How the bot service is able to send messages to different organization/tenant MS Teams users without getting any permissions from their admin/users??

Question

How the bot service is able to send messages to different organization/tenant MS Teams users without getting any permissions from their admin/users??

Veera 6

Hii,

I am building a bot service to send proactive messages to only Microsoft Teams users. I am following this (https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-quickstart?view=azure-bot-service-4.0) to send messages using REST API.

I want to know few things.

I couldn't understand how the bot is able to send messages to different organization/tenant users without their consent. Doesn't the bot need any permission from users/admins to send messages?
And I am able to send messages to different organization/tenant users with just one bot access token (till it expires). Doesn't need different access tokens for different organization/tenant users??

Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-03-25T08:41:07.867+00:00

@Veera
As we are mainly responsible for general issue of Microsoft Teams, your question related to development is not in our scope. I will remove office-teams-windows-itpro tag. Thanks for your understanding.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2021-03-25T12:41:42.517+00:00

@Veera With respect to this tutorial I think the bot connector service is doing the heavy lifting and you can check the following topic on authentication to give more insights on how the bot is able to authenticate with OAuth with different teams settings.

OAuth 2.0 uses the Azure Active Directory (Azure AD) v2 account login service to generate a secure token that a bot can use to send messages. This token is a service-to-service token; no user login is required.
Veera 6 Reputation points

2021-03-25T16:17:06.747+00:00

@romungi-MSFT In this tutorial OAuth 2.0 client credentials flow, it says user login is not needed because the permissions are granted directly to the application (bot service in this context) itself by the admin.

In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication.

Since admin doesn't grant any permission to bot service to send messages and bot service connects to bot framework service to send messages, I am assuming bot framework service don't need any permission (or) has all the permissions by default to send messages to different tenant users. Please correct me, if I am wrong.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2021-03-26T07:18:43.283+00:00

@Veera I think the AD tutorial details granting access by admin to the app for authentication scenario. In this case the bot connector service is used instead of actually authenticating users against an AD. So, Yes with respect to above question the bot framework is handling it internally.
If you look at the process to setup authentication in a bot the process is actually registering the AD identity provider with the bot there by granting required access with consent.

1 answer

Your answer

Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-03-25T08:41:07.867+00:00

@Veera
As we are mainly responsible for general issue of Microsoft Teams, your question related to development is not in our scope. I will remove office-teams-windows-itpro tag. Thanks for your understanding.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2021-03-25T12:41:42.517+00:00

@Veera With respect to this tutorial I think the bot connector service is doing the heavy lifting and you can check the following topic on authentication to give more insights on how the bot is able to authenticate with OAuth with different teams settings.

OAuth 2.0 uses the Azure Active Directory (Azure AD) v2 account login service to generate a secure token that a bot can use to send messages. This token is a service-to-service token; no user login is required.
Veera 6 Reputation points

2021-03-25T16:17:06.747+00:00

@romungi-MSFT In this tutorial OAuth 2.0 client credentials flow, it says user login is not needed because the permissions are granted directly to the application (bot service in this context) itself by the admin.

In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication.

Since admin doesn't grant any permission to bot service to send messages and bot service connects to bot framework service to send messages, I am assuming bot framework service don't need any permission (or) has all the permissions by default to send messages to different tenant users. Please correct me, if I am wrong.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2021-03-26T07:18:43.283+00:00

@Veera I think the AD tutorial details granting access by admin to the app for authentication scenario. In this case the bot connector service is used instead of actually authenticating users against an AD. So, Yes with respect to above question the bot framework is handling it internally.
If you look at the process to setup authentication in a bot the process is actually registering the AD identity provider with the bot there by granting required access with consent.

Answer 1

Moving comments to answer section for better visibility.

I think the AD tutorial details granting access by admin to the app for authentication scenario. In this case the bot connector service is used instead of actually authenticating users against an AD. So, Yes with respect to above question the bot framework is handling it internally.
If you look at the process to setup authentication in a bot the process is actually registering the AD identity provider with the bot there by granting required access with consent.

Share via

How the bot service is able to send messages to different organization/tenant MS Teams users without getting any permissions from their admin/users??

1 answer

Your answer