[Feature]: Support federated credentials / managed identity for MS Teams Bot Framework authentication #40855

@fengyang0317

Description

Summary

Support passwordless authentication for the MS Teams channel using Azure AD federated credentials or managed identity, as an alternative to client secrets (appPassword).

Problem to solve

Many enterprise Microsoft/Azure tenants have tenant-wide policies that block creation of client secrets on App Registrations. The current MS Teams channel config (channels.msteams) only supports appId + appPassword (client secret) for Bot Framework authentication.

This means OpenClaw cannot be connected to MS Teams in these enterprise environments at all, since there is no way to configure federated credentials, managed identity, or certificate-based authentication as alternatives.

The error message from Azure AD is:

"Client secrets are blocked by a tenant-wide policy. Contact your tenant administrator for more information."

Proposed solution

Add support for alternative authentication methods in the MS Teams channel config. Proposed new config fields:

channels:
  msteams:
    appId: "<app-id>"
    # Option 1: Existing (keep for backward compat)
    appPassword: "<client-secret>"
    # Option 2: Federated credential via managed identity
    authType: "federatedCredential"  # or "clientSecret" (default)
    managedIdentityClientId: "<user-assigned-managed-identity-client-id>"
    # Option 3: Certificate-based auth
    # authType: "certificate"
    # certPath: "/path/to/cert.pem"
    # certKeyPath: "/path/to/key.pem"

The Bot Framework SDK for Node.js already supports ManagedIdentityCredential and CertificateCredential via @azure/identity. The implementation would:

  1. Check authType (default: clientSecret for backward compat)
  2. Use the appropriate credential provider from @azure/identity
  3. Pass it to the BotFrameworkAdapter or CloudAdapter
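As an added illustration of steps 1 and 2 (this is example code written for this issue, not OpenClaw's code and not the Bot Framework SDK's), the resolver below validates the proposed channels.msteams fields and reduces them to one explicit credential mode before any adapter is built. The field names come from the config sketch above; the mapping of each mode to a concrete @azure/identity class is noted in comments as an assumption, and the rule that a client secret may not be combined with a passwordless mode is a design choice of this example rather than something the proposal specifies.

```typescript
// Example for the proposal above (not OpenClaw code). Resolves the proposed
// channels.msteams fields into one credential mode, failing fast on
// incomplete or contradictory settings.

type MsTeamsAuthType = "clientSecret" | "federatedCredential" | "certificate";

interface MsTeamsChannelConfig {
  appId: string;
  appPassword?: string;
  authType?: MsTeamsAuthType;
  managedIdentityClientId?: string;
  certPath?: string;
  certKeyPath?: string;
}

type ResolvedAuth =
  | { kind: "clientSecret"; appId: string; clientSecret: string }
  | { kind: "managedIdentity"; appId: string; managedIdentityClientId: string }
  | { kind: "certificate"; appId: string; certPath: string; certKeyPath: string };

// Azure AD application and managed-identity client ids are GUIDs.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function requireGuid(name: string, value: string | undefined): string {
  if (!value || !GUID_RE.test(value)) {
    throw new Error(`channels.msteams.${name} must be an Azure AD GUID`);
  }
  return value;
}

function resolveMsTeamsAuth(cfg: MsTeamsChannelConfig): ResolvedAuth {
  const appId = requireGuid("appId", cfg.appId);
  // Step 1: default keeps existing appId + appPassword deployments unchanged.
  const authType: MsTeamsAuthType = cfg.authType ?? "clientSecret";

  // Design choice of this example: a passwordless mode must not silently keep
  // a client secret in the config, so the combination is rejected, not ignored.
  if (authType !== "clientSecret" && cfg.appPassword) {
    throw new Error(`channels.msteams.appPassword is set but authType is ${authType}`);
  }

  // Step 2: pick the credential mode; the adapter wiring would happen after this.
  switch (authType) {
    case "clientSecret":
      if (!cfg.appPassword) {
        throw new Error("channels.msteams.appPassword is required when authType is clientSecret");
      }
      // Existing path (appId + client secret).
      return { kind: "clientSecret", appId, clientSecret: cfg.appPassword };
    case "federatedCredential":
      // Assumed mapping: ManagedIdentityCredential(managedIdentityClientId).
      return {
        kind: "managedIdentity",
        appId,
        managedIdentityClientId: requireGuid("managedIdentityClientId", cfg.managedIdentityClientId),
      };
    case "certificate":
      if (!cfg.certPath || !cfg.certKeyPath) {
        throw new Error("channels.msteams.certPath and certKeyPath are required when authType is certificate");
      }
      // Assumed mapping: ClientCertificateCredential built from the PEM files.
      return { kind: "certificate", appId, certPath: cfg.certPath, certKeyPath: cfg.certKeyPath };
    default:
      throw new Error(`channels.msteams.authType "${String(authType)}" is not supported`);
  }
}

// Log-safe description: the client secret is never echoed.
function describeAuth(auth: ResolvedAuth): string {
  switch (auth.kind) {
    case "clientSecret":
      return `appId=${auth.appId} auth=clientSecret secret=<redacted>`;
    case "managedIdentity":
      return `appId=${auth.appId} auth=managedIdentity clientId=${auth.managedIdentityClientId}`;
    case "certificate":
      return `appId=${auth.appId} auth=certificate cert=${auth.certPath}`;
    default:
      throw new Error("unreachable");
  }
}

// Constructed sample config matching "Option 2" in the proposal.
const sampleFederated: MsTeamsChannelConfig = {
  appId: "11111111-2222-3333-4444-555555555555",
  authType: "federatedCredential",
  managedIdentityClientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
};
console.log(describeAuth(resolveMsTeamsAuth(sampleFederated)));
```

The resolver is deliberately the only place that knows all three modes, so the adapter code receives a single discriminated value and a misconfigured deployment is rejected at startup rather than at the first failed token request.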

Alternatives considered

  1. Use browser-based Teams web automation instead — This is what I'm currently doing as a workaround (using OpenClaw's browser automation to interact with Teams web UI). It works but is fragile, slow, and doesn't support real-time message reception.
  2. Request a tenant policy exemption — Not always possible in large enterprises, and defeats the purpose of the security policy.
  3. Certificate-based auth — A good middle ground, but also not currently supported by OpenClaw's config schema.

Impact

  • Affected: All OpenClaw users in enterprise Azure/Microsoft tenants that enforce "no client secrets" policies
  • Severity: Blocks workflow — completely prevents MS Teams channel integration
  • Frequency: Always (policy is tenant-wide and permanent)
  • Consequence: Cannot use OpenClaw with MS Teams at all; forced to use fragile browser automation workarounds

Evidence/examples

Additional information

This is increasingly common in enterprise environments as organizations move toward Zero Trust security models. Microsoft itself recommends federated credentials over client secrets for production workloads.
