Skip to main content

Permissions Matrix

OSO MS Teams CLI uses delegated Microsoft Graph permissions for normal user actions. Delegated permissions allow the CLI to act on behalf of the signed-in user after Microsoft sign-in and consent.

Current OSO app scopes

The default OSO public client app currently requests these delegated scopes:

ScopeUsed forConsent and security note
User.ReadSign in and read the signed-in user's basic profile.Baseline delegated sign-in scope.
offline_accessKeep the profile signed in without prompting every command.Creates refresh-token material in the local credential store.
Team.ReadBasic.AllList teams and resolve team IDs.Review tenant policy for team discovery.
Channel.ReadBasic.AllList channels and resolve channel IDs.Required for channel workflows.
ChannelMessage.SendSend channel messages.Messages are sent as the signed-in user.
Chat.ReadWriteWork with chat objects and chat workflows.High-impact delegated chat access.
ChatMessage.ReadRead chat messages.Meeting or restricted chats can still deny reads.
ChatMessage.SendSend chat messages.Messages are sent as the signed-in user.
User.ReadBasic.AllResolve users for member and mention workflows.Exposes basic directory profile data through Graph.
Presence.Read.AllRead user presence.Tenant policy can restrict presence access.

The default does not request ChannelMessage.Read.All, because Microsoft marks that delegated Graph scope as admin-consent required. Add it explicitly with --scopes or use a customer-owned app when a workflow needs channel message reads.

Profiles can pin broader scope sets for a workflow:

[profiles.attachments]
scopes = "User.Read People.Read Chat.ReadWrite ChatMessage.Read ChatMessage.Send ChannelMessage.Send ChannelMessage.Read.All Files.Read.All Files.ReadWrite Files.ReadWrite.All offline_access"

After an admin grants consent, run teams auth refresh --profile attachments to redeem the stored refresh token for the resolved profile scopes.

Feature mapping

FeatureNormal permission modelNotes
Sign in and profileDelegated User.ReadDefault login path.
Team and channel discoveryDelegated Team.ReadBasic.All, Channel.ReadBasic.AllRequired before channel operations.
Channel message sendDelegated ChannelMessage.SendApp-only normal sends are blocked.
Channel message readDelegated ChannelMessage.Read.AllBroad channel-read permission; admin review recommended.
Chat message sendDelegated ChatMessage.SendApp-only normal sends are blocked.
Chat readDelegated ChatMessage.Read or Chat.ReadWriteMeeting chats may still deny access.
Presence readDelegated Presence.Read.AllTenant policy can restrict.
User lookupDelegated User.ReadBasic.All; People.Read improves user resolve.user resolve verifies People API hits through /users/{userPrincipalName} before returning an object ID.
Inline image read/downloadSame message-read scope as the message.Pasted images are Graph hosted contents. No file scope is needed.
Message file attachment downloadDelegated Files.Read.All.File references point at SharePoint/OneDrive and are downloaded through Graph shares.
Message file attachment sendDelegated Files.ReadWrite for chats; Files.ReadWrite.All for channels.--attach uploads to OneDrive or the team's SharePoint library before sending the message.
Channel filesDelegated file scopes such as Files.ReadWrite.All depending on operation.Use BYO app if you need tight scope control.
App-only admin readsApplication permissions where supported.Validate per Graph endpoint. Not the normal CLI message model.

Use auth doctor to inspect token audience, scopes, and roles.

For the admin-facing trust model, read Security and Consent.