We want our customers to be confident and aware of our data collection practices when using External User Manager.
Note
The content on this page is subject to change. We recommend that you check back quarterly for updates.
Data Management Practices
With its various features, External User Manager accesses, processes and stores several types of data:
- Authentication
- Team/Group
- User
- Teams conversations
Here is how we’re managing data for these different categories:
| Data | Accessed | Cached | Stored | Notes |
|---|---|---|---|---|
| Authentication | ✔ | ✔ | ✔ | Access-Tokens are generated for both Application and Delegated Permission Access-Tokens are cached for up to 45m. Refresh-Token for service user to handle the invite process is stored in the database. |
| Team/Group | ✔ | 🚫 | ✔ | ID of Teams/Groups/Sites is stored in the database. |
| User | ✔ | 🚫 | ✔ | Users data (AAD ID, UPN). AAD ID and ID assigned from the Bot are stored in the database. |
| Teams conversations | ✔ | 🚫 | ✔ | Bot sends messages in Teams and sends Adaptive Cards to users. ID of adaptive Card is stored. |
Microsoft Graph
| Scope | Description | Justification | Admin Consent Required | Type |
|---|---|---|---|---|
AuditLog.Read.All | Retrieve the audit log activities of user object. | Allows the app to read and query your audit log activities, without a signed-in user. | Yes | Application |
email | Required for SSO. | Allows the app to read your primary email address. | No | Delegated |
Group.Read.All | Retrieve the properties of the Group object. | Allows for getting the groups the logged in user has access to. | Yes | Delegated |
Group.ReadWrite.All | Retrieve and update the properties of the Group object. | Allows for getting and updating groups without user access (e.g. lifecycle). | Yes | Application |
GroupMember.ReadWrite.All | Retrieve and update the properties of a user object in a group. | Allows for getting and updating users in a group the logged in user has access to. | Yes | Delegated |
| Retrieve and update the properties of a user object in a group. | Allows for getting and updating users in a group without user access. | Yes | Application |
Mail.Send | Allows to send mails from the user. | Allows for sending the lifecycle mail notifications. | Yes | Application |
offline_access | Required for SSO. | Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions. | No | Delegated |
openid | Required for SSO. | Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information. | No | Delegated |
profile | Required for SSO. | Allows the app to see your basic profile (e.g., name, picture, user name, email address). | No | Delegated |
Team.ReadBasic.All | Retrieve the basic properties of a team object. | Allows for getting the basic information of a team. | Yes | Application |
TeamMember.ReadWrite.All | Retrieve and update the properties of a user object in a team. | Allows for getting and updating users in a team the logged in user has access to. | Yes | Delegated |
TeamMember.ReadWrite.All | Retrieve and update the properties of a user object in a team. | Allows for getting and updating users in a team without user access. | Yes | Application |
TeamsActivity.Send | Send Teams activities to users. | Allows for sending activities to users. | No | Delegated |
| Send Teams activities to users. | Allows for sending activities to users. | Yes | Application |
TeamsAppInstallation.ReadForUser | Retrieve installed apps of a user object. Required for sending activities. | Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings. | No | Delegated |
TeamsAppInstallation.ReadForUser.All | Retrieve installed apps of a user object. Required for sending activities. | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes | Application |
User.Invite.All | Send invite to external guests. | Allows the app to invite guest users to the organization, on your behalf. | Yes | Delegated |
User.Read | Retrieve the properties and relationships of the logged in user object. | Allows to get the logged in user. | No | Delegated |
User.Read.All | Retrieve the properties of user objects. | Allows for getting the user data of all users. | Yes | Delegated |
User.ReadWrite.All | Retrieve and update the properties of a user object. | Allows for getting and updating users without user access. | Yes | Application |
AppCatalog.Read.All | Retrieves the app from the store | Navigation from Adaptive Card into the app | Yes | Application |
Microsoft Teams Apps Security And Compliance
To provide organizations with the information they need to accelerate and inform decisions about the Microsoft Teams apps and add-ins they use, Microsoft works with our Microsoft 365 developer partners. This information is supplemented by information from the Microsoft Cloud App Security app catalog and information provided by developers when they submit their apps. This security, data handling and compliance information is intended to help organizations assess and manage the risks of using these apps.
