Entra App Setup
Default OSO app
Most users do not need to create an app registration. They can run:
teams auth login --device-code
The default app is OSO's multi-tenant Microsoft Entra public client app:
| Field | Value |
|---|---|
| Display name | OSO Teams CLI |
| Client ID | fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595 |
| Authority | organizations |
| Redirect URI | http://localhost:8400/callback |
| Publisher domain | oso.sh |
This app does not use a client secret. That is expected for a desktop or command-line public client. The user signs in with Microsoft, and the CLI receives delegated Microsoft Graph tokens for that signed-in user.
Read Security and Consent before granting production tenant consent.
Admin consent
Generate a tenant-specific admin consent URL:
teams auth consent-url --tenant-id <tenant-id-or-domain> --output json
Before approving:
- Confirm the app name is
OSO Teams CLI. - Confirm the client ID matches
fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595. - Review the requested Microsoft Graph delegated permissions.
- Confirm the publisher details match OSO.
- Pilot with a small user group and non-sensitive team/channel.
If your tenant blocks third-party apps, requires a smaller scope set, or requires internal ownership, use a customer-owned app registration instead.
BYO app requirements
- Public client flows enabled.
- Redirect URI:
http://localhost:8400/callback. - Delegated Microsoft Graph permissions for the features in use.
- Admin consent where tenant policy requires it.
Recommended BYO setup:
teams auth login --device-code --client-id <customer-client-id> --tenant-id <tenant-id>
For locked-down tenants, grant only the delegated Graph scopes required by your approved commands. See permissions matrix.
Revoke access
Tenant admins can revoke access in Microsoft Entra by reviewing the enterprise application created for OSO Teams CLI, revoking Graph permissions, disabling the enterprise application, or deleting it from the tenant.
Users can clear local credentials with:
teams auth logout
teams auth logout --all