Monday, November 8, 2021

Microsoft Teams Security and Compliance (S+C) APIs powered by Graph

Back in early October, Microsoft announced the general availability of three new Graph APIs that provide both customers and partners with the capabilities outlined below:

  1. Change Notification API – the ability to subscribe to new chat messages and retrieve associated content
  2. Export API – retrieval of Teams content by user or team (channel)
  3. Patch API – replace/hide (with policy violation notification) Teams messages for data loss prevention (DLP) purposes

This level of extensibility is critical for customers in heavily regulated industries and, in some cases, can influence whether Microsoft Teams is adopted within those organizations.


Examples of applications that can now take advantage of these S+C APIs include archiving solutions, DLP applications, or even solutions that monitor employee health and safety via negative keyword identification.


There are, however, some important prerequisites worth noting before you dive in and start developing apps that take advantage of these APIs.


First, Microsoft requests that you apply for access; this can be done via a request form located here. There are also some licensing implications, which kick in depending upon the E SKU your organization subscribes to. If you’re an E5 customer (a requirement for S+C apps), then chances are the seeded quantity will cover you. For non-S+C applications, where E5 licenses are not needed, there’s a fee associated with these API calls; note that this is charged back to the tenant where the app is located. For a detailed overview of licensing, Microsoft has an extensive document located here.


So what kind of chat data is included via these APIs?

  • Message text and titles
  • Message formatting
  • @mentions
  • Adaptive cards
  • Images/stickers (as links)
  • Links to code snippets (also images)
  • Links to attachments (located within SharePoint/OneDrive)
  • Membership information is also available

So what does this all look like when integrated into a DLP solution? Check out the demo below from a Microsoft certified product from Proofpoint.


Below we can see sensitive credit card details being sent to our Demo User; the Change Notification API picked up on this, and then the Patch API blocked the message and returned a policy violation message.
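The detect-and-block flow described above, as an added Python sketch (not part of the original post and not Proofpoint's implementation): it scans a message body for Luhn-valid card numbers and builds the Patch API request. The `policyViolation` field names follow Microsoft's Graph documentation for chat messages; the function names, policy tip text and sample message are assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TAG_RE = re.compile(r"<[^>]+>")  # Teams message bodies are often HTML


def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs (order or phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body_content):
    """Return Luhn-valid card-like numbers found in a chat message body."""
    text = TAG_RE.sub(" ", body_content)
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def build_dlp_patch(chat_id, message_id, body_content):
    """Return (path, payload) for the Graph PATCH that hides the message, or None if clean."""
    if not find_card_numbers(body_content):
        return None
    # Field names per Microsoft Graph's chatMessagePolicyViolation resource (not shown on this page).
    payload = {
        "policyViolation": {
            "policyTip": {
                "generalText": "This message was blocked by your organization's DLP policy.",
                "matchedConditionDescriptions": ["Credit Card Number"],
            },
            "verdictDetails": "AllowFalsePositiveOverride",
            "dlpAction": "BlockAccess",
        }
    }
    # Path is relative to the Graph API root; the caller sends it with an app-only token.
    return f"/chats/{chat_id}/messages/{message_id}", payload


# Constructed sample: 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = "<div>Card is 4111 1111 1111 1111, exp 01/30</div>"
```

In a real integration `body_content` would come from the message delivered by a Change Notification subscription, and the returned path and payload would be sent as an authenticated PATCH.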


To learn more about how to build applications together with these new Graph APIs I recommend watching this great overview here.


Adam Jacobs is a Principal Engineer at Proofpoint, where he works on cyber security solutions that integrate with Microsoft Graph API. Prior to working at Proofpoint he worked at Poly where he focused on Teams Devices and Cloud Video Interoperability. Adam is a Microsoft Teams MVP, co-manages the Silicon Valley Microsoft Teams User Group, is a board member for the National US Teams User Group and has presented at various industry events.

