Incoming Webhook security
So far, I've not found any information on the topic of incoming webhook and actionable messages security, specifically - I'd love to be able to have any authorization required to post to the incoming webhook or limit the possible Actionable Message url target to just my company domain. Right now, I am afraid that if the incoming webhook address leaks outside the company, someone will be able to send Actionable Message form, which will send sensitive info outside of my company.
Matthias Kirsch commented
Any News on this topic? Thx!
Hello ! When can we have information about amelioration on this feature ? We need to add this in our organization (20000 users) and it's blocked by security department because it opens a anonymous acces on our organization. We can't survey posts on webhook, we can't have audit log on this, and we can't restrict its use on some user account's.
It's unusable and it's frustrating for teams who needs this feature.
Please increase security on this component !
Pankaj Sharma commented
Hey - any information around this!
Do we know how to secure incoming webhooks on MS Teams yet? This really makes the webhook unusable if it not secure.
Bradley Stein commented
We also cannot find if there is ANY way to secure an incoming web-hook.
In theory, this means that the security hole here is somewhere between a nuclear bomb and a universe destroying black hole.
Can someone from MS chime in as to whether it is even possible to secure an incoming web-hook so that you can control who is allowed to call it.
When it will be addressed?