Reduce some of the permissions that the new 3rd party Bots have
I'm looking at the new integration with 3rd party Bots. At the moment I am not adding any bots because of the permissions they require.
This bot has the following permissions:
Receive messages and data that I provide to it.
Send me messages and notifications.
Receive messages and data that team members provide to it in a channel.
Send messages and notifications in a channel.
Access my profile information such as my name, email address, company name, and preferred language.
Access this team's information such as team name, channel list and roster (including team member's names and email addresses) - and use this to contact them.
In particular is the last one where they require acces to the team's information and channels list.
This means we need to be really careful when adding information and channel names to make sure it doesn't have any sensitive information. Or we need to create a new Team with nothing interesting in it and then add a bot. Or just use it in private chats.
Seriously. There's one called secretarybot that's supposed to help schedule meetings... why would it possibly need access to my entire SP site collection? Microsoft needs to limit this based on bot/app functionality, not leave it up to the developer.