With Message Center notification MC234048, Microsoft announced a change to the Microsoft Teams app “Incoming Webhook”. The URL currently used will be deprecated by mid-April 2021. The exact wording is:

“We will begin transitioning to the new webhook URLs on Monday January 11, 2021; however, existing webhooks URLs will continue to work for three (3) months to allow for migration time”

Source (as of 2021-01-26): https://admin.microsoft.com/Adminportal/Home?#/MessageCenter/:/messages/MC234048

If you created a webhook prior to January 11, 2021, you will need to update your existing connector configuration!

This app is in regular use by most companies, if not disabled by a Teams App permission policy in the tenant. The app is a very easy option to post a message to a team. The URI of a webhook is cryptic, and that URI is the only security in place. If you send a well-crafted HTTP message to the endpoint, you will create a Teams post in the channel the app is connected to. Here is the Microsoft documentation and a great community article.

Currently Microsoft is using a non-tenant specific URI (outlook.office.com). The new URI will be tenant related (YOURTENANT.webhook.office.com).

This change is communicated for Microsoft Teams, but Incoming Webhook is also a Microsoft 365 Group Connector feature, so those connectors might also be affected.

Check if the app is used

It is a good idea to check whether the app is active in your tenant. As a Teams administrator you can check the application in your admin center.

Even if you checked the app and the Teams App Permission policy, the app could still have been installed prior to this configuration. It is easy to check whether the application is installed in a Microsoft Team. To query for installed apps we need the preview version of the MicrosoftTeams module (as of writing 1.1.10-preview). Using the Teams PowerShell you can get a list of the teams the app is installed in.

Get the application ID and more details:

Get-TeamsApp | Where-Object { $_.DisplayName -eq "Incoming Webhook"}

Result:

ExternalId Id                                   DisplayName      DistributionMethod
---------- --                                   -----------      ------------------
           203a1e2c-26cc-47ca-83ae-be98f960b6b2 Incoming Webhook store

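With the application ID we can now query all teams and check if the app is installed:

# Return every team that has the Incoming Webhook app installed
Get-Team | ForEach-Object {
    $team = $_;
    # Filter the team's installed apps by the Incoming Webhook app ID
    $apps = Get-TeamsAppInstallation -TeamId $team.GroupId | Where-Object { $_.TeamsAppId -eq "203a1e2c-26cc-47ca-83ae-be98f960b6b2"};
    # $null goes on the left so a collection is not filtered by the comparison
    if ($null -ne $apps){
        $team;
    }
}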

Result for my two teams with the app installed:

GroupId                              DisplayName        Visibility  Archived  MailNickName       Description
-------                              -----------        ----------  --------  ------------       -----------
a6687ed4-c1a6-4c7b-9171-2d625a60b76e GK Malachor MSDN   Public      False     GKMalachorMSDN     Check here for or…
75366f42-6fc6-4857-90d1-3283236789b6 20200906 Demo Acc… Private     False     20200906DemoAcces… 20200906 Demo Acc…

Based on this information we can now contact the owners/members of a team and ask them to check whether they use the app and need to update the URI. Currently I am not aware of a method to get the specific channel the webhook is attached to. The user needs to check all the channels to find the connectors.

How to fix the problem

The user needs to navigate to the team and check the connectors of all channels.

Open the “x configured” (1) if available and click on the “Manage” (2) button for the specific implementation:

This will show you the current configuration of the webhook:

You need to click on “Update URL” and you will receive a new URI with the tenant specific part. The connector page did not refresh automatically. I quit the page and reopened the dialog. Now the page is not complaining about a required update and I could copy the new webhook URI:

Now you just need to remember and find the app you integrated the webhook in :)

NOTE: I was not able to update the incoming webhook if the account that created the webhook is not the account updating the webhook. You can see the account that did the setup in the connector list and you will notice the “Save” button is disabled. In this case an easy option is to delete the webhook and recreate it with the same name.

Summary

Check your tenant (admin) or teams (power users) for the configuration of incoming webhooks. Remember that as soon as you update the URL, the webhook for this will stop working and will not accept messages. Updating the URL solves only 50% of the problem. You also need to update your Power Automate flows, Azure Functions, Azure Automation Runbooks or the PowerShell scripts in the Task Scheduler of your on-prem servers.
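To help find the callers that still need the new URI, here is an added example (not part of the original post) that scans a folder of scripts and configuration files for the non-tenant host outlook.office.com. The function name, the file extensions, the `/webhook/` path segment and the sample file are assumptions; the output redacts the URI because the URI is the only credential.

```powershell
# Added example: locate files that still reference the legacy, non-tenant webhook host.
# Assumptions: function name, extension list and the '/webhook/' path segment.
function Find-LegacyTeamsWebhook {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.ps1', '*.psm1', '*.json', '*.config', '*.yml', '*.yaml')
    )

    # Legacy form uses outlook.office.com; migrated URIs use <tenant>.webhook.office.com.
    $legacy = 'https://outlook\.office\.com/webhook/[^\s"''<>]+'

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $legacy -AllMatches |
        ForEach-Object {
            $hit = $_
            foreach ($m in $hit.Matches) {
                $uri = [uri]$m.Value
                # Never echo the full URI: anyone who reads it can post to the channel.
                [pscustomobject]@{
                    File     = $hit.Path
                    Line     = $hit.LineNumber
                    Redacted = '{0}://{1}/webhook/<redacted>' -f $uri.Scheme, $uri.Host
                }
            }
        }
}

# Constructed sample: a temp folder with one script holding made-up URIs.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("webhook-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'notify.ps1') -Value @(
    '$old = "https://outlook.office.com/webhook/00000000-constructed/IncomingWebhook/example"'
    '$new = "https://YOURTENANT.webhook.office.com/placeholder"'
)

# Only line 1 of notify.ps1 is reported; the tenant-specific URI on line 2 is ignored.
Find-LegacyTeamsWebhook -Path $demo | Format-List

Remove-Item -Path $demo -Recurse -Force
```

Point `-Path` at the script and configuration roots of your automation hosts; cloud-hosted callers such as Power Automate flows still have to be checked in their own portals.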

Bonus

Get the owners of the groups so you can send them an email:

# List team name and owner address for every team using Incoming Webhook
Get-Team | ForEach-Object {
    $team = $_;
    $apps = Get-TeamsAppInstallation -TeamId $team.GroupId | Where-Object { $_.TeamsAppId -eq "203a1e2c-26cc-47ca-83ae-be98f960b6b2"};
    # $null goes on the left so a collection is not filtered by the comparison
    if ($null -ne $apps){
        Get-TeamUser -GroupId $team.GroupId -Role Owner | ForEach-Object {
            $owner = $_;
            # One output object per owner
            $fields = @{
                Team = $team.DisplayName
                OwnerEmail = $owner.User
            }
            New-Object -TypeName PSObject -Property $fields;
        }
    }
}
