Microsoft Teams App Scopes
Microsoft Teams App Scopes
| App Scope | What We Access | What We Store |
| --- | --- | --- |
| Maintain access to data you have given it access to | Maintain access = offline access. You grant us access to sync your data every 24 hours. We don’t have to reprompt for permission every time. | Allows the app to see the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions. |
| Sign you in and read your profile | We will receive the authorizing admin's name and email. Organization Name and Microsoft ID. | Ambition will receive the authorizing admin's name and email. We only store the organization name and Microsoft ID. |
| Read all Groups | Team Names and IDs. We can see the names of teams, public or private. | All Team Names and IDs (public and private). |
| Read the names and descriptions of channels | Channel names, IDs, and descriptions | All Channel Names and IDs (public only). We do not read the contents of any messages. We can't read the names of private channels. |
| Read all users' basic profiles | User names, emails, and timezones | All Users: Name, Email (to connect with their Ambition Email), and Microsoft Teams ID. This includes people who don't have an Ambition account. |
| Message History | Only messages that the Ambition integration posts. We do NOT collect/store messages posted by Users. We do NOT access existing channel messages. | |
Why are Names and Emails Stored?
Team and Channel Names are necessary to populate the Workflow's notification dropdown menu.
User Emails are necessary to connect Microsoft Teams Users with Ambition Users so that we can @tag them within Ambition's Microsoft Teams posts.
Additional Microsoft Teams Security FAQ
What does MS Teams get access to through this integration (i.e., activity/opportunity data that we are loading into Ambition, personal data from Ambition)?
MS Teams gets the contents of the messages shown in the channels. It is not privy to private Ambition info, and it can only see metric data that's shared in Workflows and slash commands.
It will receive a formatted message (JSON) with metric info about only a specific metric for metric/metric record workflows. The Scheduled Leaderboard Workflows will show metric values for everyone on the Leaderboard.
Finally, the Leaderboard slash command has to query Ambition for the available metrics and groups, so MS Teams will get the names of metrics, groups, and group types/categories. Only the names are sent: this doesn’t send over all the metric values, and it doesn’t expose which people are in which group.
Who has access to create these posts? Are there restrictions on the Ambition side to allow only managers to create a post in MS Teams?
On the Ambition side, we need an Org Admin to authorize the integration.
Managing Workflows is restricted by an Ambition permission as well. By default, Org Admins and managers can create workflows, but this can be customized by the customer.
On the MS Teams side, anyone with access to your Teams org (even if they do not have an Ambition account) can use the Leaderboard command to pull in an Ambition leaderboard.
The idea here is that leaderboards are not considered sensitive amongst your org.
Does a post to MS Teams from Ambition generate a unique notification or does it just use the MS Teams notification system?
Ambition Workflow messages posted into Teams rely on the automatic notifications that new posts create.
Do users have to sign up for Ambition within Teams or it is automatically added for all users when the integration is turned on?
Teams users do not have to sign up for Ambition Workflow alerts, but after install, the Ambition app will need to be added to the appropriate Teams and Channels for use.
Why does Ambition need GroupMember.Read.All access?
GroupMember.Read.All is a bit of a misnomer: it offers Ambition the ability to read info about all Groups. A group means a Microsoft 365 Group, some of which have a special tag that makes them into "Teams", which are accessible from within the MS Teams client. Ambition does not need access to non-Team groups, so they are filtered out and not saved to our database.
This permission confers the privilege to see the names of every group, both public and private. It also allows Ambition to query for a list of users who are members of the Team.
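The filtering described above, as an added example (not Ambition's code): it assumes the "special tag" is the `resourceProvisioningOptions` property that Microsoft Graph sets to include `"Team"` on Teams-enabled groups, and it runs over a constructed two-page `/groups` listing. Function names, group names and IDs are illustrative.

```python
import json

# Constructed sample: two pages shaped like Microsoft Graph "GET /groups"
# responses. Names and IDs are made up; real nextLink values are full URLs.
SAMPLE_PAGES = {
    "page1": {
        "@odata.nextLink": "page2",
        "value": [
            {"id": "g-0001", "displayName": "Sales East", "visibility": "Private",
             "resourceProvisioningOptions": ["Team"]},
            {"id": "g-0002", "displayName": "Finance DL", "visibility": "Private",
             "resourceProvisioningOptions": []},
        ],
    },
    "page2": {
        "value": [
            {"id": "g-0003", "displayName": "All Hands", "visibility": "Public",
             "resourceProvisioningOptions": ["Team"]},
            {"id": "g-0004", "displayName": "Badge Readers",
             "resourceProvisioningOptions": None},  # property may be null or absent
        ],
    },
}

STORED_FIELDS = ("id", "displayName")  # per the page: only team names and IDs are stored

def is_team(group):
    """True when the Microsoft 365 group carries the "Team" tag."""
    return "Team" in (group.get("resourceProvisioningOptions") or [])

def iter_groups(fetch_page, first="page1"):
    """Yield every group, following @odata.nextLink until the listing ends."""
    link = first
    while link:
        page = fetch_page(link)
        yield from page.get("value", [])
        link = page.get("@odata.nextLink")

def teams_to_store(fetch_page):
    """Filter out non-Team groups and keep only the fields that get stored."""
    return [{k: g[k] for k in STORED_FIELDS} for g in iter_groups(fetch_page) if is_team(g)]

def discarded(fetch_page):
    """Names of groups the scope exposes but the filter drops."""
    return [g["displayName"] for g in iter_groups(fetch_page) if not is_team(g)]

if __name__ == "__main__":
    print(json.dumps({"stored": teams_to_store(SAMPLE_PAGES.get),
                      "discarded": discarded(SAMPLE_PAGES.get)}, indent=2))
```

The `discarded` list is the part worth reviewing during consent: those groups are readable under the scope even though they are never saved.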