Tenant Conditional Access

Tenant policy can block user consent, require admin approval, restrict device code, or block unverified apps.

Common symptoms

  • Login says admin approval is required.
  • Device-code login is blocked by Conditional Access.
  • The consent prompt shows an unverified publisher warning.
  • The auth doctor check succeeds locally, but Graph calls return 403.
  • A command works for one user and fails for another because their Teams membership or the directory policy that applies to them differs.

Generate the tenant-specific admin consent URL:

teams auth consent-url --tenant-id <tenant-id-or-domain> --output json

Before approving, confirm the app identity and scopes in Security and Consent.
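As an added example (not part of the OSO Teams CLI), the following Python check parses an admin consent URL and compares the requested app ID and scopes against what the reviewing admin expects. It assumes the CLI emits a standard Microsoft Entra v2.0 admin consent URL; the tenant, client ID and scope set below are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of an Entra v2.0 admin consent URL (placeholder tenant, client ID and scopes).
SAMPLE_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/adminconsent"
    "?client_id=00000000-0000-0000-0000-000000000001"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2FChat.Read%20"
    "https%3A%2F%2Fgraph.microsoft.com%2FTeam.ReadBasic.All%20offline_access"
    "&redirect_uri=http%3A%2F%2Flocalhost"
)

# What the admin expects: the app ID documented for the CLI (placeholder here)
# and the exact scope set this deployment was approved for.
EXPECTED_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
ALLOWED_SCOPES = {
    "https://graph.microsoft.com/Chat.Read",
    "https://graph.microsoft.com/Team.ReadBasic.All",
    "offline_access",
}


def parse_consent_url(url):
    """Split an admin consent URL into host, tenant, endpoint, client_id and requested scopes."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    path = [p for p in parts.path.split("/") if p]
    return {
        "host": parts.hostname,
        "tenant": path[0] if path else None,
        "endpoint": path[-1] if path else None,
        "client_id": query.get("client_id", [None])[0],
        # scope is a space-separated list; parse_qs has already URL-decoded it
        "scopes": set(query.get("scope", [""])[0].split()),
    }


def review_consent_url(url, expected_client_id, allowed_scopes):
    """Return a list of findings; an empty list means the URL matches expectations."""
    info = parse_consent_url(url)
    findings = []
    if info["host"] != "login.microsoftonline.com":
        findings.append(f"unexpected host {info['host']!r}")
    if info["endpoint"] != "adminconsent":
        findings.append(f"not an admin consent endpoint: {info['endpoint']!r}")
    if info["client_id"] != expected_client_id:
        findings.append(f"client_id {info['client_id']!r} does not match the documented app")
    extra = sorted(info["scopes"] - allowed_scopes)
    if extra:
        findings.append(f"scopes beyond the approved set: {extra}")
    return findings
```

Run it against the URL the consent-url command printed for your tenant; any finding means the link should not be approved until the difference is explained.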

BYO app fallback

Use BYO app mode when the customer requires a tenant-owned registration.

teams auth login --device-code --client-id <customer-client-id> --tenant-id <tenant-id>

BYO app mode is also the right path when a tenant wants a narrower permission set than the default OSO shared app.

Conditional Access checks

Ask the tenant admin to review:

  • Sign-in logs for the OSO Teams CLI enterprise application.
  • Conditional Access result details for the failed sign-in.
  • Whether device-code flow is permitted.
  • Whether only verified publishers are allowed.
  • Whether user consent is disabled and admin consent workflow is required.
  • Whether the user is allowed to access the target team, channel, chat, or presence information.

Revocation

If access must be removed, clear both the local side and the tenant side:

teams auth logout --all

Then revoke consent, disable, or delete the enterprise application in Microsoft Entra.