microsoft / coe-starter-kit


[CoE Starter Kit - Feature]: CoE Inventory data of Teams Webhook connector (trigger) is using anonymous or any authenticated method #9097

Open fs366e2spm opened 3 weeks ago

fs366e2spm commented 3 weeks ago

Is your feature request related to a problem? Please describe.

When using the Teams Webhook connector (trigger) in a Power Automate Flow we would like to monitor / find out in CoE inventory how many such webhook flows we have and even more important which connections have been made anonymously or which are using authentication.

Describe the solution you'd like

Having inventory data for Webhook triggered Flows and its used authentication method

Describe alternatives you've considered

Having a control possibility to allow / deny on the Webhook trigger in DLP to allow or deny e.g anonymous webhooks

Additional context?

No response

Jenefer-Monroe commented 3 weeks ago

Thank you for posting! Putting on feature backlog for consideration.

miroslav-harlas commented 2 days ago

Hello, I'm voting for a feature to inventory the use of this trigger and recognize the used authentication methods, incoming URLs, and potentially additional trigger settings.

Microsoft is deprecating MS teams connectors, per this announcement: Retirement of Office 365 connectors within Microsoft Teams

Microsoft is also stating in the specified blog article that "Power Automate workflows not only offer a much deeper catalog of Office connectors (see all connectors) but also ensure that your integrations are built on an architecture that can grow with your business needs and provide maximum security of your information."

At the same time, despite the words in the blog article mentioned above, there is zero guidance about how to secure the use of the respective trigger "When a Teams webhook request is received" within Power Automate Cloud Flows. Once enabled, it is just in the hands of the cloud flow maker to set up the trigger, and Anonymous authentication is the DEFAULT option with this trigger, which opens a space for potential malicious attacks against our business processes automated via Power Automate.

Having detailed information about the use and configuration of this trigger in the inventory of our tenant's cloud flows would allow us at least to implement some reactive governance processes on top of such inventory data, like sending an email to the cloud flow maker or suspending a cloud flow with a non-compliant setup of the trigger.

The only available official documentation about the trigger: When a Teams webhook request is received.

Thank you in advance for considering this feature.

Miroslav H.

Jenefer-Monroe commented 2 days ago

I hear you that you need more control here. Unfortunately the DLP request will need to go to the product team. https://powerusers.microsoft.com

Regarding inventory and the CoE Starter Kit, we do have Teams Webhooks in inventory today.

The request for auth type is not implemented though. I did a quick investigation to understand the cost and I'm not seeing what specifically you might be asking for. If you can take a look in the output of Get Flow as Admin, or in Get Flow, and see what you are hoping to be in inventory, then that will help me know if it's something we can do.

miroslav-harlas commented 1 day ago

Hello @Jenefer-Monroe , thank you very much for your response.

I haven't noticed that the use of this connector could already be inventoried. I have created a couple of such cloud flows in our tenant and I will check our inventory next week (we have a little bit larger tenant and a customized inventory schedule).

In the meantime, I have tried to explore the situation myself on recently created flows, and here are my additional details:

1. We are interested to see a list of all active (not disabled, not suspended) cloud flows which have a Manual Trigger of type "TeamsWebhook".

2. For such cloud flows we need to explore the cloud flow definition => If I look into the "Raw Output" of the action "Get Flow", I can see exactly what we need. It is present in the output JSON at the path "body/properties/definition/triggers/manual/inputs/", where there is a property named "triggerAuthenticationType", which can contain different values based on the configuration of the trigger. Getting these values inventoried is exactly what we are looking for. After testing with different trigger settings in cloud flows, I have identified that the following values could be identified:

    • "triggerAuthenticationType" : "All" (for anonymous access)
    • "triggerAuthenticationType" : "Tenant" (for allowing access to all tenant users)
    • "triggerAuthenticationType" : "User" (for allowing access to a specified list of users)
    • "triggerAuthenticationType" : "WhatEverIEnterAsMyOwnCustomValue" (if the cloud flow maker is customizing authentication settings; not sure if & how the custom option can be used somehow)

3. Finally, the action "Get Callback URL" from the "Power Automate Management" connector can provide the URL of the trigger. At this moment, I'm not sure how exactly we could use this information in any security & governance processes. I'm thinking about some kind of automated "Penetration Test" of the cloud flow trigger, but not sure at this moment; I'll discuss this internally within our company. 🤔

Once this information is inventoried, then I would love to:

Image

I hope these provided details could help. Thank you in advance for looking into this option. Miroslav H.
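An added example (not part of this issue thread or the CoE Starter Kit) of the governance check described above: it walks a list of flow records shaped like the Get Flow output, keeps only active flows whose manual trigger is a Teams webhook, and reads `triggerAuthenticationType` to flag anonymous ("All") triggers. The sample data is constructed; the `"kind": "TeamsWebhook"` marker and the `"Started"`/`"Stopped"` state values are assumptions, only the JSON path and the three auth values come from the thread.

```python
import json

# Constructed sample shaped like the Get Flow output quoted in the issue
# (body/properties/definition/triggers/manual/inputs/triggerAuthenticationType).
# The "kind": "TeamsWebhook" marker and the "state" values are assumptions.
SAMPLE_FLOWS = json.loads("""
[
  {"name": "flow-1", "properties": {"state": "Started", "definition": {"triggers": {"manual":
    {"type": "Request", "kind": "TeamsWebhook", "inputs": {"triggerAuthenticationType": "All"}}}}}},
  {"name": "flow-2", "properties": {"state": "Started", "definition": {"triggers": {"manual":
    {"type": "Request", "kind": "TeamsWebhook", "inputs": {"triggerAuthenticationType": "Tenant"}}}}}},
  {"name": "flow-3", "properties": {"state": "Stopped", "definition": {"triggers": {"manual":
    {"type": "Request", "kind": "TeamsWebhook", "inputs": {"triggerAuthenticationType": "All"}}}}}},
  {"name": "flow-4", "properties": {"state": "Started", "definition": {"triggers":
    {"Recurrence": {"type": "Recurrence"}}}}}
]
""")

# Values observed by the issue author; anything else is treated as a custom setting.
KNOWN = {"All": "anonymous", "Tenant": "tenant", "User": "named-users"}

def teams_webhook_trigger(flow):
    """Return the manual trigger dict if it is a Teams webhook trigger, else None."""
    triggers = flow.get("properties", {}).get("definition", {}).get("triggers", {})
    manual = triggers.get("manual")
    if manual and manual.get("kind") == "TeamsWebhook":
        return manual
    return None

def inventory(flows, active_only=True):
    """One record per Teams-webhook flow: auth type, classification, compliance verdict."""
    records = []
    for flow in flows:
        trigger = teams_webhook_trigger(flow)
        if trigger is None:
            continue
        state = flow["properties"].get("state")
        if active_only and state != "Started":   # assumed state value for an enabled flow
            continue
        auth = trigger.get("inputs", {}).get("triggerAuthenticationType", "<missing>")
        records.append({
            "flow": flow["name"],
            "state": state,
            "triggerAuthenticationType": auth,
            "classification": KNOWN.get(auth, "custom"),
            # Anonymous access is the trigger default per the issue; flag it for follow-up.
            "compliant": auth != "All",
        })
    return records
```

A non-compliant record is the input for the reactive steps the issue mentions (notify the maker, or suspend the flow).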

Jenefer-Monroe commented 1 day ago

Thank you that is quite helpful. I will try and do this for an upcoming release.