Teams Bot SSO On-Behalf-Of Downstream Graph Token Exchange Prompt
Implement the On-Behalf-Of flow that exchanges a Teams SSO token for a downstream Microsoft Graph access token inside a bot, including consent fallback
- Target user: engineers building Microsoft Teams ChatOps with delegated Graph access
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who builds Microsoft Teams automation and implements the OAuth 2.0 On-Behalf-Of (OBO) flow for Teams SSO bots.

I will provide:

- My Entra app registration details (client ID, the exposed API scope `api://.../access_as_user`, and the delegated Graph scopes I need)
- My bot runtime (Bot Framework SDK language, and where I receive the SSO token: the Teams JS `getAuthToken` call or the `signin/tokenExchange` invoke)
- The downstream call I want to make (which Graph endpoint and why)

Your job:

1. **Trace the token path**: show how the SSO token arrives at the bot (`signin/tokenExchange` invoke or the OAuthPrompt TeamsSSO connection), and confirm its `aud` is the bot's own exposed API (the App ID URI or client ID). It is not a Graph token yet and must never be sent to Graph directly.
2. **Build the OBO request**: produce the exact POST to `/oauth2/v2.0/token` with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, `requested_token_use=on_behalf_of`, `assertion=<SSO token>`, `client_id`, the client secret (or a certificate `client_assertion`), and the Graph scopes in `scope`.
3. **Handle consent gaps**: detect an `invalid_grant` response with suberror `consent_required` (AADSTS65001) or an `interaction_required` response, and fall back to the OAuth card / sign-in flow to collect the missing consent instead of retrying the exchange.
4. **Cache and refresh**: describe per-user token caching keyed by tenant ID plus AAD object ID (`tid` + `oid`; `oid` alone is not unique across tenants), and how to refresh before expiry without re-prompting the user.
5. **Validate the assertion**: verify the incoming token's signature and issuer against the tenant's signing keys, then its `aud` and `scp`, before the exchange, so I do not forward a token meant for another resource.
6. **Make the Graph call**: show the downstream call using the exchanged token, and surface Graph's own 401 (token rejected) and 403 (permission missing) distinctly from the consent errors in step 3.

Output as: a sequence diagram in text, annotated code for the OBO exchange, the consent-fallback branch, and a checklist of Entra app configuration (exposed scope, pre-authorized Teams client IDs, redirect URIs, admin consent). Do not log raw tokens or assertions; if any scope, endpoint or error code is uncertain, flag it and tell me to verify against the current Microsoft Entra OAuth documentation.
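The six steps above as one offline-runnable module. This is an added example written for this page, not code from the original prompt or from the Bot Framework SDK. Hypothetical values: the bot's App ID URI `api://bot.example.com/00000000-0000-0000-0000-000000000001`, the exposed scope `access_as_user`, and an injected `post` callable standing in for the HTTP client so the token endpoint can be faked. The SSO token's signature and issuer are assumed to be verified by a JWKS-backed validator before `exchange_for_graph` runs; only the claims are checked here.

```python
"""Teams SSO token -> Microsoft Graph On-Behalf-Of (OBO) exchange.

Added example, not from the original page. Hypothetical App ID URI, scope
and `post` callable; signature/issuer validation of the SSO token is assumed
to happen before this code and is NOT done here.
"""
import base64
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline runs (placeholder signature).
    Real SSO tokens are RS256-signed by Entra; never accept an unsigned one."""
    return f"{_b64url(json.dumps({'alg': 'none'}).encode())}.{_b64url(json.dumps(claims).encode())}.x"


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def check_sso_assertion(token: str, app_id_uri: str, client_id: str,
                        required_scope: str, now: Optional[float] = None) -> dict:
    """Step 5: refuse to forward a token not addressed to this bot. Entra sets
    `aud` to the App ID URI or the bare client ID, so both are accepted; a
    Graph token (aud https://graph.microsoft.com) is rejected here."""
    claims = jwt_claims(token)
    if claims.get("aud") not in (app_id_uri, client_id):
        raise PermissionError(f"assertion audience {claims.get('aud')!r} is not this bot")
    if required_scope not in str(claims.get("scp", "")).split():
        raise PermissionError(f"assertion lacks scope {required_scope!r}")
    if float(claims.get("exp", 0)) <= (now if now is not None else time.time()):
        raise PermissionError("assertion expired")
    return claims


def build_obo_request(tenant: str, client_id: str, client_secret: str,
                      assertion: str, graph_scopes: List[str]) -> Tuple[str, Dict[str, str]]:
    """Step 2: URL and form fields of the OBO POST (send x-www-form-urlencoded)."""
    body = {"grant_type": OBO_GRANT, "client_id": client_id, "client_secret": client_secret,
            "assertion": assertion, "scope": " ".join(graph_scopes),
            "requested_token_use": "on_behalf_of"}
    return TOKEN_URL.format(tenant=tenant), body


def classify_token_response(status: int, body: dict) -> str:
    """Step 3: 'ok' | 'consent_required' | 'interaction_required' | 'error'."""
    if status == 200 and body.get("access_token"):
        return "ok"
    err, sub = body.get("error"), body.get("suberror")
    if err == "invalid_grant" and (sub == "consent_required" or 65001 in body.get("error_codes", [])):
        return "consent_required"
    if err == "interaction_required":
        return "interaction_required"
    return "error"


def classify_graph_response(status: int) -> str:
    """Step 6: 401 = exchanged token rejected (re-exchange); 403 = token valid but
    permission missing (check scopes); neither is a consent prompt."""
    return {401: "unauthorized", 403: "forbidden"}.get(status, "ok" if 200 <= status < 300 else "error")


class TokenCache:
    """Step 4: per-user cache keyed by tenant + object ID, refreshed 60 s early."""
    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def get(self, tid: str, oid: str, now: Optional[float] = None) -> Optional[str]:
        item = self._items.get((tid, oid))
        t = now if now is not None else time.time()
        return item[0] if item and item[1] - 60 > t else None

    def put(self, tid: str, oid: str, token: str, expires_in: int, now: Optional[float] = None) -> None:
        t = now if now is not None else time.time()
        self._items[(tid, oid)] = (token, t + expires_in)


def exchange_for_graph(sso_token: str, cfg: dict, cache: TokenCache,
                       post: Callable[[str, Dict[str, str]], Tuple[int, dict]],
                       now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Steps 1-5 in order: validate assertion -> cache -> OBO -> classify.
    Returns (outcome, graph_token); the assertion and token are never logged."""
    claims = check_sso_assertion(sso_token, cfg["app_id_uri"], cfg["client_id"], cfg["exposed_scope"], now)
    tid, oid = claims["tid"], claims["oid"]
    cached = cache.get(tid, oid, now)
    if cached:
        return "ok", cached
    url, body = build_obo_request(cfg["tenant"], cfg["client_id"], cfg["client_secret"],
                                  sso_token, cfg["graph_scopes"])
    status, resp = post(url, body)
    outcome = classify_token_response(status, resp)
    if outcome == "ok":
        cache.put(tid, oid, resp["access_token"], int(resp.get("expires_in", 3600)), now)
        return "ok", resp["access_token"]
    return outcome, None
```

In the bot, `consent_required` and `interaction_required` map to the sign-in branch (an OAuthPrompt or OAuth card for the Graph scopes), `ok` proceeds to the Graph call, and anything else is an operational failure to alert on. If you use MSAL, `ConfidentialClientApplication.acquire_token_on_behalf_of` builds the same request and caches per user; the raw form is shown here because the prompt asks for the exact token-endpoint call.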