Skip to main content

Auth Flows

OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.

Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.

Token resolution order for normal commands:

  1. TEAMS_CLI_ACCESS_TOKEN.
  2. OS keyring token for the selected profile.
  3. Authentication error.

Client ID and tenant ID resolution order is CLI flag, environment variable, then profile config.