0
votes

I am creating bots through Azure Portal Bot Service registration. Concerning the Teams channel of an Azure Bot Service, I want to know whether it is possible to restrict access by IP address to the channel of a bot service through a setting in the Azure Portal.

I have read about Conditional Access Location Policies; however, this seems to apply at the scope of Azure Active Directory, and I am not sure where that plays a role in the scope of a bot service. If Conditional Access Location Policies are relevant to my issue, further information on how they work in relation to bot services would be appreciated.

Edit:

I included the helpful image from this article: https://hilton.giesenow.com/how-bot-calls-actually-work

For a bot which can be either public or private, I want to apply some form of restriction or authentication at step #2 of the image, i.e. from Microsoft Bot Framework Services on the Azure Portal.


1
There is no such setting for bots. Generally, IP restrictions are an outdated way of implementing security, especially wrt SaaS services such as Teams. Could you elaborate on what you are trying to accomplish, rather than just allowing IP addresses/ranges? - Jos Verlinde
@JosVerlinde I included an edit for further explanation. If a user were to send a message to the bot within Microsoft Teams, I want to know if it is possible to apply a restriction or authentication to a request before it is forwarded (i.e. send or don't send) to the bot service's messaging endpoint by Microsoft Bot Framework Services. - Boyd Ching
@BoydChing - if you are looking to add a restriction based on tenant, then please take a look at the "How do I restrict the use of my bot to users belonging to my tenant only?" doc. - Wajeed-MSFT

1 Answer

2
votes

All (running) bots are publicly accessible.

  • You cannot prevent Teams from sending you messages from any tenant,
  • nor can you prevent someone from installing your bot if they have your app manifest,
  • and you can even @mention a bot without installing it.

So you, as the developer, must prevent your bot from processing the undesired messages.

You have two different options for restricting incoming messages that your bot processes.

  1. If you are dealing with secure data, it is definitely recommended to use OAuth to authenticate the users.

  2. Using middleware to filter (to allow only your subscribed customers) is another good option. For example, in the case of the Teams channel, add the TeamsTenantFilteringMiddleware class to your bot and wire it up in your startup method.
    See these examples:

So for tenant filtering that would look something like:

            // Inside the middleware's OnTurnAsync: Teams puts the caller's tenant in channelData.tenant.id
            string tenantId = turnContext.Activity.GetChannelData<TeamsChannelData>()?.Tenant?.Id;
            if (!this.tenantMap.Contains(tenantId))
            {
                throw new UnauthorizedAccessException("Tenant Id '" + tenantId + "' is not allowed access.");
            }
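
A complete version of the tenant-filtering middleware described in option 2 above, plus the adapter wiring, as an added example that is not the answerer's code or the Bot Framework sample's own code. It assumes Bot Framework SDK v4 for .NET (Microsoft.Bot.Builder, Microsoft.Bot.Schema, Microsoft.Bot.Connector) and an ASP.NET Core adapter class; the class name AdapterWithErrorHandler and the placeholder tenant GUID are illustrative assumptions. Unlike the snippet above, it short-circuits the pipeline instead of throwing, so a message from an unknown tenant is silently dropped and never reaches the bot's turn handlers:

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Bot.Connector;
using Microsoft.Bot.Schema;
using Microsoft.Bot.Schema.Teams;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Middleware that lets only activities from allow-listed Teams tenants reach the bot.
// Because every Teams activity (including an @mention of an uninstalled bot) still
// passes through the adapter, this is where the tenant check has to live.
public class TeamsTenantFilteringMiddleware : IMiddleware
{
    private readonly HashSet<string> allowedTenants;

    public TeamsTenantFilteringMiddleware(IEnumerable<string> allowedTenantIds)
    {
        this.allowedTenants = new HashSet<string>(allowedTenantIds, StringComparer.OrdinalIgnoreCase);
    }

    public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken = default)
    {
        Activity activity = turnContext.Activity;

        // Only the Teams channel carries tenant information; other channels pass through unchanged.
        if (string.Equals(activity.ChannelId, Channels.Msteams, StringComparison.OrdinalIgnoreCase))
        {
            // Teams sends the tenant in channelData.tenant.id; conversation.tenantId is used as a fallback.
            string tenantId = activity.GetChannelData<TeamsChannelData>()?.Tenant?.Id
                              ?? activity.Conversation?.TenantId;

            // Fail closed: a missing tenant id is treated the same as an unknown one.
            if (string.IsNullOrEmpty(tenantId) || !this.allowedTenants.Contains(tenantId))
            {
                // Not calling next() ends the turn here; the bot's OnTurnAsync never runs.
                return;
            }
        }

        await next(cancellationToken).ConfigureAwait(false);
    }
}

// Adapter registered in Startup.ConfigureServices (services.AddSingleton<IBotFrameworkHttpAdapter, AdapterWithErrorHandler>()).
// The middleware is attached with Use(), so it runs for every inbound activity before the bot sees it.
public class AdapterWithErrorHandler : BotFrameworkHttpAdapter
{
    public AdapterWithErrorHandler(IConfiguration configuration, ILogger<BotFrameworkHttpAdapter> logger)
        : base(configuration, logger)
    {
        // Placeholder tenant id (assumption); in a real deployment read the allow-list from configuration.
        Use(new TeamsTenantFilteringMiddleware(new[] { "00000000-0000-0000-0000-000000000000" }));
    }
}
```

Note that this filters on the tenant id the Bot Framework connector delivers after it has already authenticated the request to your messaging endpoint; it does not stop traffic from reaching the endpoint (that is the point the answer makes), it only stops the bot from acting on it. Whether to drop silently, as here, or throw as in the snippet above is a logging choice: throwing surfaces the rejection to the adapter's error handler, returning early does not.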