Azure AD
Connect Toby to Microsoft Graph (Azure AD) for directory and contact-related chat tools.
CLI name: azuread
Azure AD ships as an installable plugin (toby-plugin-azuread). Release installs
and upgrades place it in ~/.toby/plugins/ automatically. When building from
source, run bun run build:plugin:azuread then
toby plugins install ./dist/toby-plugin-azuread.
Prerequisites
- A Microsoft Entra ID (Azure AD) tenant
- An app registration with Microsoft Graph permissions for directory lookup
Microsoft Entra app registration
Toby calls Microsoft Graph to search users and read profile fields. You need Tenant ID, Client ID, and (for client-credentials auth) a Client Secret.
Required Graph permissions (both auth methods):
- User.Read.All
- User.ReadBasic.All
OAuth (PKCE) also requests openid, profile, and offline_access during sign-in.
1. Register an application
- Open the Microsoft Entra admin center (or Azure Portal → Microsoft Entra ID).
- Go to Applications → App registrations → New registration.
- Enter a name (for example Toby).
- Choose Supported account types (single tenant is typical for org directory lookup).
- For Redirect URI, choose Public client/native (mobile & desktop) and add: http://localhost:9877/callback. This matches Toby’s default OAuth callback. If you set a custom OAuth Redirect URI in configure, register that exact URL instead.
- Click Register.
- On the app Overview page, copy Application (client) ID and Directory (tenant) ID.
2. Allow public client flows (OAuth PKCE only)
If you use OAuth (PKCE) (Toby’s default):
- Open Authentication for the app.
- Under Advanced settings, set Allow public client flows to Yes (Toby exchanges the auth code with PKCE and does not send a client secret on that step).
- Confirm http://localhost:9877/callback appears under redirect URIs.
- Save.
3. Add Microsoft Graph API permissions
- Open API permissions → Add a permission → Microsoft Graph.
OAuth (PKCE) — delegated permissions
Add these Delegated permissions:
| Permission | Purpose |
|---|---|
| User.Read.All | Read all users’ full profiles |
| User.ReadBasic.All | Read basic profile for all users |
| openid, profile, offline_access | Sign-in and refresh tokens (often added automatically with user read scopes) |
Client credentials — application permissions
Add these Application permissions instead:
| Permission | Purpose |
|---|---|
| User.Read.All | Read all users (app-only) |
| User.ReadBasic.All | Read basic profiles (app-only) |
- Click Grant admin consent for your tenant if required (common for User.Read.All).
4. Create a client secret (client credentials only)
Skip this step for OAuth (PKCE) unless you also use client credentials elsewhere.
- Open Certificates & secrets → New client secret.
- Add a description and expiry, then create the secret.
- Copy the Value immediately (Entra hides it later).
5. Copy values into Toby
Use Tenant ID, Client ID, and (for client credentials) Client Secret in the Configure section. Do not commit secrets to git; Toby stores them in ~/.toby/credentials.json.
Configure
toby config
Go to Integrations → Azure AD and choose an Auth Method:
OAuth (PKCE) — default
| Field | Description |
|---|---|
| Tenant ID | Your Azure AD tenant ID |
| Client ID | Application (client) ID |
| OAuth Redirect URI (optional) | Defaults to http://localhost:9877/callback if omitted |
Client credentials
| Field | Description |
|---|---|
| Tenant ID | Your Azure AD tenant ID |
| Client ID | Application (client) ID |
| Client Secret | App secret for client-credentials flow |
Save the configuration.
Connect
toby connect azuread
- OAuth (PKCE): Complete sign-in in the browser.
- Client credentials: Connect validates credentials and marks the integration connected.
Verify
toby status integration -i azuread
Disconnect
toby disconnect azuread
Example chat prompts
- “Look up contact details for people named Jordan in my organization.”
- “Who is the manager listed for this email address?”