I am trying to use Teams outgoing webhook to interact with my web service which requires AAD authentication. In such a case, I am not able to figure out a way to implement the AAD authentication for outgoing webhooks. Does this mean outgoing webhooks cannot be used with AAD authentication?
Copying for better visibility.
Hi Derek, outgoing webhooks currently support only an HMAC token to validate incoming requests. For AAD authentication, you have to build a bot.
I have a Microsoft teams bot and I am looking for the best way for me to authenticate incoming requests since I just have an exposed endpoint. Would it be possible to make the incoming requests from Teams to my bot, have custom headers with custom authentication?
You would need to implement user authentication into your bot to control access to those commands and resources which require access to a specific user's data. Here is the documentation on user auth in bot builder to get you started.
I'm implementing a microsoft teams incoming webhook and I got worried about some bad guy getting the webhook link and sending spams, getting messages from the team and so on. So I'd like to know how secure this feature is? Is there anything that I can do to improve the webhook security?
You can bring Microsoft Teams Incoming Webhook security to the next level using Azure Logic Apps:
It provides the following security levels:
Better control over who can create and use a webhook:
You can rely on Azure RBAC built-in roles for Azure Logic App to define your access policy. The configuration of the webhook is done in Azure, and no configuration information is available from Microsoft Teams.
More options to authenticate the event emitter: There are different ways to authenticate an emitter, and Azure Logic App provides a wide range of options to do that. These methods come in addition to the SAS signature or can replace it.
To name the most requested ones in the context of incoming webhooks, we have:
Source IP whitelisting
Basic authentication / HTTP header access keys
Azure AD OAuth 2.0 token
Protect users from the content published into Teams:
With Azure Logic App, you will capture all requests to the webhook because you have control over the endpoint (versus incoming webhooks hosted and exposed via the O365 platform). When the workflow is triggered, you can add action steps to your workflow to:
Validate the schema of the payload (in case inappropriate JSON content is pushed)
Log this request into an external system, e.g. you can push this payload or log this event into Azure Monitor and process the content in Azure Sentinel using Logic App built-in connectors.
Map / aggregate / curate / enrich / ... the incoming content and format the message to be pushed into Teams using Adaptive Cards.
Reference doc: https://www.linkedin.com/pulse/bring-microsoft-teams-incoming-webhook-security-next-level-kinzelin/?msclkid=58f6ddafd0eb11eca9ccc0356553ed5c
Does the messaging endpoint of bot need to be anonymous?
Any help is greatly appreciated.
If you are using the Bot Framework v4 SDK, then when you register a bot in the Azure portal, for example via the Bot Channels Registration, this authentication is performed automatically. So you don't need to explicitly write any code. If you want to restrict the use of the bot to users belonging to your tenant, you can add authentication to the bot using OAuth. Please go through this documentation for reference.
My understanding is that requests to your /api/messages endpoint include a JWT bearer token issued by the bot framework. The SDK will check this for you.
This appears to be the code where it performs the validation:
https://github.com/microsoft/botbuilder-js/blob/fc5dcc535855cf453b0ebf373121277d824ff840/libraries/botbuilder/src/botFrameworkAdapter.ts#L1180
If you're implementing without the SDK, then you will need to do the JWT verification.
I'm working on an email trigger component where I have been able to successfully use client_credentials flow with Microsoft graph API.
However I want to be able to use spring email and bring in benefits it provides over a rest api call to the Microsoft graph API, things like using thymeleaf email templates for decorating the emails.
I tried doing that by first getting the token from Microsoft Graph and using it as the password for the JavaMailSender instance, with the host set to smtp.office365.com, but it didn't work. I followed this link for that experiment: JavaMail connecting to Office 365 XOAUTH2 for IMAP Authentication fails
Is there an easy way to do this? I want to basically get the best of both worlds, spring email and Microsoft graph API
I am struggling to get my teams bot to work with my azure app service with Authentication enabled.
Here is my setup:
I have a teams bot that reacts to some events in the team. I also have an azure web app that has an endpoint /api/messages that listens to bot messages. There is an Azure Bot Channels Registration that wires those two together.
It all works fine until I enable EasyAuth in my web app to authenticate with Azure AD (I need this because there are other endpoints in this web app that need to be secured). With authentication in web app enabled, bot messages do not reach the web app, and I cannot find any errors in logs either.
I tried to add different OAuth Connection Settings in my Bot Channels Registration, and also Allowed Token Audiences in auth settings in web app, but I haven't found a setup that works yet.
Could someone please tell me how this should be configured? Thank you in advance.
Please refer to the Azure App Service Authentication / Authorization (Easy Auth) guidance: https://github.com/cgillum/easyauth
The admin API setting: https://github.com/cgillum/easyauth/wiki
Advanced Application Settings: https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings
If you need more details, I would highly suggest you go through the official document: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization