a365 setup permissions mcp fails with interactive auth error in non-interactive terminals #157

@aadharshkannan

Description

The a365 setup permissions mcp command fails when acquiring a token for the AgentIdentityBlueprint.ReadWrite.All scope because it attempts interactive browser authentication in a non-interactive PowerShell subprocess, which cannot obtain a window handle.

Environment

  • CLI Version: 1.0.49+6840cfbb1b
  • OS: Windows 10/11
  • Terminal: VS Code Integrated Terminal, Windows Terminal, PowerShell
  • PowerShell Version: pwsh 7.x

Steps to Reproduce

  1. Configure a365 with valid a365.config.json and a365.generated.config.json
  2. Ensure Azure CLI is authenticated (az login)
  3. Run: a365 setup permissions mcp -v

Expected Behavior

The CLI should successfully acquire all necessary tokens and configure MCP server permissions, using one of:

  • Device code flow (-UseDeviceCode) for non-interactive terminals
  • Client credentials flow using the blueprint's client secret (already present in a365.generated.config.json)
  • Respect existing Microsoft Graph SDK token cache from parent session

Actual Behavior

The CLI:

  1. Successfully acquires Graph API tokens via Azure CLI (az account get-access-token) ✓
  2. Successfully configures OAuth2 grants ✓
  3. Fails when acquiring AgentIdentityBlueprint.ReadWrite.All token

The CLI spawns a subprocess:
pwsh -NoProfile -NonInteractive -Command "... Connect-MgGraph ... -Scopes @('AgentIdentityBlueprint.ReadWrite.All') ..."

This fails with:
InteractiveBrowserCredential authentication failed: A window handle must be configured.
See https://aka.ms/msal-net-wam#parent-window-handles

Root Cause Analysis

  1. The CLI uses -NonInteractive flag but attempts interactive browser auth
  2. Log shows Device Code: False - device code flow is not used
  3. The subprocess does not inherit the parent shell's Graph SDK token cache
  4. The blueprint's client secret exists in config but is not used for this API call

Workarounds Attempted (All Failed)

  1. Pre-authenticating with Connect-MgGraph in parent shell - CLI spawns fresh subprocess, doesn't inherit token
  2. Running from Windows Terminal - Same error, subprocess still can't get window handle
  3. Using Azure CLI token - Token lacks AgentIdentityBlueprint.ReadWrite.All scope

Suggested Fixes

  1. Add --use-device-code flag to enable device code flow for non-interactive environments
  2. Use client credentials with the blueprint's client secret for service-to-service calls
  3. Add -UseDeviceCode to Connect-MgGraph when running in non-interactive mode
  4. Detect terminal capability and automatically fall back to device code when interactive browser isn't available

Verbose Output

Acquiring Microsoft Graph delegated access token via PowerShell (Device Code: False)
Executing: pwsh -NoProfile -NonInteractive -Command "try { Import-Module Microsoft.Graph.Authentication -ErrorAction Stop; Connect-MgGraph -TenantId 'cb8c3437-f71e-42d1-8489-41c83ac7c33d' -Scopes @('AgentIdentityBlueprint.ReadWrite.All') -NoWelcome -ErrorAction Stop; ...}"
ERROR: Failed to acquire Microsoft Graph access token. Error: Write-Error: InteractiveBrowserCredential authentication failed: A window handle must be configured.

Impact

  • Severity: High - Blocks MCP permission setup entirely
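The following PowerShell script is an added example written for this page; it is not code from the a365 CLI or from the issue author. It shows the flow-selection logic the "Suggested Fixes" list asks for: detect whether the pwsh process can actually show a sign-in window, and if not, fall back to device code or to an app-only (client credentials) sign-in using the blueprint's client id and secret. Connect-MgGraph, Get-MgContext and their parameters (-UseDeviceCode, -ClientSecretCredential, -NoWelcome) are real Microsoft.Graph.Authentication cmdlets and switches; the tenant id and client values are placeholders, and the assumption that the blueprint app registration holds AgentIdentityBlueprint.ReadWrite.All as an admin-consented application permission is mine, not something the issue confirms.

```powershell
# Added example (not from the a365 CLI or this issue): pick a Microsoft Graph sign-in
# flow that works when pwsh is spawned with -NonInteractive and has no window handle.
# Assumes the Microsoft.Graph.Authentication module is installed.
param(
    [string]   $TenantId     = '<tenant-id-placeholder>',        # placeholder, not a real tenant
    [string]   $ClientId     = $null,   # blueprint app (client) id, if app-only auth is wanted
    [string]   $ClientSecret = $null,   # blueprint client secret (e.g. read from a365.generated.config.json)
    [string[]] $Scopes       = @('AgentIdentityBlueprint.ReadWrite.All')
)

function Test-InteractiveSession {
    # A browser-based sign-in needs a parent window. Treat the session as
    # interactive only if pwsh was NOT started with -NonInteractive and the
    # process is attached to an interactive desktop.
    $cmdArgs = [Environment]::GetCommandLineArgs()
    if ($cmdArgs -contains '-NonInteractive') { return $false }
    return [Environment]::UserInteractive
}

function Connect-GraphNonInteractiveSafe {
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

    if ($ClientId -and $ClientSecret) {
        # App-only (client credentials) flow: no browser and no device code prompt.
        # Assumption: the scope is granted to the app as an *application* permission
        # with admin consent; otherwise Graph will reject the calls later.
        $secure = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
        $cred   = [pscredential]::new($ClientId, $secure)
        Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome -ErrorAction Stop
    }
    elseif (Test-InteractiveSession) {
        # Interactive browser sign-in is only attempted when a window can be shown.
        Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -NoWelcome -ErrorAction Stop
    }
    else {
        # Device code flow prints a code and URL on stdout instead of opening a browser,
        # so it works in VS Code / Windows Terminal subprocesses without a window handle.
        Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -UseDeviceCode -NoWelcome -ErrorAction Stop
    }

    $ctx = Get-MgContext
    if ($ctx.AuthType -eq 'Delegated') {
        # Fail fast if the delegated token came back without the scope we need,
        # rather than discovering it on the first Graph call.
        foreach ($s in $Scopes) {
            if ($ctx.Scopes -notcontains $s) {
                throw "Acquired token is missing required scope '$s'"
            }
        }
    }
    return $ctx
}

$context = Connect-GraphNonInteractiveSafe
Write-Host "Connected to tenant $($context.TenantId) using $($context.AuthType) auth"
```

Run it as `pwsh -NoProfile -NonInteractive -File .\Connect-GraphSafe.ps1 -TenantId <tenant>` to reproduce the subprocess conditions from the issue; because `-NonInteractive` is on the command line, `Test-InteractiveSession` returns false and the script goes straight to the device code branch instead of failing with the window-handle error. The ClientSecret parameter is shown as a plain string for brevity; in real use read it from the config file into a SecureString rather than passing it on the command line, where it would be visible in process listings.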