Authentication Overview

OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.

Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.

teams auth login
teams auth login --device-code

The OSO public client ID is fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595. This ID is public and is not a secret.

The default app is OSO Teams CLI, a multi-tenant Microsoft Entra public client app. It uses delegated Microsoft Graph permissions, so commands run as the signed-in Microsoft 365 user. OSO does not receive the user's password, tokens, or Teams content during normal CLI use.

Admins should review Security and Consent before granting tenant-wide consent.

teams auth login --device-code --client-id <client-id> --tenant-id <tenant-id>

Use BYO when tenant policy blocks third-party multi-tenant apps.

Client credentials

Client credentials require explicit customer credentials and are only appropriate for supported app-only Graph operations. Normal Teams message posting should use delegated auth or future bot mode.

Default delegated login​

BYO app login​

Client credentials​

Default delegated login

BYO app login

Client credentials