Authentication & Security

Overview

Image 1: App authentication overview

 

Required permissions

In order to work correctly the app will request the following permissions:

Permission

Type

Description

Admin consent required

Remarks

Microsoft Graph

 

  • User.Read

Delegated

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

No

 

  • User.ReadBasic.All

Delegated

Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.

No

 

  • Channel.ReadBasic.All

Delegated

Read channel names and channel descriptions, on behalf of the signed-in user.

No

 

  • ChannelMessage.Read.All

Application

Allows the app to read all channel messages in Microsoft Teams, without a signed-in user.

Yes

Getting links out of channel messages is currently not possible in a performant way using delegated permissions. After adding the app to a channel a process will preanalyse messages for links and store the following data if a link was found:

  • TenantId

  • GroupId

  • ChannelId

  • MessageId

  • ReplyToMessageId

  • AuthorId

  • LastModifiedDateTime

  • CreationDateTime

  • Url (of the link)

Important note: we will not store any message content directly

Please also have a look at the official permission reference from Microsoft to get detailed information about the permission handling.

When you use the app for the first time or the required permissions of the app have changed a dialog will be shown where you can see all permissions that the app requires to work.

You have to grant these permissions in order to get the app working

You are able to remove these permissions at any time!

Image 2: App consent dialog

 

Because of the scopes mentioned above the app requires an administrator to consent for the whole organization.

Individual users don't have to grant the permissions on their own.

If you want to remove the app permissions for your organization you can follow these steps:

  1. Navigate to https://portal.azure.com using a browser of your choice

  2. Open your Azure Active Directory

  3. Navigate to Enterprise applications

  4. Search for Link Spotter and open the app

  5. In the app configuration navigate to “Manage → Properties“

  6. Press the “Delete“ button in the app action menu and approve if necessary

The full guide can be found on the official documentation from Microsoft: Delete an application from your Azure Active Directory (Azure AD) tenant

Application Data

We store the following data if a link was found

  • TenantId

  • GroupId

  • ChannelId

  • MessageId

  • ReplyToMessageId

  • AuthorId

  • LastModifiedDateTime

  • CreationDateTime

  • Url (of the link)

Important note: We do not store any message content, we are just extracting all links from a message.

We store additional the following data for the channel tab (internal values ​​for the app)

  • LastSyncedDateTime

  • Active

  • SyncState

We store additional the following data for the Microsoft Graph subscription process (internal values ​​for the app)

  • SubscriptionId

  • ClientState

  • ExpiryDate

Important note: If the app consent is removed, all of the above data will be completely removed from the database after one hour.