SOLVED

What storages Teams Apps are using


Hi,

Does anybody have a good idea of where those apps in Teams are storing data and who is controlling the encryption level on those? We are using our own encryption keys, but how could we be sure that those apps are following the same rules? We already noticed issues with Power Apps on these. I believe Microsoft's own apps should be pretty controlled, but how about third-party apps?

8 Replies

@Petri X Apps in Teams pretty much fall into two main camps: Bots, and Tabs (even things like Message Extensions and outgoing webhooks often basically take one of these forms). Bots are essentially just remote web services (HTTP POST endpoints) and Tabs are basically just 'iframed' webpages. As a result, in this context, you're pretty much totally reliant on the app developer and how they've chosen to design + implement their app.

That said, Microsoft do offer an "App Compliance" program (see more at https://docs.microsoft.com/en-us/microsoft-365-app-certification/overview), where an app can achieve various levels of increased trust and verification. Follow the links to some of the sub pages to see more about the program's goals and approach.

Hi @Hilton Giesenow 

Not sure if we are speaking about the same item...? I meant those apps which are listed on:

Teams Admin center / Teams Apps / Manage Apps

On there we have Microsoft apps, but also third-party apps.

In case our users are asking to allow application XYZ, I was hoping to easily see what it stores and where it stores the information.

Yes, we're talking about the same thing - I mean any 3rd party app in Teams - there's no way for you to know for sure where/how it's storing its data behind the scenes. I would guess it's one of the main reasons exactly why Microsoft introduced the Compliance program I mentioned - there is a lot involved in that around storage/encryption/GDPR/etc. etc. in terms of how the app vendor stores, secures and manages customer and user data.

@Hilton Giesenow 

You wrote: 

"there's no way for you to know for sure where/how it's storing its data behind the scenes."

Really? Is it only me who is wondering how bad this sounds? How can anybody trust those apps then? :facepalm:

Need to read more about the link you shared.

While I don't disagree with you, this is hardly a "Teams App" issue - it's true for ANY SaaS system you use. Certainly a smaller/lesser known vendor, and even true for the larger/bigger names. While the larger ones might have more to lose (reputation-wise) for anything malicious, they're also very prone to breaches, as we've seen time and again. As a result, there's a certain level of trust that we're either assuming or granting to -any- 'cloud' product. This certification, while hardly faultless, at least aims to make the vendor think about (and hopefully implement) certain practices. In addition, it's of course recommended to review the vendor's privacy policy/terms of use/etc.

@Hilton Giesenow 

On the other hand, we are their customers. If we do not care, nothing will change. Some of us might have some legal requirements for a certain level of encryption and other storage-related topics. Customers should actively challenging

At least Microsoft should be able to provide information on whether an application is able to follow tenant-level settings, as on some level Microsoft has accepted the application onto the apps list in Teams.

Like I said, definitely not disagreeing with you :-). Just being realistic and practical - this reality goes beyond Microsoft and beyond Teams.
best response confirmed by Wajeed-MSFT (Microsoft)
Solution

@Petri X Microsoft offers a Microsoft 365 App Certification to resolve the issues you are facing when looking to enable 3rd party apps. In order to complete the Certification and get a badge next to their app in the Teams IT Admin portal and in AppSource, an app developer must demonstrate that they meet specific criteria. To better understand what those criteria are, please refer to our Certification Submission Guide.