Note
Architecture And Flow Diagram
Resource Endpoints
All the traffic from and to the External User Manager platform uses HTTPS protocol on port 443. Here is a short description of each flow:
| Name | Comments |
|---|---|
| .msecnd.net and *.visualstudio.com | for performance metrics analysis |
Dependencies
Server
| Name | Version | Url | License |
| @fluentui/font-icons-mdl2 | 8.4.8 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/foundation-legacy | 8.2.15 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/react | ^8.91.0 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/react-focus | 8.8.0 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/react-hooks | 8.6.7 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/react-northstar | 0.64.0 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/style-utilities | 8.7.7 | https://github.com/microsoft/fluentui | MIT |
| @fluentui/theme | 2.6.12 | https://github.com/microsoft/fluentui | MIT |
| @microsoft/applicationinsights-react-js | ^3.4.0 | https://github.com/microsoft/applicationinsights-react-js | MIT |
| @microsoft/applicationinsights-web | ^2.8.6 | https://github.com/microsoft/ApplicationInsights-JS | MIT |
| @microsoft/teams-js | 1.10.0 | https://github.com/OfficeDev/microsoft-teams-library-js | MIT |
| @react-pdf/renderer | ^2.3.0 | https://github.com/diegomura/react-pdf | MIT |
| @testing-library/jest-dom | ^4.2.4 | https://github.com/testing-library/jest-dom | MIT |
| @testing-library/react | ^9.5.0 | https://github.com/testing-library/react-testing-library | MIT |
| @testing-library/user-event | ^7.2.1 | https://github.com/testing-library/user-event | MIT |
| @types/jest | ^24.9.1 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/microsoftteams | ^1.9.2 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/node | ^12.19.4 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/pdfmake | ^0.2.1 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react | ^17.0.39 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-dom | ^18.0.6 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-email-editor | ^1.1.1 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-pdf | ^5.7.2 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-router-dom | ^5.3.3 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/recharts | ^1.8.23 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| adaptivecards | ^2.9.0 | https://github.com/microsoft/AdaptiveCards | MIT |
| adaptivecards-templating | ^1.4.0 | https://github.com/microsoft/AdaptiveCards | MIT |
| array-move | ^3.0.1 | https://github.com/sindresorhus/array-move | MIT |
| assert | ^2.0.0 | https://github.com/browserify/commonjs-assert | MIT |
| buffer | ^6.0.3 | https://github.com/feross/buffer | MIT |
| node-sass | ^4.14.1 | https://github.com/sass/node-sass | MIT |
| pdf-lib | ^1.16.0 | https://github.com/Hopding/pdf-lib | MIT |
| pdfmake | ^0.2.5 | https://github.com/bpampuch/pdfmake | MIT |
| react | ^17.0.2 | https://github.com/facebook/react | MIT |
| react-devtools | ^4.25.0 | https://github.com/facebook/react | MIT |
| react-dom | ^17.0.2 | https://github.com/facebook/react | MIT |
| react-dropzone | ^12.0.4 | https://github.com/react-dropzone/react-dropzone | MIT |
| react-email-editor | ^1.3.0 | https://github.com/unlayer/react-email-editor | MIT |
| react-html-parser | ^2.0.2 | https://github.com/wrakky/react-html-parser | MIT |
| react-iframe | ^1.8.0 | https://github.com/svenanders/react-iframe | ISC |
| react-intl | ^6.0.8 | github.com/formatjs/formatjs | BSD-3-Clause |
| react-pdf | ^5.7.2 | https://github.com/wojtekmaj/react-pdf | MIT |
| react-router-dom | ^6.3.0 | https://github.com/remix-run/react-router | MIT |
| react-scripts | 3.4.4 | https://github.com/facebook/create-react-app | MIT |
| react-sortable-hoc | ^2.0.0 | https://github.com/clauderic/react-sortable-hoc | MIT |
| read-appsettings-json | ^1.0.98 | https://github.com/codechavez/read-appsettings-json | MIT |
| recharts | ^2.1.13 | https://github.com/recharts/recharts | MIT |
| typescript | ^4.7.4 | https://github.com/Microsoft/TypeScript | Apache-2.0 |
| typestyle | ^2.1.0 | https://github.com/typestyle/typestyle | MIT |
| @testing-library/jest-dom | ^5.16.2 | https://github.com/testing-library/jest-dom | MIT |
| @testing-library/react | ^11.2.7 | https://github.com/testing-library/react-testing-library | MIT |
| @testing-library/user-event | ^12.8.3 | https://github.com/testing-library/user-event | MIT |
| @types/jest | ^26.0.24 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/node | ^12.20.46 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react | ^17.0.39 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-dom | ^17.0.11 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-html-parser | ^2.0.2 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-pdf | ^5.7.2 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-router-dom | ^5.3.3 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/react-signature-canvas | ^1.0.2 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| @types/sass | ^1.43.1 | https://github.com/DefinitelyTyped/DefinitelyTyped | MIT |
