IP address restriction to Teams channel of Azure Bot Service
I am creating bots through Azure Portal Bot Service registration. Concerning Teams channel of an Azure Bot Service, I want to know is it possible to restrict access by IP address to the channel of a bot service through a setting on Azure Portal?
I have read about Conditional Access Location Policies, however this seems applied to the scope of Azure Active Directory and I am not sure where that plays a role in the scope of a bot service. If Conditional Access Location Policies are relevant to my issue, further information on how it works in relation to bot services would be appreciated.
Edit:
I included the helpful image from this article. https://hilton.giesenow.com/how-bot-calls-actually-work
For a bot which can be either public or private, I want to apply some form of restriction or authentication at step #2 of the image i.e. from Microsoft Bot Framework Services on Azure Portal.
All (running) bots are public accessible.
- You cannot prevent Teams from sending you messages from any tenant,
- nor you can prevent someone from installing your bot if they have your app manifest.
- you can even @ mention a bot withouth installing it
so you as a developer must prevent your bot from processing the undesired messages.
You have two different options for restricting incoming messages that your bot processes.
If you are dealing with secure data, it is definitely recommended to use OAuth to authenticate the users.
- see Teams SSO bot - C# (experimental branch)
- note that after Authentication you will still need to handle Authorization, perhaps based on the Teams context
Using middleware to filter (to allow only your subscribed customers) is another good option. For example, in the case of the Teams channel, add the TeamsTenantFilteringMiddleware class to your bot, and wire it up in your startup method.
See these examples:
So for tenant filtering that would look something like:
if (!this.tenantMap.Contains(tenantId))
{
throw new UnauthorizedAccessException("Tenant Id '" + tenantId + "' is not allowed access.");
}
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline