How are the Teams connectors are transitioning to a new URL to enhance security ??

[jat27516fi]

More details would be appreciated as the lack of security for Teams Incoming WebHooks as noted by many customers including my company prevents us from utilizing them while 3rd party app vendors for Teams sometimes require them. So we can't use their apps or have to request a design change from the app vendor or contemplate moving to the Azure Logic App workaround for Teams Incoming WebHooks to get the necessary safeguards (https://www.linkedin.com/pulse/bring-microsoft-teams-incoming-webhook-security-next-level-kinzelin) .

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: f5eb6a35-32fa-6703-8ed2-0855e602b7d5
• Version Independent ID: 7890ca09-d505-35a9-071a-8662a4b19275
• Content: Manage Microsoft 365 and custom connectors - Microsoft Teams
• Content Source: Teams/Office-365-custom-connectors.md
• Service: msteams
• GitHub Login: @guptaashish
• Microsoft Alias: guptaashish

[dariomws]

Hi @jat27516fi, thank you for your feedback.

New features were added to Teams Incoming WebHooks since the article you shared.

The new design includes tenant-specific domain for webhook so that tenant can inspect SNI (Server Name Indication) during TLS negotiation to prevent connection to other tenant’s webhook within their own perimeter.

The endpoint is updated to - https://[tenant_name].webhook.office.com/webhook/[external_object_id]@[tenant_id]/[connector_type]/[instance_id]/[owner_object_id]

Webhook service validates [tenant_name] and [tenant_id] are pointing to the same tenant.

Please refer to below on searching audit logs, and is available for Connectors/Incoming Webhooks as well. Audit log search - Security & Compliance (office.com) Search the audit log for events in Microsoft Teams - Microsoft Teams | Microsoft Docs