| js-sha256 | ^0.9.0 | https://github.com/emn178/js-sha256 | MIT |
| react | ^17.0.2 | https://github.com/facebook/react | MIT |
| react-dom | ^17.0.2 | https://github.com/facebook/react | MIT |
| react-html-parser | ^2.0.2 | https://github.com/wrakky/react-html-parser | MIT |
| react-intl | ^5.24.6 | github.com/formatjs/formatjs | BSD-3-Clause |
| react-pdf | ^5.7.2 | https://github.com/wojtekmaj/react-pdf | MIT |
| react-player | ^2.9.0 | https://github.com/CookPete/react-player | MIT |
| react-router-dom | ^6.3.0 | https://github.com/remix-run/react-router | MIT |
| react-scripts | ^5.0.0 | https://github.com/facebook/create-react-app | MIT |
| react-signature-canvas | ^1.0.5 | https://github.com/agilgur5/react-signature-canvas | Apache-2.0 |
| react-toastify | ^9.0.5 | https://github.com/fkhadra/react-toastify | MIT |
| read-appsettings-json | ^1.0.98 | https://github.com/codechavez/read-appsettings-json | MIT |
| sass | ^1.49.9 | https://github.com/sass/dart-sass | MIT |
| typescript | ^4.5.5 | https://github.com/Microsoft/TypeScript | Apache-2.0 |
| web-vitals | ^1.1.2 | https://github.com/GoogleChrome/web-vitals | Apache-2.0 |
| react-responsive | ^9.0.0-beta.6 | https://github.com/contra/react-responsive | MIT |
| AdaptiveCards | 2.7.2 | https://github.com/Microsoft/AdaptiveCards | MICROSOFT SOFTWARE LICENSE TERMS |
| AdaptiveCards.Templating | 1.1.0 | https://github.com/Microsoft/AdaptiveCards | MICROSOFT SOFTWARE LICENSE TERMS |
| Azure.Storage.Blobs | 12.9.1 | https://github.com/Azure/azure-sdk-for-net | MIT |
| Azure.Storage.Queues | 12.7.0 | https://github.com/Azure/azure-sdk-for-net | MIT |
| Log4net.AzureLogAnalytics | 1.3.1 | https://github.com/Microsoft/ApplicationInsights-dotnet | MIT |
| Microsoft.ApplicationInsights.AspNetCore | 2.17.0 | https://github.com/Microsoft/ApplicationInsights-dotnet | MIT |
| Microsoft.ApplicationInsights.Log4NetAppender | 2.17.0 | https://github.com/Microsoft/ApplicationInsights-dotnet | MIT |
| Microsoft.AspNet.WebApi.Core | 5.2.7 | https://github.com/aspnet/AspNetWebStack | MICROSOFT SOFTWARE LICENSE TERMS |
| Microsoft.AspNet.WebPages | 3.2.7 | https://github.com/aspnet/AspNetWebStack | MICROSOFT SOFTWARE LICENSE TERMS |
| Microsoft.AspNetCore.AzureAppServices.HostingStartup | 3.1.28 | https://github.com/dotnet/aspnetcore | MIT |
| Microsoft.AspNetCore.Cors | 2.2.0 | https://github.com/aspnet/CORS | Apache-2.0 |
| Microsoft.AspNetCore.SpaServices.Extensions | 3.1.8 | https://github.com/dotnet/aspnetcore | MIT |
| Microsoft.Azure.WebJobs.Extensions | 3.0.6 | https://github.com/Azure/azure-webjobs-sdk-extensions | MICROSOFT SOFTWARE LICENSE TERMS |
| Microsoft.Bot.Builder | 4.16.1 | https://github.com/Microsoft/botbuilder-dotnet | MIT |
| Microsoft.Bot.Builder.Integration.AspNet.Core | 4.14.1 | https://github.com/Microsoft/botbuilder-dotnet | MIT |
| Microsoft.Bot.Connector | 4.16.1 | https://github.com/Microsoft/botbuilder-dotnet | MIT |
| Microsoft.Bot.Connector.Teams | 0.10.0 | https://github.com/OfficeDev/BotBuilder-MicrosoftTeams-dotnet | MIT |
| Microsoft.Bot.Schema | 4.16.1 | https://github.com/Microsoft/botbuilder-dotnet | MIT |
| Microsoft.EntityFrameworkCore | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.EntityFrameworkCore.Design | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.EntityFrameworkCore.InMemory | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.EntityFrameworkCore.Sqlite | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.EntityFrameworkCore.SqlServer | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.EntityFrameworkCore.Tools | 5.0.7 | https://github.com/dotnet/efcore | MIT |
| Microsoft.Extensions.Logging.Log4Net.AspNetCore | 3.1.5 | https://github.com/huorswords/Microsoft.Extensions.Logging.Log4Net.AspNetCore | Apache-2.0 |
| Microsoft.Graph.Beta | 0.35.0-preview | https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet | MIT |
| Microsoft.Web.WebJobs.Publish | 2.0.0 | https://dot.net/ | MICROSOFT SOFTWARE LICENSE TERMS |
| SendGrid | 9.24.0 | https://github.com/sendgrid/sendgrid-csharp.git | MIT |
| Solutions2Share.Modules.Logger | 1.3.0 | ||
| System.Drawing.Common | 5.0.2 | https://github.com/dotnet/runtime | MIT |
| System.Net.Http | 4.3.4 | https://dot.net/ | MICROSOFT SOFTWARE LICENSE TERMS |
| log4net | 2.0.12 | https://github.com/apache/logging-log4net | Apache-2.0 |
| Microsoft.Identity.Client | 4.45.0 | https://github.com/AzureAD/microsoft-authentication-library-for-dotnet | MIT |
| Microsoft.Extensions.Configuration.UserSecrets | 3.1.8 | https://github.com/dotnet/runtime | MIT |
| Microsoft.Graph.Core | 1.25.1 | https://developer.microsoft.com/graph | MIT |
| System.IdentityModel.Tokens.Jwt | 6.21.0 | https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet | MIT |