Addressing Security & Compliance Concerns for Apps in Microsoft Teams
Articles,  Blog

Addressing Security & Compliance Concerns for Apps in Microsoft Teams


Welcome to another episode of Teams
Superheroes. I don’t think you need an introduction from me, but we are very
happy to have this man back. You mind giving the folks another intro? For
sure. I’m Trent Hazy, I’m a senior product manager on Teams platform ecosystem. So Trent and I are kind of partners in crime and we’ve been talking quite a bit
and we had him on as our first episode actually to talk about apps in Teams.
You and I were chatting though earlier this week and I said dude we’ve got to film
another video on this because you are addressing one of the most common
concerns and questions that we get from customers, particularly admins and
security departments, which is access that applications have in terms of data
and the security and compliance that they’re meeting. Is that fair? Hundred percent. It’s a big concern and it’s a valid one because when you add an application in Teams
there’s a developer behind that application and you’ve got to think
about what they have access to. So Trent, this is good context. If I’m a
developer I would imagine though if I’m building an application for Teams there
are guardrails, so to speak, in place that I have to adhere to by Microsoft policy.
Can you talk us through that a little bit? Hundred percent. So the way that the
Microsoft Team’s API, it’s a public API that allows developers to build on top
of Teams, the way that it’s structured is, there’s a couple of things we need to
outline here, first you have to define, as a developer, what permissions you want
from your users. So those permissions might be to read a message, or to write a
message, or to send a file, and you have to explicitly call out which permissions
you want from users. The second thing, you need to define is what type of scope you
want to be in, and what I mean by scope is does your app live in a chat? Or a
channel? Where do I actually interact with that app as a user? And so I’m
calling those out because if you have the permissions and the scope, suddenly I
know what I’m handing over as a user to a developer and let’s get a little
deeper into that in a few minutes. And this is great context. We know from our
interactions with a lot of customers that they’re commonly three questions
that we get very often and these are, you know, myths that we want to debunk so to speak and the first one is probably the one we get most often is that an
application in Teams there’s a concern that it has access to all of my
information. Can you talk us through what these apps actually have access to?
Yeah that’s a great question. So I think it’s a valid concern. You know I add a bot into a team and it’s valid to think that it might have
access to the entire history of conversations and maybe my chats, so to answer your question, Jace, when a bot or an app is added to a team, it
actually only has access to the messages in which it’s explicitly
mentioned. So if I add a bot in and I say, “Hey, @Contoso bot,” it’s only gonna see
that message where I invoke it. It’s not gonna see the history because it’s not
being called out in those interactions. So that’s one example of kind of the
permission that it’s given is only to read messages where it’s explicitly
mentioned. So maybe we actually unpack that one a little bit if you’re
comfortable with it? Okay so you and I are in a channel together in a
broader team, we invoke a bot by having a conversation and let’s say there’s 20
replies to that conversation. Regardless of what else has happened in the team,
the bot only gets access to that conversation and the 20 replies, nothing
else in that channel? Yeah and actually the bot would have to be mentioned in
each of the replies for it to read those as well. Oh wow, okay. Yeah so it’s in order for a bot to read a message it needs to be called by name. Now what about in a
chat? If I’m in a chat? Is it only the context in when it was invoked there as
well, or would that actually get history of the chat? That’s a good question because a lot of apps
actually have their own chat, so let’s take, trying to think of my favorite bot,
ADP is a cool bot. So I can actually ask it for my most recent pay stub and a few
other things. In that chat with the ADP bot, it can actually read everything
because it’s between me and the HR bot. If I were to have a chat between the two
of us and I added another bot in, that is a situation where again I would
have to explicitly mention it by name for it to read what we are typing. That’s great to know. So back to concerns. Concern number two that we hear it really often is that if
I add an application into Teams, it now has access to all of my personal info.
Yes. Valid concern and actually if you open the app store and you click on an
app, there’s a little pop-up that comes up. If you scroll down, it’ll actually
call out the permissions and data that it’s gonna get access to. In that it will
actually tell you whether it’s gonna grab your name and your email. So I can
show you that in a second, but that’s a really helpful tip to know whether
you’re actually giving the developer your name and your email. Beyond that, if
the app wanted your department, or your title, it would actually need to
configure that through Azure active directory and those are extra
permissions. You would know that you’d be giving those up. But at baseline, I
suggest you actually look at that pop up to see is your name and your email being
handed over to the developer. Now we also, I would imagine, put guidelines in place
for the developers though on how they can use that information. That’s correct.
Yeah if you were to feel like you were getting spammed by a developer, that’s a
violation of the terms of our app store and so we would actually take that
application down. So there you’re totally right, that’s not behavior that we would
accept. So let us know that’s happening. Okay so concern number three. We add an application into Teams and then we add a file to that application. Take Trello
for example, we use all the time. We have a Trello board, we have a new project
card, and we add a file to that card. Now does the developer have access to that
file? That’s a great question. This one’s pretty intricate actually, so
in order for an application to get access to a file, it has to be given this
permission called supports files. So the developer needs to define that when
they’re making the app. If they do that, you will know it, it’s in that same area
that I just mentioned, the list of permissions, but more importantly anytime you share a file with an application, there’s an extra little check point that
we say “Are you sure you want to grant access to this developer?” and
you confirm. So it’s actually really neat to see that we’re really
careful with your data. The files that you already have shared in OneDrive or
anywhere in Teams, no app can access those. It’s only when you explicitly
state that that app can access a single file that you share it with that
developer. Awesome, awesome. Okay so if I want to get more information about a
specific app and the permissions that that application has, if I’m watching
this, where do I go? There’s actually three places I want you
to look. So the first I mentioned and that’s to actually open the app store,
click on the app, and in that pop-up when you scroll down you’ll see the
permissions that that app is requesting from users. So that’s number one. The
second is, we actually have a security and compliance catalog for the
third-party apps in our store and we’ll share that link it’s actually an
incredible resource to see who the developer, is what data they’re
requesting, and their overall compliance standards. Correct me if I’m
wrong on that one, that actually came as a request from customers, exactly, and us
working with them to make sure that we were hitting the right boxes so to speak
that you can tick off right? Yeah and it builds great transparency and trust in
our ecosystem. And then the last is actually a really awesome document from
the architect of Team’s, Bill Bliss, who wrote up some of these guidelines that
explain essentially what these permissions actually are, what can you
grant to a bot, or a tab, or a message extension, and that really helps us
understand what these developers can gain access to. I mean I say selfishly, and
correct me if you feel differently, but that page sparked the conversation you
and I are having right now. If there’s anything you go check out of those three,
I’d go check out that page. It’s a great resource that’s very specific
about the capabilities and the guidelines that we put in place on those
applications. Hundred percent. Trent, always great having you man. Thanks so much for your time. Thank you very much for watching and feel free to leave some
comments if you have any questions

3 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *