Veera-6768 asked RamaMohanaCharyAkavarapu-4424 edited

How is the bot service able to send messages to MS Teams users in a different organization/tenant without getting any permissions from their admin/users?

Hi,

I am building a bot service to send proactive messages only to Microsoft Teams users. I am following this (https://docs.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-quickstart?view=azure-bot-service-4.0) to send messages using the REST API.

I want to know a few things.
1. I couldn't understand how the bot is able to send messages to users in a different organization/tenant without their consent. Doesn't the bot need any permission from users/admins to send messages?
2. And I am able to send messages to users in different organizations/tenants with just one bot access token (until it expires). Doesn't it need different access tokens for users in different organizations/tenants?




Tags: office-teams-app-dev, azure-bot-service

@Veera-6768
As we are mainly responsible for general issues with Microsoft Teams, your question about development is not in our scope. I will remove the office-teams-windows-itpro tag. Thanks for your understanding.


@Veera-6768 With respect to this tutorial, I think the bot connector service is doing the heavy lifting, and you can check the following topic on authentication for more insight into how the bot is able to authenticate with OAuth under different Teams settings.

OAuth 2.0 uses the Azure Active Directory (Azure AD) v2 account login service to generate a secure token that a bot can use to send messages. This token is a service-to-service token; no user login is required.


@romungi-MSFT In this tutorial on the OAuth 2.0 client credentials flow, it says user login is not needed because the permissions are granted directly to the application (the bot service in this context) by the admin.

In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication.

Since the admin doesn't grant any permission to the bot service to send messages, and the bot service connects to the Bot Framework service to send messages, I am assuming the Bot Framework service doesn't need any permission (or has all the permissions by default) to send messages to users in different tenants. Please correct me if I am wrong.

@veera-6768 I think the AD tutorial details granting access by an admin to the app for an authentication scenario. In this case the bot connector service is used instead of actually authenticating users against AD. So, yes, with respect to the above question, the bot framework is handling it internally.
If you look at the process to set up authentication in a bot, the process is actually registering the AD identity provider with the bot, thereby granting the required access with consent.

1 Answer

RamaMohanaCharyAkavarapu-4424 answered, RamaMohanaCharyAkavarapu-4424 edited

Moving comments to answer section for better visibility.


I think the AD tutorial details granting access by an admin to the app for an authentication scenario. In this case the bot connector service is used instead of actually authenticating users against AD. So, yes, with respect to the above question, the bot framework is handling it internally.
If you look at the process to set up authentication in a bot, the process is actually registering the AD identity provider with the bot, thereby granting the required access with consent.

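The two steps the thread talks about, the service-to-service token request (client credentials against the botframework.com tenant, scope `https://api.botframework.com/.default`) and the proactive `POST .../v3/conversations/{conversationId}/activities` call, as an added example. This is not code from the original post or from Microsoft's quickstart; it uses only the standard library, and every app ID, secret, service URL, conversation ID and the sample token are placeholders constructed for illustration. The point it makes is the one the asker was circling: the token's audience is the connector service and its `appid`/`azp` claim is the bot's own app registration, so nothing in it names the recipient's tenant, which is why one token serves conversations in every tenant where the bot is installed.

```python
"""Proactive Teams message through the Bot Framework REST connector.

Added example (not the original post's code). Placeholders throughout.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
CONNECTOR_AUDIENCE = "https://api.botframework.com"


def build_token_request(app_id: str, app_secret: str) -> dict:
    """Form body for the client-credentials grant. No user and no target
    tenant appear here: the token is issued to the bot's app registration."""
    return {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": CONNECTOR_AUDIENCE + "/.default",
    }


def get_connector_token(app_id: str, app_secret: str) -> str:
    """Exchange the app credentials for a bearer token (network call)."""
    body = urllib.parse.urlencode(build_token_request(app_id, app_secret)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Use this only to
    inspect a token you already hold; never use it to trust an inbound token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_targets_connector(jwt: str, app_id: str) -> bool:
    """Sanity check on our own token: audience is the connector service and the
    app claim ('appid' in v1 tokens, 'azp' in v2 tokens) is our bot. Nothing in
    the token identifies the recipient's tenant."""
    claims = decode_claims(jwt)
    app_claim = claims.get("appid") or claims.get("azp")
    return claims.get("aud") == CONNECTOR_AUDIENCE and app_claim == app_id


def activities_url(service_url: str, conversation_id: str) -> str:
    """serviceUrl and conversation id must come from an activity the bot
    previously received in that conversation (Teams hands them to the bot on
    install or first message); never hard-code or guess them."""
    return f"{service_url.rstrip('/')}/v3/conversations/{conversation_id}/activities"


def build_message_activity(text: str, bot_id: str, bot_name: str) -> dict:
    """Minimal message activity. bot_id is the id Teams assigned the bot in
    the earlier activity (recipient.id, '28:<app id>' form), assumed here."""
    return {"type": "message", "text": text, "from": {"id": bot_id, "name": bot_name}}


def send_proactive_message(token: str, service_url: str, conversation_id: str,
                           activity: dict) -> dict:
    """POST the activity to the connector (network call). Returns the
    connector's ResourceResponse, e.g. {"id": "<activity id>"}."""
    req = urllib.request.Request(
        activities_url(service_url, conversation_id),
        data=json.dumps(activity).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _make_unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED token for the offline demo only (alg 'none')."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Placeholder identity and a constructed token shaped like a connector token.
SAMPLE_APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_TOKEN = _make_unsigned_jwt({"aud": CONNECTOR_AUDIENCE, "appid": SAMPLE_APP_ID,
                                   "exp": 1700000000})

if __name__ == "__main__":
    # Offline part: the token names the connector and our app, not a tenant.
    print(decode_claims(SAMPLE_TOKEN))
    print(token_targets_connector(SAMPLE_TOKEN, SAMPLE_APP_ID))
    # Online part (uncomment with real values):
    # tok = get_connector_token("<app id>", "<app secret>")
    # print(send_proactive_message(tok, "<serviceUrl from received activity>",
    #       "<conversation id>", build_message_activity("hello", "28:<app id>", "bot")))
```

The bot can only reach conversations whose `serviceUrl` and conversation id it already holds, and it gets those from Teams after a tenant admin or user installs the app; that installation is the consent step, not a per-tenant token. Treat `decode_claims` as a debugging aid: validating tokens the bot receives from the connector requires signature verification against the Bot Framework OpenID metadata, which this example does not do.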