I am sending Actionable Message Cards to our outllook email which has capability of restarting applications servers and so on.
From the security perspective I am trying to limit users based on email id to restrict the access on which people can take action. I just want a set of users to perform the action and seems the field of expectedActors in the cards should do the needful. But on using that I don't see any difference and anyone can hit the button to take actions like restarting applications.
Below is the sample of message card I am using as a part of my python script.