Authentication
OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.
Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.
Default OSO app
The default app is a Microsoft Entra public client app:
- Display name:
OSO Teams CLI - Public client ID:
fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595 - Authority:
organizations - Redirect URI:
http://localhost:8400/callback - Publisher domain:
oso.sh
The client ID is public and is not a secret. Because this is a local CLI, the app does not embed a client secret. Users authenticate with Microsoft, and the CLI receives delegated Microsoft Graph tokens for the signed-in user.
Security model
For normal CLI use:
- OSO does not receive the user's password, access token, refresh token, or Teams content.
- The CLI calls Microsoft Graph directly from the local machine or runner where it is installed.
- Tokens are stored in the OS credential store for the selected profile.
- Access is bounded by Microsoft Graph delegated scopes, Graph authorization for the signed-in user, and tenant policy.
- Tenant admins can revoke consent or block the enterprise application in Entra.
Read Security and Consent before approving production tenant access.
Diagnose auth
teams auth doctor --output json
teams auth status --output json