
Teams Channel Embed URL Security Issue

Open SharmaHarsh7 opened this issue 3 years ago • 1 comments

Hi Team,

I am working on a Virtual Agent project using Azure Bot and Bot Composer.

The key requirement is that only a few user/user groups in the organization should have access to the chatbot and any unauthorized user should not be able to access the chatbot.

While enabling the bot on the MS Teams channel, I came across a security issue: even the users who are not part of the whitelisted user groups can access the chatbot by using the Teams Channel Embed URL.

Also, the bigger concern is that the users of another organization can access the bot by using that URL.

Is there any way to prevent the bot access from unauthorized users?

SharmaHarsh7, Aug 03 '22 13:08

Hi @SharmaHarsh7

When you say virtual agent, is that just a descriptor of the end solution? Or are you referring to the legacy Virtual Assistant solution or a Power Virtual Agent integration?

> The key requirement is that only a few user/user groups in the organization should have access to the chatbot and any unauthorized user should not be able to access the chatbot.

> users who are not part of the whitelisted user groups

Is this a software implemented whitelist? If so, how are you doing that? Or are you saying this is something that you need to (how to) implement?

dmvtech, Aug 04 '22 23:08

Closing due to lack of response.

dmvtech, Aug 15 '22 16:08