SOLVED

Incoming Webhook enable Teams

%3CLINGO-SUB%20id%3D%22lingo-sub-1448513%22%20slang%3D%22en-US%22%3EIncoming%20Webhook%20enable%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1448513%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Everyone%2C%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20support%20from%20you.%20I%20have%20a%20demand%20about%20using%20the%20Webhook%20service.%20I%20saw%20that%20there%20is%20a%20method%20of%20ensuring%20security%20between%20channels%20via%20HMAC.%20The%20problem%20I%20see%20is%20that%20when%20I%20release%20the%20Webhook%2C%20it%20releases%20for%20everyone.%20How%20can%20I%20protect%20other%20entries%20%2F%20integrations%20without%20my%20permission%3F%20Is%20there%20anything%20standard%20with%20Webhook%20without%20using%20HMAC%20in%20the%20code%2C%20or%20from%20the%20moment%20I%20release%20it%2C%20is%20it%20possible%20to%20connect%3F%20Because%20I%20didn't%20see%20this%20type%20of%20configuration%20in%20Teams%2C%20just%20the%20option%20to%20release.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20that%20the%20HMAC%20configuration%20should%20be%20in%20the%20.js%20script%20(for%20example).%20What%20is%20the%20way%20to%20avoid%20other%20connections%20%2F%20integrations%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20advance!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECaio%20R.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1448513%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESettings%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1450155%22%20slang%3D%22en-US%22%3ERe%3A%20Incoming%20Webhook%20enable%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1450155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692687%22%20target%3D%22_blank%22%3E%40AppSec_Caio%3C%2FA%3E%26nbsp%3BIncoming%20webhooks%20are%20specific%20to%20a%20channel%20and%20allows%20everyone%20in%20the%20channel%20to%20view%20it.%20It%20is%20not%20possible%20to%20restrict%20the%20visibility%2Fintegration%20of%20incoming%20webhooks%20to%20specific%20people.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Visitor

Hello Everyone, 

I would like support from you. I have a demand about using the Webhook service. I saw that there is a method of ensuring security between channels via HMAC. The problem I see is that when I release the Webhook, it releases for everyone. How can I protect other entries / integrations without my permission? Is there anything standard with Webhook without using HMAC in the code, or from the moment I release it, is it possible to connect? Because I didn't see this type of configuration in Teams, just the option to release.

 

I know that the HMAC configuration should be in the .js script (for example). What is the way to avoid other connections / integrations?

 

Thanks advance! 

 

Caio R.

1 Reply
best response confirmed by AppSec_Caio (Frequent Visitor)
Solution

@AppSec_Caio Incoming webhooks are specific to a channel and allows everyone in the channel to view it. It is not possible to restrict the visibility/integration of incoming webhooks to specific people.