Teams MessageCard authentication (Related to Azure Security Center integration)

This is a brain dump post. If you want some background check PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!

Teams messagecards findings:

• The outbound call is NOT client-side XHR/AJAX/Fetch style call from the Teams client, but call rather proxied through another MS service.
  • This means, that when you develop the solution, the endpoint that does the messageCard action handling needs to be visible to that Microsoft service (in another words, the service needs to be publicly accessible)
• Your Bot/Web App/function can verify authenticity of MessageCards action by verifying the embedded JWT token
  • This feature is not directly documented on the docs, so I wanted to make sure that some trace of it is available in the web

• https://docs.microsoft.com/en-us/outlook/actionable-messages/message-card-reference#httppost-action

Peeking under the hood

• This is what my ExpressJS based NodeJS Azure Web App sees in the request when feature below is invoked (Sending reply to Azure Security Center Alert)

• 

References

• https://docs.microsoft.com/en-us/outlook/actionable-messages/message-card-reference#httppost-action
• PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!