Skip to main content

Authentication

OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.

Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.

Why people reach for token capture tools

Tools such as fossteams/teams-token are attractive because they appear to avoid Entra app registration, delegated consent prompts, and admin approval workflows. That is a useful product signal: Teams CLI auth needs to be simple, easy to troubleshoot, and explicit about which token is being used.

The default OSO public client app exists to reduce that setup friction while staying inside Microsoft identity and Microsoft Graph rules. It still cannot bypass tenant policy. If a tenant blocks user consent or third-party apps, use admin consent or a customer-owned Entra app instead of importing a captured Teams client token.

Token audience rule

All normal commands call Microsoft Graph, so they require a Microsoft Graph access token. TEAMS_CLI_ACCESS_TOKEN must contain a token whose audience is Microsoft Graph, not a Teams, Skype, ChatSvcAgg, or ID token.

Do not import ~/.config/fossteams/token-teams.jwt, token-skype.jwt, or token-chatsvcagg.jwt. Those tokens are issued for Teams-specific resources and will fail against Graph with InvalidAuthenticationToken: Invalid audience.

Default OSO app

The default app is a Microsoft Entra public client app:

  • Display name: OSO Teams CLI
  • Public client ID: fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595
  • Authority: organizations
  • Redirect URI: http://localhost:8400/callback
  • Publisher domain: oso.sh

The client ID is public and is not a secret. Because this is a local CLI, the app does not embed a client secret. Users authenticate with Microsoft, and the CLI receives delegated Microsoft Graph tokens for the signed-in user.

Security model

For normal CLI use:

  • OSO does not receive the user's password, access token, refresh token, or Teams content.
  • The CLI calls Microsoft Graph directly from the local machine or runner where it is installed.
  • Tokens are stored in the OS credential store for the selected profile.
  • Access is bounded by Microsoft Graph delegated scopes, Graph authorization for the signed-in user, and tenant policy.
  • Tenant admins can revoke consent or block the enterprise application in Entra.

Read Security and Consent before approving production tenant access.

Diagnose auth

teams auth doctor --output json
teams auth status --output json