Teams Apps/Plugins Governance and Activity Tracking (Not Usage, What if App is Malicious?)

BaikalCoder 20 Reputation points
2023-02-10T23:36:57.19+00:00

Hello,

I have a question about Teams Apps/Plugins Governance and Tracking.

I am aware that a Teams App/Plugin can be granted permissions from a user (delegated) or set directly by an Admin. I see that when you add a Teams App/Plugin, it shows you which permissions it will have.

My question is:

Let's say I add a Teams App/Plugin that has permissions to read all mailboxes and SharePoint/OneDrive sites in the tenant and I have granted permissions to the app via admin consent, and the user in question is a user with admin privileges (hypothetically speaking). So now the app can technically access any mailbox and all of the files in the tenant.

How can I be sure the app is not exfiltrating data in the background? Is this only guaranteed by Microsoft's code review before the App/Plugin is accepted into a store?

I found some Graph API related entries in Azure AD Sign-in Logs and Audit logs. However I am having difficulty finding anything related to data movement etc.

In my Defender for Cloud Apps - App Governance App, I am able to see OAUTH apps and the data passthrough etc. Is there anything like that available for Teams?

Thank you and please correct me if any of my assumptions above are wrong.

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
10,088 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,005 questions
OneDrive
OneDrive
A Microsoft file hosting and synchronization service.
1,110 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,685 questions
Accepted answer
  1. SokiGuo-MSFT 27,731 Reputation points Microsoft Vendor
    2023-02-13T06:28:58.7966667+00:00

    Hi @BaikalCoder

    Microsoft Teams tag is mainly focused on the general issue of Microsoft Teams application troubleshooting. According to your description, your question is about custom apps, and the following suggestions are for reference only.

    As far as I know, all apps in Teams store pass a mandatory app validation to comply with the app quality and security standards of the Teams apps store. In addition, Microsoft strongly encourages app developers to participate in an optional app compliance program that indicates enhanced compliance, security, and privacy controls. For more information, see Teams app validation guidelines.

    For more details, you could refer to: https://video2.skills-academy.com/en-us/microsoftteams/upload-custom-apps.

    Thanks for your understanding and patience!

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.