Authentication Overview
OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.
Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.
Why not reuse a Teams client token?
Some users reach for tools such as fossteams/teams-token because they want Teams access without creating an Entra app or waiting for organization approval. That friction is real, and the OSO public client app is intended to make the supported path easier.
However, OSO MS Teams CLI calls Microsoft Graph. Captured Teams client tokens are issued for Teams-specific audiences, not Graph. They cannot be used with Graph commands and cannot be safely converted by the CLI. If Graph returns InvalidAuthenticationToken: Invalid audience, sign in through teams auth login, use a customer-owned Entra app, or provide a pre-obtained Microsoft Graph access token.
Default delegated login
teams auth login
teams auth login --device-code
The OSO public client ID is fba1b5d0-fdd0-4fe2-9729-9ccdc38f9595. This ID is public and is not a secret.
The default app is OSO Teams CLI, a multi-tenant Microsoft Entra public client app. It uses delegated Microsoft Graph permissions, so commands run as the signed-in Microsoft 365 user. OSO does not receive the user's password, tokens, or Teams content during normal CLI use.
Admins should review Security and Consent before granting tenant-wide consent.
BYO app login
teams auth login --device-code --client-id <client-id> --tenant-id <tenant-id>
Use BYO when tenant policy blocks third-party multi-tenant apps.
Client credentials
Client credentials require explicit customer credentials and are only appropriate for supported app-only Graph operations. Normal Teams message posting should use delegated auth or future bot mode.