Permissions Matrix
OSO MS Teams CLI uses delegated Microsoft Graph permissions for normal user actions. Delegated permissions allow the CLI to act on behalf of the signed-in user after Microsoft sign-in and consent.
Current OSO app scopes
The default OSO public client app currently requests these delegated scopes:
| Scope | Used for | Consent and security note |
|---|---|---|
| User.Read | Sign in and read the signed-in user's basic profile. | Baseline delegated sign-in scope. |
| offline_access | Keep the profile signed in without prompting on every command. | Creates refresh-token material in the local credential store. |
| Team.ReadBasic.All | List teams and resolve team IDs. | Review tenant policy for team discovery. |
| Channel.ReadBasic.All | List channels and resolve channel IDs. | Required for channel workflows. |
| ChannelMessage.Send | Send channel messages. | Messages are sent as the signed-in user. |
| ChannelMessage.Read.All | Read channel messages for channel workflows. | High-impact scope; requires admin review. |
| Chat.ReadWrite | Work with chat objects and chat workflows. | High-impact delegated chat access. |
| ChatMessage.Read | Read chat messages. | Meeting or restricted chats can still deny reads. |
| ChatMessage.Send | Send chat messages. | Messages are sent as the signed-in user. |
| User.ReadBasic.All | Resolve users for member and mention workflows. | Exposes basic directory profile data through Graph. |
| Presence.Read.All | Read user presence. | Tenant policy can restrict presence access. |
Feature mapping
| Feature | Normal permission model | Notes |
|---|---|---|
| Sign in and profile | Delegated User.Read | Default login path. |
| Team and channel discovery | Delegated Team.ReadBasic.All, Channel.ReadBasic.All | Required before channel operations. |
| Channel message send | Delegated ChannelMessage.Send | App-only normal sends are blocked. |
| Channel message read | Delegated ChannelMessage.Read.All | Broad channel-read permission; admin review recommended. |
| Chat message send | Delegated ChatMessage.Send | App-only normal sends are blocked. |
| Chat read | Delegated ChatMessage.Read or Chat.ReadWrite | Meeting chats may still deny access. |
| Presence read | Delegated Presence.Read.All | Tenant policy can restrict. |
| User lookup | Delegated User.ReadBasic.All | Used for member and mention workflows. |
| Files | Additional delegated file permissions may be required by tenant or release. | Use BYO app if you need tight scope control. |
| App-only admin reads | Application permissions where supported. | Validate per Graph endpoint. Not the normal CLI message model. |
Use auth doctor to inspect the token type (delegated or app-only) of the current sign-in.
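The following is an added example, not part of the OSO CLI, that performs the same kind of inspection an operator would want before troubleshooting a feature: it reads the claims of an access token, classifies it as delegated (space-separated `scp` claim) or app-only (`roles` claim), lists the high-impact scopes the tables above flag, and reports which feature rows of the mapping are not satisfied. The feature-to-scope mapping is copied from the table above; where the table lists alternatives ("ChatMessage.Read or Chat.ReadWrite") the example assumes any one of them satisfies the row. The sample token is constructed and unsigned; the code inspects claims only and verifies no signature.

```python
import base64
import json

# Feature -> list of scope alternatives, from the feature mapping table.
# Each inner set is satisfied by any one of its members (assumption for "A or B" rows).
FEATURE_SCOPES = {
    "sign in and profile": [{"User.Read"}],
    "team and channel discovery": [{"Team.ReadBasic.All"}, {"Channel.ReadBasic.All"}],
    "channel message send": [{"ChannelMessage.Send"}],
    "channel message read": [{"ChannelMessage.Read.All"}],
    "chat message send": [{"ChatMessage.Send"}],
    "chat read": [{"ChatMessage.Read", "Chat.ReadWrite"}],
    "presence read": [{"Presence.Read.All"}],
    "user lookup": [{"User.ReadBasic.All"}],
}
# Scopes the scope table marks as high impact / needing admin review.
HIGH_IMPACT = {"ChannelMessage.Read.All", "Chat.ReadWrite"}


def decode_claims(token):
    """Return the JWT payload as a dict. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_type(claims):
    """Delegated tokens carry a space-separated 'scp'; app-only tokens carry a 'roles' list."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def audit(token):
    """Classify the token and report high-impact scopes and unsatisfied feature rows."""
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())
    missing = {}
    for feature, requirements in FEATURE_SCOPES.items():
        gaps = [sorted(alts) for alts in requirements if not (alts & scopes)]
        if gaps:
            missing[feature] = gaps
    return {"type": token_type(claims), "high_impact": sorted(scopes & HIGH_IMPACT), "missing": missing}


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed sample: a delegated token holding only the sign-in and send scopes.
SAMPLE = make_unsigned_token({"scp": "User.Read offline_access ChannelMessage.Send ChatMessage.Send"})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Run against a real token, the "missing" map tells you which feature rows will fail before the CLI makes a Graph call, and "high_impact" shows which scopes warrant the admin review the tables call for.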
For the admin-facing trust model, read Security and Consent.