Let's Do DevOps

🔥Building a Teams Bot with AI Capabilities - Part 3 - Delegated Permissions and Making Lambda Stateful for OAuth2🔥


aka, "do you remember me?"

Kyler Middleton
Jun 17, 2025

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

These articles are supported by readers; please consider subscribing to support me writing more of these articles <3 :)

This article is part of a series of articles, because 1 article would be absolutely massive.

  • Part 1: Create an Azure Bot and App Registration

  • Part 2: Register Bot in Teams with Teams Developer Portal

  • Part 3 (this article): Delegated Permissions and Making Lambda Stateful for OAuth2

Hey all!

During the last two articles, we talked about how to get started building a Teams Bot - we built the manifest, registered the Bot resource, and linked it to an App Registration. That App Registration contains all sorts of wonderful permissions that we need to use in order to build conversation context and operate as a bot.

However, all the permissions are set as Delegated - that means that the Bot can't do those things itself - it has no rights at all, since all the permissions are "Delegated" (vs "Application" permissions).

I talked to our Azure admin about just granting the Bot Application permissions to:

  • Read all Channels

  • Read all Messages in any channel

  • Read all private chats

And he just laughed and laughed. Granting a static permission to a bot to work like that would be bizarre - that's way too many permissions! And if someone were able to steal the Client ID and Client Secret, they could exfiltrate absolutely all data from our Teams.

Thus, delegated permissions.

Let's talk about what delegated permissions are, and then about the changes we need to make to our Receiver lambda (which is obviously stateless, it's a lambda) so that it can operate in a stateful way.

Don't understand why our Receiver lambda needs state? Well, read on! It's all about the OAuth2 token delivery safety mechanism in Azure.

If you'd rather skip right to the code, this tool is available and open source. Please, go build!
