I'm implementing a Microsoft Teams incoming webhook and I got worried about some bad guy getting the webhook link and sending spam, getting messages from the team and so on. So I'd like to know how secure this feature is. Is there anything that I can do to improve the webhook security?
You can bring Microsoft Teams Incoming Webhook security to the next level using Azure Logic Apps:
It provides the following security levels:
Better control over who can create and use a webhook:
You can rely on Azure RBAC built-in roles for Azure Logic App to define your access policy. The configuration of the webhook is done in Azure and no configuration information is available from Microsoft Teams.
More options to authenticate the event emitter: There are different ways to authenticate an emitter and Azure Logic App provides a wide range of options to do that - These methods come in addition to the SAS signature or can replace it.
To name the most requested ones in the context of incoming webhooks, we have:
Source IP whitelisting
Basic authentication / HTTP header access keys
Azure AD OAuth 2.0 token
Protect users from the content published into Teams:
With Azure Logic App, you will capture all requests to the webhook because you have control over the endpoint (versus incoming webhooks hosted and exposed via the O365 platform) - When the workflow is triggered, you can add action steps to your workflow to:
Validate the schema of the payload (in case inappropriate JSON content is pushed)
Log this request into an external system - e.g. you can push this payload or log this event into Azure Monitor and process the content in Azure Sentinel using Logic App built-in connectors.
Map / aggregate / curate / enrich / .... the incoming content and format the message to be pushed in Teams using Adaptive Cards.
Reference doc: https://www.linkedin.com/pulse/bring-microsoft-teams-incoming-webhook-security-next-level-kinzelin/?msclkid=58f6ddafd0eb11eca9ccc0356553ed5c
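The validate-then-format steps from the answer above, written out as an added Python example (not code from the answer or the linked article): this is what an endpoint you control, whether a Logic App action or a small service, does between the emitter's raw request and the Adaptive Card that reaches Teams. The three-field payload schema and the severity values are assumptions for the example.

```python
import json

# Constructed schema for what the emitter is allowed to send. Anything else is
# rejected before it can be rendered into the Teams channel.
ALLOWED_FIELDS = {"title", "severity", "text"}
ALLOWED_SEVERITIES = {"info", "warning", "critical"}
MAX_TEXT_LEN = 2000


def validate_payload(raw: str) -> dict:
    """Parse the emitter's JSON body and enforce the expected schema.
    Raises ValueError for anything that does not match."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field in ALLOWED_FIELDS:
        if not isinstance(body.get(field), str) or not body[field].strip():
            raise ValueError(f"{field!r} must be a non-empty string")
    if body["severity"] not in ALLOWED_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(ALLOWED_SEVERITIES)}")
    if len(body["text"]) > MAX_TEXT_LEN:
        raise ValueError("text exceeds the allowed length")
    return body


def to_teams_message(body: dict, source: str) -> dict:
    """Re-render the validated fields as an Adaptive Card message for Teams.
    Only curated fields are forwarded; the raw request never passes through."""
    card = {
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "type": "AdaptiveCard",
        "version": "1.4",
        "body": [
            {"type": "TextBlock", "size": "Large", "weight": "Bolder",
             "text": body["title"]},
            {"type": "TextBlock", "text": f"Severity: {body['severity']}"},
            {"type": "TextBlock", "wrap": True, "text": body["text"]},
            {"type": "TextBlock", "isSubtle": True, "text": f"Source: {source}"},
        ],
    }
    return {"type": "message",
            "attachments": [{"contentType": "application/vnd.microsoft.card.adaptive",
                             "content": card}]}
```

The returned dict is the JSON body a Logic App (or any relay) would post to the Teams channel; `source` is whatever identity the emitter authenticated with (IP, header key or OAuth client), so the channel can see where each message came from.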
I have an Outlook add-in that I've built using Yeoman. The add-in communicates with a server API on my server to combine data from an email with additional data from a database that a user has saved against an email address. This is all working great.
Next I want to store a copy of the email server side, as a file on disk, .msg preferred but I'll take a .eml if that's the only option.
I have 2 options but don't know if either are possible. Either the add-in generates the .msg file and posts it to the server API OR the server-side API generates the .msg file directly. I have got the server side using the Outlook v2 API and able to pull back the email information when the client passes it the token, id etc. If it could just generate/download a .msg file server side this would be ideal.
As a side note, many of the Microsoft API pages point out the deprecation of the Outlook API in favor of the Graph API, however there are inconsistent links between the pages and it gets confusing. I have discovered the token from getCallbackTokenAsync only works with the Outlook API and not Graph, but I can't find out a way to generate a Graph-compatible token. All the example code from MS uses Office.context.mailbox.restUrl which still gives the Outlook API URL and not Graph!
So I guess I'm trying to find out if it's even possible to get/generate a .msg or .eml file either client side using outlook.js or server side using one of the APIs. Thank you.
I can get message data both client and server side but cannot get a physical email file.
The Office JavaScript API (OfficeJS) doesn't provide anything for saving messages as msg files (or getting streams). The best you could do is to use the Graph API, where you could get the EML file; see Get MIME content of a message for more information.
The server-side code may use the OAuth 2.0 On-Behalf-Of flow (OBO) to request a new access token with permissions to Microsoft Graph. Read more about that in the Authorize to Microsoft Graph with SSO article.
The on-behalf-of (OBO) flow describes the scenario of a web API using an identity other than its own to call another web API. Referred to as delegation in OAuth, the intent is to pass a user's identity and permissions through the request chain.
For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform. It only uses delegated scopes and not application roles. Roles remain attached to the principal (the user) and never to the application operating on the user's behalf. This occurs to prevent the user gaining permission to resources they shouldn't have access to. See Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow for more information.
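The two server-side steps the answer describes, as an added Python example (not Eugene's code or Microsoft's): the On-Behalf-Of exchange and the Graph MIME download. It assumes the add-in sends the server the SSO token it obtained via OfficeRuntime.auth.getAccessToken, as in the SSO article cited above, and that the tenant, app registration and scope placeholders are filled in.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders: your tenant, the add-in's app registration, and
# the delegated Graph scope that allows reading the signed-in user's mail.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<add-in-app-client-id>"
CLIENT_SECRET = "<client-secret>"
GRAPH_SCOPE = "https://graph.microsoft.com/Mail.Read"


def token_endpoint(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_obo_request(client_id: str, client_secret: str,
                      user_assertion: str, scope: str) -> dict:
    """Form fields of an On-Behalf-Of token request: the middle tier presents
    the user's SSO token as the assertion and asks for a delegated scope only,
    so the returned token carries the user's permissions, not the app's."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


def mime_url(message_id: str) -> str:
    """Graph endpoint that returns a message as raw MIME (.eml)."""
    return ("https://graph.microsoft.com/v1.0/me/messages/"
            f"{urllib.parse.quote(message_id, safe='')}/$value")


def exchange_token(user_assertion: str) -> str:
    """Perform the OBO exchange (network call) and return the Graph token."""
    fields = build_obo_request(CLIENT_ID, CLIENT_SECRET, user_assertion, GRAPH_SCOPE)
    req = urllib.request.Request(token_endpoint(TENANT_ID),
                                 data=urllib.parse.urlencode(fields).encode(),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_eml(graph_token: str, message_id: str) -> bytes:
    """Download the message's MIME content; write the bytes out as a .eml file."""
    req = urllib.request.Request(mime_url(message_id),
                                 headers={"Authorization": f"Bearer {graph_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```

The message id passed to `fetch_eml` must be in Graph/REST format; an id taken from Office.context.mailbox.item.itemId is in EWS format and needs Office.context.mailbox.convertToRestId on the client first.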
Eugene's answer is good. If ultimately you need to get that message to your backend service, using Graph as Eugene described would be the recommended approach. If for whatever reason you are still looking for a capability to access it on the client using Office.js, it is not a part of the product. We track Outlook add-in feature requests on our Tech Community Page. Please submit your request there and choose the appropriate label(s). Feature requests on Tech Community are considered when we go through our planning process. Note there are already a couple of similar ideas there, if you search for the "eml" keyword, that you may want to upvote.
What am I trying to accomplish?
Send an API (chat.postMessage) from a 3rd party app to a Slack user - Done
The message will have two buttons (approve and decline) which the user can click on - Done
Upon clicking on one of the buttons, Slack should send an API back to the 3rd party app - TBD
Before sending an API, Slack should retrieve an authentication token via API - TBD
Note: I've seen mentions in the Slack docs of the /incoming endpoint (also /interactive-message). My 3rd party app has a strict set of available APIs. I'm not able to create new API endpoints. Also, I need the payload to be sent in a specific JSON structure.
I've reviewed Slack documentation but I can't figure it out.
Making notifications actionable
I'm technical but not a developer so there might be nuances which I'm missing.
Is there any section in Slack where I can add custom code to accomplish such integration?
If not, how can I accomplish it?
Edit:
I've configured a Request URL (in Slack); when I click on one of the buttons in the message, I can see an API request is being sent to the URL.
I'm able to see the payload as well.
My problem is that I need the information to be sent in a different format and to a different endpoint.
What is the best approach to take for this? Do I need to develop a new service to capture and parse the payload and then generate the API request to my 3rd party app?
Ok, so here is how I've accomplished it.
Upon clicking a button in Slack, Slack sends an API call with a certain payload to the predefined endpoint which you configure (Request URL).
I've used free tier AWS serverless components:
API Gateway and Lambda
API Gateway receives the payload and invokes the Lambda function (I used Python as it seems the easiest for a non-developer)
My Lambda function is processing the payload and has the logic to interact with my 3rd party app in the required way.
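An added Python example of the Lambda function described above (not the poster's code): it authenticates the request using the Slack app's signing secret, which covers the "authentication token" part of the question, parses the interactive `payload` field that Slack posts to the Request URL, and maps the approve/decline click onto a constructed third-party JSON shape. The signing secret value, the target schema and the `lambda_handler` name for an API Gateway proxy integration are assumptions.

```python
import hashlib
import hmac
import json
import time
import urllib.parse

# Assumed: the signing secret from the Slack app's "Basic Information" page,
# normally read from an environment variable. Constructed placeholder here.
SLACK_SIGNING_SECRET = "constructed-signing-secret"
DECISIONS = {"approve": "APPROVED", "decline": "DECLINED"}


def slack_signature(timestamp: str, raw_body: str, secret: str) -> str:
    """HMAC-SHA256 over 'v0:<timestamp>:<body>' keyed with the signing secret."""
    base = f"v0:{timestamp}:{raw_body}".encode()
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(headers, raw_body, secret, now=None, max_age=300):
    """Signature must match and the timestamp must be fresh (blocks replays)."""
    ts = headers.get("x-slack-request-timestamp", "")
    if not ts.isdigit():
        return False
    if abs((now if now is not None else time.time()) - int(ts)) > max_age:
        return False
    expected = slack_signature(ts, raw_body, secret)
    return hmac.compare_digest(expected, headers.get("x-slack-signature", ""))


def to_third_party_request(payload: dict) -> dict:
    """Map Slack's block_actions payload onto the JSON the third-party app
    expects (constructed target schema)."""
    action = payload["actions"][0]
    return {"requestId": action["value"],
            "decision": DECISIONS[action["action_id"]],
            "decidedBy": payload["user"]["username"]}


def lambda_handler(event, context=None):
    """API Gateway proxy-integration entry point for the Slack Request URL."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    raw_body = event.get("body") or ""
    if not verify_slack_request(headers, raw_body, SLACK_SIGNING_SECRET):
        return {"statusCode": 401, "body": "invalid Slack signature"}
    try:
        # Slack posts form-encoded data with the JSON under the 'payload' key.
        payload = json.loads(urllib.parse.parse_qs(raw_body)["payload"][0])
        if payload.get("type") != "block_actions":
            raise ValueError("unexpected payload type")
        outbound = to_third_party_request(payload)
    except (KeyError, ValueError, IndexError):
        return {"statusCode": 400, "body": "malformed payload"}
    return {"statusCode": 200, "body": json.dumps(outbound)}
```

The HTTP call that delivers `outbound` to the third-party app goes where the handler builds its 200 response; a 401 or 400 is returned before anything is forwarded.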
I have a Microsoft Teams bot and I am looking for the best way for me to authenticate incoming requests since I just have an exposed endpoint. Would it be possible to make the incoming requests from Teams to my bot have custom headers with custom authentication?
You would need to implement user authentication into your bot to control access to those commands and resources which require access to a specific user's data. Here is the documentation on user auth in bot builder to get you started.
I want to pull some metrics daily, posted in my Slack channel. These metrics are located in my personal server, and to pull them via REST API basic authentication is also required.
Does Slack support this? In other words, can Slack make external API calls in such a way?
And if yes, how?
To achieve this, you need to create a custom application (bot).
You can implement your custom business logic and then use slack APIs to post generated data to Slack Client.
https://slack.com/intl/en-in/help/articles/115005265703-Create-a-bot-for-your-workspace
I'm looking for a solution where my bot can understand users' requests (maybe with LUIS this can be achieved) and verifies/validates the user/requirement with master data. If all good, then connect to my native database (Siebel CRM via API) to perform the defined action and log a reference ticket (via API) and finally send an email to the user using Outlook. Is this achievable using Azure services?
Yes, the Bot Framework can do all of those things:
my bot can understand users' requests
LUIS is perfect for this.
verifies/validates the user/requirement with master data
All of this can be done within Waterfall dialogs or Prompts. You can either store the master data in the bot code, or query it from an external source and have the bot validate against it.
Here's a good sample for prompts and validation.
connect to my native database (Siebel CRM via API) to perform the defined action and log a reference ticket (via API)
The bot runs on C#/Node, so anything (including calling your APIs) that you can do in C#/Node, you can do in your bot.
send an email to the user using Outlook
Bot Framework has a specific Email Channel for this or you can use the Graph API.
Recommended Resources
Docs and QuickStarts
Samples Repo
Reference Docs: C# / TypeScript
LUIS Docs