Security
Security starts with least privilege and explicit identity.
Identity and consent
- Prefer delegated auth for user actions.
- Use the OSO multi-tenant public client app for standard rollouts.
- Use BYO Entra app mode when tenant policy requires internal ownership or narrower scopes.
- Review all delegated Microsoft Graph permissions before granting tenant-wide admin consent.
- Require publisher details to match OSO before production approval.
See Security and Consent for the admin-facing trust model.
Token handling
- Store tokens only in the OS keyring or an approved enterprise vault.
- Treat access tokens and refresh tokens as credential material.
- Do not write token values to CI logs, agent traces, debug output, tickets, or chat messages.
- Use short-lived tokens passed through the process environment only for tightly controlled automation.
- Run teams auth logout --all during endpoint decommissioning.
Agent safety
- Use --output json and branch on exit code before parsing output.
- Give agents the minimum set of commands required for the workflow.
- Deny destructive commands such as delete, archive, unarchive, member removal, and app uninstall unless policy explicitly allows them.
- Use dedicated Teams test channels for smoke tests.
- Redact Teams message content, user IDs, tenant IDs, and channel IDs from shared logs unless needed for support.
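One way to enforce the agent-safety rules above in a wrapper that an agent calls instead of the CLI. This is an added example, not OSO's code. The subcommand names in ALLOWED and the verb spellings in DENIED_VERBS are assumptions; replace them with the commands your workflow actually needs.

```python
import json
import re
import subprocess
import sys

# Assumed policy values, not taken from the CLI's documentation.
ALLOWED = {("channel", "list"), ("message", "send")}  # hypothetical subcommands
DENIED_VERBS = {"delete", "archive", "unarchive", "remove", "uninstall"}

# GUID-shaped user/tenant IDs, Teams thread-style channel IDs, JWT-shaped tokens.
MASKS = [
    (re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"), "<id>"),
    (re.compile(r"\b19:[\w-]+@thread\.\w+"), "<id>"),
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "<token>"),
]


def redact(text):
    """Mask identifiers and token-shaped strings before text reaches a log."""
    for pattern, mask in MASKS:
        text = pattern.sub(mask, text)
    return text


def run_guarded(cli, args, allowed=ALLOWED):
    """Run cli + args with --output json; return parsed JSON only on exit code 0."""
    # Fail closed: the command must be allowlisted and contain no denied verb.
    if tuple(args[:2]) not in allowed or DENIED_VERBS & set(args):
        raise PermissionError(f"blocked by agent policy: {' '.join(args[:2])}")
    proc = subprocess.run([*cli, *args, "--output", "json"],
                          capture_output=True, text=True, timeout=60)
    if proc.returncode != 0:
        # Branch on the exit code first: stdout is never parsed on failure,
        # and stderr is redacted before it can reach a shared log.
        raise RuntimeError(redact(f"exit {proc.returncode}: {proc.stderr.strip()}"))
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed stand-in for the real CLI so the example runs offline.
    fake = [sys.executable, "-c",
            "import sys; sys.stderr.write("
            "'tenant 11111111-2222-3333-4444-555555555555 denied'); sys.exit(3)"]
    try:
        run_guarded(fake, ["channel", "list"])
    except RuntimeError as err:
        print(err)
```

The wrapper never logs stdout, so Teams message content stays out of agent traces unless the caller writes it there deliberately.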
Tenant controls
Admins should control rollout through Entra and endpoint policy:
- Admin consent workflow.
- Conditional Access for MFA, compliant device, sign-in risk, and sign-in frequency.
- Enterprise application review and revocation.
- Device-code flow policy where required.
- CI runner isolation for automation profiles.
Data flow
For CLI-only use, the installed CLI calls Microsoft Graph directly. OSO does not receive Teams content or tokens just because a tenant grants consent. If a future hosted gateway or bot mode is used, review that product's separate data processing and network path.