Hi all,

We want to be able to post messages to our Microsoft Teams channels from within our BPMs and when setting up the Microsoft Key in the Keysafe, we are running into a 'security issue'.  

The first part of creating the key goes swimmingly, the issue comes when then clicking on the 'Connect' button.  

It correctly pops up the Microsoft window prompting for a user to login with.  The issue is with the fact that the account that needs to login, needs 'Microsoft Admin level permissions' in order to proceed so that we can review the option we are authorising the Hornbill App to be allowed to perform.  

We do not feel like we should (nor do we want to) configure the Service Account (using a 'Service Account' as this is better for security) with Microsoft 'Admin' level permissions just to be able to post to a Teams channel.

What permissions does the 'Service Account' need to allow this functionality to work, but still following the least privilege security principle?  I don't know if this is one for you to answer @Steve G?  At Insights19 you seemed to be the man that I'm sure would know the answers when it came to questions on integrations.

Cheers

Steve.


@Steven Cotterell

I am a bit lost as to where the "Service Account" comes into it? I am pretty sure the Teams post API will not require admin, it might just be you are required to have an account that has the authority to let you authorise the Hornbill app to be able to use the API for teams, I do not think Hornbill will be getting admin rights. 

Gerry

14 hours ago, Gerry said:

I am a bit lost as to where the "Service Account" comes into it?

Hi @Gerry, for situations where two systems need to talk to each other we don't use accounts that actually belong to people, we would create a 'Service Account' for this purpose.

14 hours ago, Gerry said:

I am pretty sure the Teams post API will not require admin, it might just be you are required to have an account that has the authority to let you authorise the Hornbill app to be able to use the API for teams, I do not think Hornbill will be getting admin rights.

We understand this part, just need to know what rights to provision the 'Service Account' with so that when we login to it in the Pop-Up window it has the correct rights to authorise the Hornbill app.  Could someone share this with us please?

Cheers, Steve.


@Steven Cotterell

To be honest I am not sure we would even know that. To the best of my knowledge, the authentication scheme we are using is OAuth2, so the rights that the service account needs would be something I expect should be in the Teams documentation.  Teams is not something we use so I am honestly not sure we would even know ourselves without looking it up.  Our integration engineer that built the integration might know but he is on leave now until next week; hopefully, if he knows, he will be able to let you know.

Gerry

  • Thanks 1

1 hour ago, Gerry said:

To be honest I am not sure we would even know that. To the best of my knowledge, the authentication scheme we are using is OAuth2, so the rights that the service account needs would be something I expect should be in the Teams documentation.  Teams is not something we use so I am honestly not sure we would even know ourselves without looking it up.  Our integration engineer that built the integration might know but he is on leave now until next week; hopefully, if he knows, he will be able to let you know.

Thanks @Gerry, I will talk to our guys here and see if we can get the answers.

Thanks for jumping on this - much appreciated.

Steve.


@Steven Cotterell

I am quite intrigued by this actually!
EDITED: You used a BPM to post a comment on a Microsoft Teams channel, right? If so, what does your typical BPM look like? I may know how to fix this with the Teams side of it.


Hey @Aaron Summers,

Yes, we want one of our BPMs to post to a 'Microsoft Teams' channel at various stages of the BPM.  It would post to the Channel :- 

  • when a CHG Request is 'Approved and ready to be implemented'
  • when a CHG Request has been started
  • when a CHG Request has completed

, and I'm comfortable building the BPM to do this, just having 'an issue' getting the KeySafe entry generated...

Any help you can offer would be appreciated.

Cheers, Steve.


Thanks for the response,

Can you clarify where the error pops up? Is it through the BPM or the Hornbill App on the phone, as I am not sure if it is what I think with KeySafe (application on mobile) or web?

Are you using any 3rd party application like Microsoft Flow for this BPM?

Thanks,
Aaron :ph34r:

15 hours ago, Aaron Summers said:

Can you clarify where the error pops up? Is it through the BPM or the Hornbill App on the phone, as I am not sure if it is what I think with KeySafe (application on mobile) or web?

Hi @Aaron Summers,

We're not getting any error as such.  It's more about understanding what permissions we need to set up the 'Service Account' with in Azure so that when the pop-up window opens and we use the 'Service Account' credentials to log in, it meets the criteria needed for the authorisation.

15 hours ago, Aaron Summers said:

Are you using any 3rd party application like Microsoft Flow for this BPM?

No, at the moment, all we want to do is what I put in the earlier post to you, i.e. 

16 hours ago, Steven Cotterell said:

Yes, we want one of our BPMs to post to a 'Microsoft Teams' channel at various stages of the BPM.  It would post to the Channel :- 

  • when a CHG Request is 'Approved and ready to be implemented'
  • when a CHG Request has been started
  • when a CHG Request has completed

This is so we can keep our organisation aware of the progress of CHGs.

Thanks, Steve.


@Steven Cotterell

Following the investigation as we have similar method because we have 1 admin account for admin center in Office 365 but rest of us have admin account to access other things.

I tried it yesterday and it works for me but will have a go today with admin account through office 365.


Yes, given the instructions on the WIKI, any account with Microsoft Admin level permissions would work fine, but that massively weakens security.  We want to set-up a specific account that can be just used for Hornbill (at the moment to post to a Team Channel) but adhering to a 'least privilege security principle'.

We are going to try some stuff today hopefully and will report back.

Thanks, Steve.


Yeah that is what we are looking at, will confirm here soon.

  • Like 1


Hi @Steven Cotterell,

This is more of a Microsoft Graph restriction than Hornbill I'm afraid. The Graph API that posts a message to a Teams channel needs the Group.ReadWrite.All permission (an odd permission, granted, but this is Microsoft...), and this specific permission requires admin consent during the login/OAuth process. See the Microsoft permissions documentation for more information: https://docs.microsoft.com/en-gb/graph/permissions-reference

Now, the Graph API we're using to post to a channel (https://docs.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-beta&tabs=cs) is still in beta, and subject to change, so I wouldn't be surprised if the required permissions become more relevant (and hopefully no longer require admin consent) when Microsoft promotes this to production. If/when that happens, I'll create a Teams-specific keysafe key type with permissions locked-down to just those required to perform the Teams actions. Will bookmark this post and let you know when that gets done :) 

Cheers,

Steve

  • Thanks 2
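
An added example (not part of the thread and not Hornbill's code): one way to audit what the consent described above actually granted, by checking a Microsoft Graph oauth2PermissionGrants listing for the integration's delegated scopes. The JSON is constructed sample data with placeholder IDs, and the expected-scope policy is an assumption; only Group.ReadWrite.All and its admin-consent requirement come from the post.

```python
import json

# Constructed sample in the shape of a Graph oauth2PermissionGrants listing.
# All IDs are placeholders, not real tenant values.
SAMPLE = json.loads("""
{"value": [
 {"id": "grant-1", "clientId": "hornbill-sp-placeholder",
  "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph-sp-placeholder",
  "scope": " Group.ReadWrite.All offline_access"},
 {"id": "grant-2", "clientId": "hornbill-sp-placeholder",
  "consentType": "Principal", "principalId": "svc-account-placeholder",
  "resourceId": "graph-sp-placeholder",
  "scope": "User.Read Mail.Send"},
 {"id": "grant-3", "clientId": "other-app-placeholder",
  "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph-sp-placeholder", "scope": "User.Read"}
]}
""")

# Assumed policy: the scopes this integration is expected to hold.
EXPECTED_SCOPES = {"Group.ReadWrite.All", "offline_access"}
# Per the thread, this scope requires admin consent.
ADMIN_CONSENT_SCOPES = {"Group.ReadWrite.All"}


def audit_grants(listing, client_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by client_id."""
    findings = []
    for grant in listing.get("value", []):
        if grant.get("clientId") != client_id:
            continue
        # scope is a space-separated string and may carry stray whitespace
        scopes = set((grant.get("scope") or "").split())
        findings.append({
            "id": grant.get("id"),
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "principal": grant.get("principalId"),
            "admin_consent_scopes": sorted(scopes & ADMIN_CONSENT_SCOPES),
            "unexpected_scopes": sorted(scopes - expected),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, "hornbill-sp-placeholder"):
        print(finding)
```

A grant with `tenant_wide` set applies to every user in the tenant, so any entry that is tenant-wide or lists unexpected scopes is the one to review against the least-privilege goal discussed in this thread.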


@Steve G

Many thanks for your response to this. I was actually asking one of my colleagues to investigate whether we could create an admin account with the least permissions, applying only to the action of posting into a Teams channel. Would this be necessary if you create a new specific keysafe with permissions locked-down?

He said it can be done from our end to manage this but I just wonder whether it is worth going through the process?

Thanks,
Aaron :ph34r:


Hi @Aaron Summers,

It's difficult to say until we see what their API and permissions look like when they move out of beta to be honest, it's probably worth waiting until that happens to be fair. 

Cheers,

Steve


@Steve G

No problem, and I am inclined to agree with you, so I will wait for the next update :)

Aaron :ph34r:

  • Like 1

