Does the Teams Mobile client require specific Known Client Applications in the Azure App Registration

silvio aldin 40 Reputation points
2026-02-16T00:23:45.54+00:00

My Teams Tab application (manifest v1.16) successfully acquires a bootstrap token using microsoftTeams.authentication.getAuthToken(). However, when my backend service attempts to exchange this for a Graph API token via the On-Behalf-Of (OBO) flow, Entra ID returns a 400 Bad Request. This issue is inconsistent; it works for some users in the tenant but fails for others.

The backend logs indicate an invalid_grant error. The sub (subject) and tid (tenant ID) in the bootstrap token are correct, but the exchange fails at the /token endpoint.

Does the Teams Mobile client require specific Known Client Applications in the Azure App Registration to avoid signature mismatches during OBO?

Microsoft Teams | Development

Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs


Answer accepted by question author
  1. Steven-N 21,885 Reputation points Microsoft External Staff Moderator
    2026-02-16T02:01:22.2566667+00:00

    Hi silvio aldin

    Thank you for reaching out to the Microsoft Q&A forum.

    Based on my research, in Teams Tab SSO, microsoftTeams.authentication.getAuthToken() can return different token types depending on the client. On Desktop/Web, the token is typically meant to be exchanged by your backend (OBO) for a Microsoft Graph token. On Teams Mobile, the token can already be a Graph-audience token, so attempting the same OBO exchange can fail with 400 Bad Request / invalid_grant even though sub and tid look correct.

    Given this, the suggested approach below might help:

    1. In your backend, decode the incoming JWT and check the aud claim before doing OBO. If aud is https://graph.microsoft.com, validate and use it directly for Graph calls; if aud is your API’s Application ID URI (api://...), proceed with the standard OBO exchange.
    2. Verify your Entra ID tab SSO configuration is aligned with Microsoft guidance (app registration + exposed API + trusted/preauthorized client setup for Teams clients), since misconfiguration can also surface as auth/token errors across clients.

    Link references:
    https://learn.microsoft.com/en-us/answers/questions/5764199/token-exchange-fails-specifically-on-mobile-client

    https://github.com/MicrosoftDocs/msteams-docs/blob/main/msteams-platform/tabs/how-to/authentication/tab-sso-overview.md

    Hope my answer will help you.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
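
The `aud` check from step 1 of the accepted answer, sketched for a Node.js backend. This is an added example, not part of the original answer or Microsoft's code; the function names, the sample tokens and the `api://` URI are constructed for illustration. Accepting the Graph app ID GUID and a trailing slash goes beyond the single audience value the answer names.

```javascript
// Route a Teams SSO token by its `aud` claim before attempting OBO.
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000', // Microsoft Graph's well-known app ID
]);

// Decode the payload WITHOUT verifying the signature. Use this only to pick a
// code path; the token must still be validated (signature, iss, exp) before use.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Tolerate a trailing slash on the audience value (assumption, see lead-in).
function normalize(aud) { return String(aud).replace(/\/+$/, ''); }

// Returns 'graph-direct', 'obo', or 'reject' (fail closed on anything else).
function classifyTeamsToken(token, apiAudiences) {
  let claims;
  try { claims = decodeJwtPayload(token); } catch { return 'reject'; }
  if (typeof claims.aud !== 'string') return 'reject';
  const aud = normalize(claims.aud);
  if (GRAPH_AUDIENCES.has(aud)) return 'graph-direct';
  if (apiAudiences.map(normalize).includes(aud)) return 'obo';
  return 'reject';
}

// Form body for the OBO exchange, sent only when the result is 'obo'.
function buildOboBody(token, clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion: token,
    scope: 'https://graph.microsoft.com/.default',
    requested_token_use: 'on_behalf_of',
  }).toString();
}

// Constructed, unsigned sample tokens with placeholder values.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```

Logging the returned value next to the client type for each failing request shows whether the `invalid_grant` responses line up with tokens that were already Graph-audience.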

