> ## Documentation Index
> Fetch the complete documentation index at: https://authsome.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft

> Log in to Microsoft from authsome via OAuth2. Tokens are stored locally and refreshed automatically.

Microsoft is a bundled OAuth2 provider in authsome. Microsoft Graph: Outlook mail, calendar, OneDrive files, Tasks, user profile.

## At a glance

|                           |                                                                                                              |
| ------------------------- | ------------------------------------------------------------------------------------------------------------ |
| Provider name             | `microsoft`                                                                                                  |
| Display name              | Microsoft                                                                                                    |
| Auth type                 | OAuth2                                                                                                       |
| Default flow              | `pkce`, PKCE browser flow                                                                                    |
| PKCE supported            | Yes                                                                                                          |
| Device code supported     | Yes                                                                                                          |
| DCR supported             | No                                                                                                           |
| Default scopes            | `User.Read`, `offline_access`, `Mail.ReadWrite`, `Calendars.ReadWrite`, `Files.ReadWrite`, `Tasks.ReadWrite` |
| Proxy host                | `graph.microsoft.com`                                                                                        |
| Env var (`access_token`)  | `MICROSOFT_ACCESS_TOKEN`                                                                                     |
| Env var (`refresh_token`) | `MICROSOFT_REFRESH_TOKEN`                                                                                    |

## Prerequisites

You need to register an OAuth app with Microsoft once. Register an application in Microsoft Entra (formerly Azure AD). Configure the platform as "Mobile and desktop applications" with authsome's callback URL.

The redirect URI must be:

```text theme={null}
http://127.0.0.1:7998/auth/callback/oauth
```

This is the only callback URL authsome's PKCE flow listens on.

Dashboard: [https://entra.microsoft.com/](https://entra.microsoft.com/).

## Log in

```bash theme={null}
authsome login microsoft
```

The first time, authsome opens a local form at `http://127.0.0.1:7998` to collect your `client_id` and `client_secret`. They are encrypted in your vault and reused on every subsequent login. A second browser window then opens to `https://login.microsoftonline.com/common/oauth2/v2.0/authorize` for the authorization step.

Verify:

```bash theme={null}
authsome get microsoft --field status
# → connected
```

## Headless setup

For SSH or CI environments, use the device code flow:

```bash theme={null}
authsome login microsoft --flow device_code
```

See [Headless setup](/guides/headless-device-code) for the full flow.

## Custom scopes

The bundled definition requests `User.Read`, `offline_access`, `Mail.ReadWrite`, `Calendars.ReadWrite`, `Files.ReadWrite`, `Tasks.ReadWrite`. Override at login time:

```bash theme={null}
authsome login microsoft --scopes "<comma-separated>"
```

The granted scopes are stored on the connection and visible in `authsome get microsoft`.

## Multiple accounts

Pass `--connection <name>` on `login` and on every read command to keep two or more accounts on the same provider side by side. See [Multiple connections per provider](/guides/multiple-connections) for the full pattern.

```bash theme={null}
authsome login microsoft --connection personal
authsome login microsoft --connection work
```

## Use the token

Run the agent under the proxy (recommended).

<CodeGroup>
  ```bash Proxy (recommended) theme={null}
  authsome run -- python my_agent.py
  ```

  ```bash Environment theme={null}
  eval "$(authsome export microsoft --format env)"
  ```
</CodeGroup>

Under the proxy, authsome sets `MICROSOFT_ACCESS_TOKEN=authsome-proxy-managed` in the child's environment and injects the real token into outbound requests to `graph.microsoft.com`. The child process never sees the actual value. Refresh tokens are never exported.

## Override the bundled definition

```bash theme={null}
authsome inspect microsoft > ~/.authsome/providers/microsoft.json
# edit scopes, base_url, or anything else
authsome list   # source now shows "custom" for microsoft
```

User-registered files always win over bundled definitions.

## What's next

<Columns cols={2}>
  <Card title="Run agents with the proxy" icon="shield-halved" href="/guides/run-agents-with-proxy">
    Inject the access token into outbound requests without exposing it.
  </Card>

  <Card title="Multiple connections per provider" icon="users" href="/guides/multiple-connections">
    Keep two or more accounts on the same provider side by side.
  </Card>

  <Card title="OAuth providers" icon="right-to-bracket" href="/integrations/oauth/index">
    All bundled OAuth providers.
  </Card>
</Columns>
