Skip to main content

Documentation Index

Fetch the complete documentation index at: https://authsome.agentr.dev/docs/llms.txt

Use this file to discover all available pages before exploring further.

Microsoft is a bundled OAuth2 provider in authsome. Microsoft Graph: Outlook mail, calendar, OneDrive files, Tasks, user profile.

At a glance

Provider namemicrosoft
Display nameMicrosoft
Auth typeOAuth2
Default flowpkce, PKCE browser flow
PKCE supportedYes
Device code supportedYes
DCR supportedNo
Default scopesUser.Read, offline_access, Mail.ReadWrite, Calendars.ReadWrite, Files.ReadWrite, Tasks.ReadWrite
Proxy hostgraph.microsoft.com
Env var (access_token)MICROSOFT_ACCESS_TOKEN
Env var (refresh_token)MICROSOFT_REFRESH_TOKEN

Prerequisites

You need to register an OAuth app with Microsoft once. Register an application in Microsoft Entra (formerly Azure AD). Configure the platform as “Mobile and desktop applications” with authsome’s callback URL. The redirect URI must be: 
http://127.0.0.1:7998/auth/callback/oauth
This is the only callback URL authsome’s PKCE flow listens on. Dashboard: https://entra.microsoft.com/.

Log in

uvx authsome login microsoft
The first time, authsome opens a local form at http://127.0.0.1:7998 to collect your client_id and client_secret. They are encrypted under your profile and reused on every subsequent login. A second browser window then opens to https://login.microsoftonline.com/common/oauth2/v2.0/authorize for the authorization step. Verify: 
uvx authsome get microsoft --field status
# → connected

Headless setup

For SSH or CI environments, use the device code flow: 
uvx authsome login microsoft --flow device_code
See Headless setup for the full flow.

Custom scopes

The bundled definition requests User.Read, offline_access, Mail.ReadWrite, Calendars.ReadWrite, Files.ReadWrite, Tasks.ReadWrite. Override at login time: 
uvx authsome login microsoft --scopes "<comma-separated>"
The granted scopes are stored on the connection and visible in uvx authsome get microsoft.

Multiple accounts

Pass --connection <name> on login and on every read command to keep two or more accounts on the same provider side by side. See Multiple connections per provider for the full pattern. 
uvx authsome login microsoft --connection personal
uvx authsome login microsoft --connection work

Use the token

Run the agent under the proxy. The library tab is for embedding authsome inside a larger Python orchestrator. 
uvx authsome run -- python my_agent.py
Under the proxy, authsome sets MICROSOFT_ACCESS_TOKEN=authsome-proxy-managed in the child’s environment and injects the real token into outbound requests to graph.microsoft.com. The child process never sees the actual value. Refresh tokens are never exported.

Override the bundled definition

uvx authsome inspect microsoft > ~/.authsome/providers/microsoft.json
# edit scopes, base_url, or anything else
uvx authsome list   # source now shows "custom" for microsoft
User-registered files always win over bundled definitions. See Provider schema.

What’s next

Run agents with the proxy

Inject the access token into outbound requests without exposing it.

Multiple connections per provider

Keep two or more accounts on the same provider side by side.

Provider schema

Every field in a provider definition.

OAuth providers

All bundled OAuth providers.