MicrosoftDocs / msteams-docs

Source for the Microsoft Teams developer platform documentation.
https://aka.ms/teamsdev
Creative Commons Attribution 4.0 International

Access to not installed app and custom tabs after switching account in MS Teams Android App #10767

Open MajaEffenberg opened 4 months ago

MajaEffenberg commented 4 months ago

Steps to reproduce

We build an app for MS Teams which does provide a chatbot to the user and some custom tabs.

We have noticed that some of our users can access these custom tabs after changing their account, even if they do not have this application installed on this new account. The error occurs on the Teams app for Android, for different users whose accounts belong to different tenants.

Expected behavior

You should not be able to access the app and its tab from an account where the app is not installed.

Actual behavior

After changing the account, the user has access to tabs from an application that is not installed on this account, but is installed on the previously active account.

Error details

No response

Prasad-MSFT commented 4 months ago

Hi @MajaEffenberg - Could you please let us know if you have created the app as Single Tenant or Multitenant app? If you have published the app with multi-tenant capability, it will show in other tenants also.

MajaEffenberg commented 4 months ago

@Prasad-MSFT Thank you for the quick answer, but it is not entirely related to this problem.

Our application is a Multitenant app and our users can install it on different tenant accounts. The problem, however, is that some users have our app installed on their first account. Then, after switching to another tenant account where our app is not installed, they still have access to our application and its custom tabs, which should not be possible.

Additionally, after the user switches his account, we never get installation events for our application on this other tenant, but we get information that he opens our custom tabs. How is it possible that a user can open tabs of an app from another tenant on the same device on Android?

ChetanSharma-msft commented 4 months ago

Hello @MajaEffenberg - Could you please try after removing the cache? Reference doc: https://learn.microsoft.com/en-us/microsoftteams/troubleshoot/teams-administration/clear-teams-cache

Also, please confirm if it's working as expected in Desktop/Web Teams clients?

The bot receives an installationUpdate event when you install a bot to a conversation thread. If you switch accounts, it will not call bot installation events.

sschoeb commented 4 months ago

@ChetanSharma-msft thanks for your reply. I'm a coworker of @MajaEffenberg.

To answer your questions: We cannot reproduce this on our side, but we get close to every day a call from a tab opened on an android teams installation which has a tenantid for which the user never got any installation event.

So what we know:

Anything else you need to know on that?
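
Added example (not part of the thread and not the reporters' code): one way to turn the observation above into a per-tenant summary, by replaying `installationUpdate` activities and listing tab calls whose tenant had no installation at call time. The tab-call record shape `{ tenantId, at }` and all IDs and timestamps are constructed; a tenant missing from the replay can also mean an installation event that predates the log.

```javascript
// Constructed sample data; only type/action/timestamp/channelData.tenant.id
// follow the Bot Framework activity shape.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;
const norm = (id) => {
  const s = typeof id === "string" ? id.trim().toLowerCase() : "";
  return GUID.test(s) ? s : null; // tenant IDs compare case-insensitively
};

// Replay install/remove events up to `when` (ms since epoch) and return the
// set of tenants that had at least one installation at that moment.
function installedTenantsAt(activities, when) {
  const count = new Map();
  const events = activities
    .filter((a) => a.type === "installationUpdate" && Date.parse(a.timestamp) <= when)
    .sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
  for (const a of events) {
    const tid = norm(a.channelData?.tenant?.id);
    if (!tid) continue;
    const delta = a.action === "add" ? 1 : a.action === "remove" ? -1 : 0;
    count.set(tid, Math.max(0, (count.get(tid) || 0) + delta));
  }
  return new Set([...count].filter(([, n]) => n > 0).map(([t]) => t));
}

// Summarise tab calls whose tenant ID had no installation when the call arrived.
function reportUninstalledTenantCalls(activities, tabCalls) {
  const report = new Map();
  for (const call of tabCalls) {
    const at = Date.parse(call.at);
    const tid = norm(call.tenantId);
    if (tid && installedTenantsAt(activities, at).has(tid)) continue;
    const key = tid || "invalid-tenant-id";
    const row = report.get(key) || { tenantId: key, calls: 0, firstSeen: call.at, lastSeen: call.at };
    row.calls += 1;
    if (at < Date.parse(row.firstSeen)) row.firstSeen = call.at;
    if (at > Date.parse(row.lastSeen)) row.lastSeen = call.at;
    report.set(key, row);
  }
  return [...report.values()];
}

const TENANT_A = "aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa";
const TENANT_B = "bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb";
const TENANT_C = "cccccccc-3333-4333-8333-cccccccccccc"; // never installed
const sampleActivities = [
  { type: "installationUpdate", action: "add", timestamp: "2024-01-10T08:00:00Z", channelData: { tenant: { id: TENANT_A } } },
  { type: "installationUpdate", action: "add", timestamp: "2024-01-11T08:00:00Z", channelData: { tenant: { id: TENANT_B } } },
  { type: "installationUpdate", action: "remove", timestamp: "2024-01-12T08:00:00Z", channelData: { tenant: { id: TENANT_B } } },
];
console.log(reportUninstalledTenantCalls(sampleActivities, [{ tenantId: TENANT_C, at: "2024-01-13T10:00:00Z" }]));
```
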

ChetanSharma-msft commented 4 months ago

Hello @sschoeb - Thanks for sharing your inputs. As we are not able to repro this issue, we will check with engineering team once and let you know the updates.

Prasad-MSFT commented 4 months ago

@sschoeb - Please do share the tenant details and android Teams version where the issue is happening

sschoeb commented 4 months ago

@Prasad-MSFT is there a secure channel to share the tenant-ids?

We do not have the android teams version of the client, as these are customers of our customers. I don't think we get that information.

Prasad-MSFT commented 4 months ago

@sschoeb - You can share tenant details via email to microsoftteamsdev@microsoft.com

sschoeb commented 4 months ago

@Prasad-MSFT I've sent you two examples. Let me know if you need more information.

Prasad-MSFT commented 4 months ago

@sschoeb - Thanks for sharing the tenant details. We have raised an ICM for this issue and assigned to engineering team. We will inform you once we have further update.

sschoeb commented 3 months ago

@Prasad-MSFT We still see this issue happening. Do you have any feedback on this?

Prasad-MSFT commented 3 months ago

Apologies. Currently there is no ETA to share. We are following up with engineering team about this issue. We will update this thread once we hear from them. Thanks!

sschoeb commented 3 months ago

@Prasad-MSFT We see that issue close to every day. Our users are having problems because of this. Please share with the development team that this gets more urgent every day as the users get frustrated with these bugs.

Prasad-MSFT commented 3 months ago

Hi @sschoeb - The engineering team needs the details below to investigate further. Could you please share this info?

  1. Are the tenants listed test tenant accounts? On Android side logs I only see 1 app (Assignment) being used in one of the tenants by one user.
  2. If the partner can provide a recorded video of the issue reproduction, it would be more helpful.
  3. The partner mentioned they are seeing events in their telemetry. It would be helpful if they can share some dump of this data.

sschoeb commented 3 months ago

@Prasad-MSFT Sorry, I missed your comment. Here is the info you requested:

  1. No. These are calls from our customers' installations to our backend. We usually see that they have two tenants on their devices, where usually one is their employer and the other one another company where our app is running inside. Within the tenant of the employer, micromate is NOT installed.
  2. No, we cannot. This happens very randomly and this is a customer of our customer, so we do not have access to the users. But we have the logs that somehow they have managed to get the wrong tenantid from teams-js within the tab.
  3. I do not understand this request, what exactly should be provided here?

sschoeb commented 2 months ago

@Prasad-MSFT I think this should not be closed by the github-policy-service. Is there already any feedback on this? We see this error close to every day.

sschoeb commented 2 months ago

@Prasad-MSFT / @ChetanSharma-msft Could you reopen this bug? This is NOT fixed! We still see this behaviour on a daily basis...

Prasad-MSFT commented 2 months ago

Hi @MajaEffenberg - We had raised an ICM for this issue earlier and now the engineering team wants the Teams App version and device logs. Could you please provide those?

sschoeb commented 2 months ago

@Prasad-MSFT as mentioned before, we do not have access to a device where we can reproduce this issue, we just see that we get the calls with the wrong information!

As far as I know there is no way to get the teams app version using teams-js or from the calls in the API? Additionally could you provide us with further information how we should get the logs from a device we do not have access to? And what kind of logs do you expect?

Would it be possible to connect us to the engineer who is working on this problem, we are playing the good old telephone game here which is just super bad....

sschoeb commented 2 months ago

@Prasad-MSFT As we await your feedback, could you remove the tag? Thanks.

Prasad-MSFT commented 2 months ago

@sschoeb - https://learn.microsoft.com/en-us/microsoftteams/log-files#desktop-logs and we need MS Teams versions as below: (image)

sschoeb commented 2 months ago

@Prasad-MSFT Can you explain to me how I can get this version from a user I don't know?

We need a solution to get this version from teams-js or from the callbacks of the botframework.