Hi Vaibhav Kinger,
- Security vulnerabilities: there are no security risks with the current approach. All the IDs are publicly available to 3p developers, and they are all EUPI, so developers can't get user information from them directly (no privacy concerns as well). On Teams/IC3 services, we do perform ACL checks, tenant setting/policy and user identity validation, so any unauthorized access will be blocked.
- Regarding the global route alias "teams", it won't impact latency because, due to the EUDB and other compliance requirements, the SMBA service will process the bot request in the user/tenant region. Due to this requirement, an internal region lookup is always needed. So, it doesn't matter which alias is passed by the bot (a regional alias like amer, apac, in, etc. or the global one, teams).
- The global routing alias provides extensive support for the proactive message scenario, in a case where the bot wants to send a message to a user without a previously received message, so it cached the callback URL.
Thanks,
Prasad Das