI"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

- script: |
    npx teamsapp auth login azure \
    --username $(AZURE_SERVICE_PRINCIPAL_NAME) \
    --service-principal true \
    --tenant $(AZURE_TENANT_ID) \
    --password $(AZURE_SERVICE_PRINCIPAL_PASSWORD) \
    --interactive false 
  displayName: "Login Azure by service principal"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

(✖) Error: unknown.UnhandledError: An unexpected error has occurred while performing the unknown task. {"stack":"AggregateAuthenticationError: ChainedTokenCredential authentication failed.\nAuthenticationRequiredError: invalid_scope: 1002012 - [2025-03-27 20:28:34Z]: AADSTS1002012: The provided value for scope https://management.core.windows.net/user_impersonation is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00 Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d Timestamp: 2025-03-27 20:28:34Z - Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d - Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00\n    at /home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:162247\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Object.withSpan (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:20:737957)\n    at async ChainedTokenCredential.getToken (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:161614)","message":"ChainedTokenCredential authentication failed.\nAuthenticationRequiredError: invalid_scope: 1002012 - [2025-03-27 20:28:34Z]: AADSTS1002012: The provided value for scope https://management.core.windows.net/user_impersonation is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00 Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d Timestamp: 2025-03-27 20:28:34Z - Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d - Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00","errors":[{"stack":"AuthenticationRequiredError: invalid_scope: 1002012 - [2025-03-27 20:28:34Z]: AADSTS1002012: The provided value for scope https://management.core.windows.net/user_impersonation is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00 Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d Timestamp: 2025-03-27 20:28:34Z - Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d - Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00\n    at handleMsalError (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:117222)\n    at MsalClientSecret.doGetToken (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:167367)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Object.withSpan (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:20:737957)\n    at async /home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:161924\n    at async Object.withSpan (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:20:737957)\n    at async ChainedTokenCredential.getToken (/home/vsts/work/1/s/node_modules/@microsoft/teamsapp-cli/lib/index.js:2:161614)","message":"invalid_scope: 1002012 - [2025-03-27 20:28:34Z]: AADSTS1002012: The provided value for scope https://management.core.windows.net/user_impersonation is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00 Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d Timestamp: 2025-03-27 20:28:34Z - Correlation ID: 0a64959d-60fe-4569-8399-ba260d74ef1d - Trace ID: cf0070cd-cc37-4911-b1ad-11ea1cb9ad00","name":"AuthenticationRequiredError"}],"name":"AggregateAuthenticationError"}

Expected behavior
A successfull login & authenticated cli

CLI Information (please complete the following information):

• OS: ubuntu
• Version 3.0.8

Additional context
teamsapp.yml Version 1.8

[m365-agent-toolkit-assistant]

👋 Hi @ThomasPe,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Troubleshooting Steps

Based on the information and similar issues from various resources, here are some steps to troubleshoot and potentially resolve the login issue with the teamsapp CLI in your Azure DevOps pipeline:

1. Confirm Scope Value:
   Ensure that the scope value is correctly suffixed with .default. In your YAML file, --scope https://management.core.windows.net/.default seems correct, but sometimes the error suggests it might be incorrectly set. Double-check that no extra characters or spaces are present.

2. Use the Correct Version:
   Ensure you are using the correct version of @microsoft/teamsapp-cli. Since you've specified 3.0.8, check if there's a bug or known issue with this version related to authentication, and consider testing with a different version if possible.

3. Environment Variables:
   For non-interactive authentication, ensure the environment variables are correctly set. Also, set these environment variables for the Azure pipeline:

   - script: |
       export AZURE_CLIENT_ID=$(AZURE_SERVICE_PRINCIPAL_NAME)
       export AZURE_CLIENT_SECRET=$(AZURE_SERVICE_PRINCIPAL_PASSWORD)
       export AZURE_TENANT_ID=$(AZURE_TENANT_ID)
       npm install @microsoft/teamsapp-cli@3.0.8
     displayName: "Install CLI"
     workingDirectory: $(Pipeline.Workspace)/TeamsApp
   
   - script: |
       npx teamsapp auth login azure \
       --service-principal true \
       --tenant $(AZURE_TENANT_ID) \
       --interactive false \
       --scope https://management.core.windows.net/.default
     displayName: "Login Azure by service principal"
     workingDirectory: $(Pipeline.Workspace)/TeamsApp

4. Check for Service Principal Permissions:
   Ensure that the service principal has the required permissions for the operations you are trying to perform.

5. Azure MFA:
   If Multi-Factor Authentication (MFA) is enabled for the Azure account, this could interfere with non-interactive login. Ensure that either:

   • MFA is disabled for this service account.
   • Use a service principal that does not require MFA.

6. CI Environment Variable:
   Set the CI_ENABLED environment variable to true to avoid any prompts:

   - script: |
       export CI_ENABLED=true
     displayName: "Set CI environment variable"
     workingDirectory: $(Pipeline.Workspace)/TeamsApp

Additional References

These issues and discussions can provide further insights:

• GitHub Issue - Login via CLI
• Stack Overflow Discussion
• Microsoft Docs on Azure CLI - Authentication

Revised Example

Here’s a revised complete YAML example incorporating these suggestions:

trigger: none

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UseNode@2
  inputs:
    versionSpec: '14.x'
  displayName: 'Install Node.js'

- script: |
    export AZURE_CLIENT_ID=$(AZURE_SERVICE_PRINCIPAL_NAME)
    export AZURE_CLIENT_SECRET=$(AZURE_SERVICE_PRINCIPAL_PASSWORD)
    export AZURE_TENANT_ID=$(AZURE_TENANT_ID)
    export CI_ENABLED=true
    npm install @microsoft/teamsapp-cli@3.0.8
  displayName: "Install CLI"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

- script: |
    npx teamsapp auth login azure \
    --service-principal true \
    --tenant $(AZURE_TENANT_ID) \
    --interactive false \
    --scope https://management.core.windows.net/.default
  displayName: "Login Azure by service principal"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

Testing these steps should help in identifying if the issue lies with the scope syntax, version compatibility, permissions, or CI setup constraints. If you still encounter issues, it might be useful to look for updates or patches specifically related to the CLI version you are using.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[ThomasPe]

--scope is not a valid parameter

[sayali-MSFT]

@ThomasPe ,Thank you for your inquiry about your Teams app development issue!
We are checking the issue. We will get back to you shortly.

[sayali-MSFT]

The issue you're experiencing with authentication for the Teams CLI version 3.0.8 in your Azure DevOps Pipeline is due to the provided value for scope not being valid for client credential flows.
Modify the scope parameter to include /.default. The corrected scope for Azure Management should be https://management.core.windows.net/.defaul
Update your pipeline to use the Teams CLI with specified authentication flow.

- script: |
    npm install @microsoft/teamsapp-cli@3.0.8
  displayName: "Install CLI"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

- script: |
    npx teamsapp auth login azure \
    --username $(AZURE_SERVICE_PRINCIPAL_NAME) \
    --service-principal true \
    --tenant $(AZURE_TENANT_ID) \
    --password $(AZURE_SERVICE_PRINCIPAL_PASSWORD) \
    --interactive false \
    --scope https://management.core.windows.net/.default
  displayName: "Login Azure by service principal"
  workingDirectory: $(Pipeline.Workspace)/TeamsApp

1. For more details on authentication and configuring your CI/CD pipelines with Teams Toolkit, refer to the official documentation: Set Up CI/CD Pipelines with Teams Toolkit CLI

2. Detailed configuration steps for OAuth 2.0 authorization code flow: OAuth 2.0 Authorization Code Flow

[ThomasPe]

--scope is not a valid parameter

(✖) Error: TeamsfxCLI.UnknownOptionError: The command 'teamsapp auth login azure' can not be executed for unknown option '--scope'.

[sayali-MSFT]

@ThomasPe , could you please Remove the --scope parameter from your command and try it once.

[ThomasPe]

Updated my initial post and removed the scope as it was there by mistake. The error remains the same

[sayali-MSFT]

@ThomasPe ,Thanks for the quick response.
We will check this with internal team and let you know the update.

[HuihuiWu-Microsoft]

Hi @ThomasPe this might be an issue introduced by multi-tenant feature. With your yml file setup, do you have issue with subsequent operations like provision and deploy? Or does it only affects the output while the Azure account actually signed in ?