Does anyone know of any resources for information / specifications / preview access to the MS Teams SIP Gateway that was the subject of a further announcement last week?
https://techcommunity.microsoft.com/t5/microsoft-teams-blog/introducing-operator-connect-and-more-teams-calling-updates/ba-p/2176398
There was some information previously regarding certification programmes ... (the link implies just S4B, but it covers Teams too).
https://learn.microsoft.com/en-us/SkypeForBusiness/certification/how-to-join
But this appears to be closed.
Thanks
Gavin
we have observed the same question raised by you through email, concerned team member will respond to you sure. For now we are closing this question as duplicate.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
Problem Statement:
We have created a FAQ Chatbot using MS Botframework V4, QnA Maker and LUIS. The Client's Information security team suspects if, anyone gets hold of the MicrosoftAppId of the chatbot then, anyone would be able to publish the Chatbot on any other MS Teams Subscription causing a security Threat.
Condition: The client is not in favor of adding an extra Authentication prompt where the users would have to login despite being logged in MS Teams
Query:
Having read the problem statement, could anyone please help me with a technique/Methodology where we can restrict down the ChatBot to be usable only from the Client Organization's MS Teams without any additional authentication Login Prompt to the user to sign-in
-Thanks in Advance
Please read my blog post about how bot communications work to get an understanding of the request-response process. As it explains, although the response looks kind of "synchronous" from the bot, it's actually not and is sent via a reply to the Bot Framework services itself. In order to do this, your bot code (dotnet, node, whatever) actually needs TWO things - the app id AND the app password, in order to authenticate itself internally. Without these, no-one can run another bot on your behalf, even on that same id. Note that this is a 'regular' bot scenario, and does NOT require the user to actually Sign In to the bot in any way (that is only required if you want to, for example, access resources on the Graph on the user's behalf, like to fetch a file from SharePoint Online).
Separately, but perhaps related, if someone DID have your app id, they could possibly register an app that would result in more messages coming TO your bot (a kind of "DOS" attack, if you like), but that still wouldn't enable them to 'act as' your bot, as mentioned above. [Update: Note that your bot would still end up responding to these messages, as it wouldn't know it wasn't your own Teams app. I'd struggle to understand why someone might want to do that though. No one would be able to develop and host a bot that impersonated your bot, however - they would need (a) you app password and (b) to change the registered endpoint where you host your bot, in the Bot Framework].
So, albeit that the App Id alone is not enough, you should of course try to protect it (e.g. KayVault), and all the more so with the app password.
On a separate note, it is also possible to restrict your bot to only being used from a single (or restricted set of) tenants. Please see my answer at MS Teams app manifest file Tenant restriction.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 3 years ago.
Improve this question
My clients are receiving emails like this (I quote the text, but it is an html email):
From: Google Accounts
Date: [OMITTED]
Subject: Limiting access to data in your Google Account
To: <[OMITTED my client's email address]>
Hi,
Although you don’t need to do anything, we wanted to let you
know that the following apps may no longer be able to access
some data in your Google Account, including your Gmail content.
If these apps are unable to meet the deadline to comply with our
updated data policy requirements, they'll lose access to your
Account starting July 15th, 2019.
[OMITTED my company's name]
We are making this change as part of ongoing efforts to make
sure your data is protected and private.
You can always view, manage and remove apps you’ve given
access to your account by visiting your Google Account.
Thanks,
The Google Accounts team
I operate a webapp that uses the following gmail API methods:
gmail.users.getProfile
gmail.users.messages.send
gmail.users.threads.get
As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.
How can I determine the data policy I am violating? Why hasn't Google reached out to me about this?
Is this a convincing phishing scam? These emails are being sent to my clients, so I don't have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.
You are not violating any security policy. This is a standard mail that comes when ever a user connects their account to a new application containing high risk scopes (note as far as I know not all scopes will result in this mail but I haven't actually tested all scopes). This most often comes with the Gmail scopes in applications.
I would double check that your application has been verified it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third party applications and warned about what that could mean.
The following scope is one of the most critical as far as Google is concerned this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn't be surprised if all the Gmail scopes would result in that mail but I haven't tested it.
https://www.googleapis.com/auth/gmail.send
verification
This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.
You should apply for verification as soon as you can google may contact you and ask for a video of your application running.
Unverified apps
In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.
After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.
additional reading piecing together information available:
Elevating user trust in our API ecosystem while this page does mention "All fees are paid directly to the assessor and not to Google." it does not state an amount. Again i have never heard
of anyone having to pay for this. However I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
Additional Requirements for Specific API Scopes
Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Googles API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. they will after all be making money on the application.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I am trying to obtain API key for QPX express but I stuck because QPX is not available in Google API Library on my account (I also tried other account).
Googe API Library screenshot
When I try use the API key without enabling API I get as result:
QPX with API key screenshot
When I go to link from description I see:
QPX api problem screenshot
I followed this instructions - https://developers.google.com/qpx-express/v1/prereqs
Is there any other way to obtain this key?
I've been having the same problem and then came across this:
https://developers.google.com/qpx-express/faq#EndOfServiceFAQs
QPX Express is shutting down in April and "New users can no longer sign up for the QPX Express API service"
same for me. i am assuming maybe it's because i am still on the free trial account and that api is not visible until you actually pay monhtly (like aws)
have sent an email yesterday.. hope someone will come back
Alternatively, can anyone suggest any other APIs i can use? i tried skyscanner but it does not show Ryanayr flights...
kr
I'm using MS Bot Framework with Directline for webchat and our client has raised an issue about Data Protection i.e. the user is sending personal data via a Microsoft api.
I don't really know how to reply to this since (a) Pretty much every bot uses a cloud service if you want any sort of assistance and (b) I assume that Directline does nothing with the data and it is purely a conduit, but I don't know that for a fact.
Was going to post on bot builder github issues, but they say it's just for bugs and suggested that I come here. I am looking for some clarification (or a contact at MS) about the privacy and data protection of the conversations if you are using Microsoft's bot framework with any one of their connection services - particularly Directline.
Thanks,
Jarrod
Our official handling terms are listed under the Bot Framework Terms of Service and Privacy statement found on the Bot Framework portal. Are there specific questions your customer has?
-jim
I have been trying to publish my Skype bot to Microsoft Bot Directory, it has been almost two weeks and it is still in review.
My questions are:
Do they have a list of must haves for the bot so that they can only accept it if it fulfills these requirements? They didn't reject mine either but I will be prepared in advance in case they do.
If yes where can I find this info?
Has anyone here submitted their bot and how long did it take for them to be published?
Thank you
I submitted a few months ago and it is still not approved.
The bot directory is very selective and they won't approve you unless it's a full fledged mature application.
Plus, they also claim that their reviewing resources are very limited.
I'd say don't expect to get approved.
And no, they don't have any kind of requirements.
Here are a few items that might help with guidance:
MICROSOFT BOT FRAMEWORK– PREVIEW ONLINE SERVICES AGREEMENT
Bot review guidelines
Developer Code of Conduct for the Microsoft Bot Framework
It takes a few days (maybe a little longer) to get a response from a review. A couple items that caught me off guard were their logo requirements, which are very precise, and the welcome/help message needs to be complete. You also need to specify your Terms of Use and Privacy Policy well. Looking at these documents, there are probably several more items that are likely to trip-up submission.