When granting Box permissions to integrate with an enterprise’s Microsoft Teams, which is the legitimate Enterprise Application that consent must be granted to?
I am a Microsoft 365 tenant admin, so I review and grant consent when users try to connect external services (such as Box) to our tenant. Currently, Box is connected to our tenant solely for SSO authentication only. Box is not centrally deployed within Teams.
When users find and add the “Box” app within their Microsoft Teams clients, the app attempts to request Entra ID permissions using the following extremely suspicious Entra ID Enterprise Application:
Name: MSFT Entra ID for Teams V2
Verification Status: Unverified
Application ID: bb7e7d80-71c6-408b-9770-f709a59b176e
Permissions Scope: profile, offline_access
That info is impossible to verify the app’s legitimacy. Additionally, that application differs from the Enterprise Application (ID: 6b371dbf-6b35-40a0-bf75-615b61c8bdb8) which is referred to in this official Box documentation. To add more confusion, this other documentation implies that the “Box” Teams app that users can find and install on their own is for “Personal” use...erm, so not Enterprise use???
Which "Box for Microsoft Teams" Entra Enterprise Application is the real one???
👋 Hi
With regards to the Application ID: bb7e7d80-71c6-408b-9770-f709a59b176e, this is a legitimate ID and just a one-time requirement. It will not impact your overall experience with the integration. As announced here: Box for Microsoft Teams Enhancement, this change is to support the new Admin Delegated Authorization feature for the Box for Microsoft Teams integration.
For the latter, that is the client ID when granting Box permissions to your Microsoft Tenant as documented here: Deploying Box for Microsoft Teams in your Enterprise.
Please let us know if you have any other questions or concerns. 😊
Thank you for the reply and clarification, Jey.
Application ID: bb7e7d80-71c6-408b-9770-f709a59b176e being a legitimate Enterprise Application puts my mind at ease a bit.
I highly recommend that Box update that blog post so that both the Application name as well as the ID number are included in the article text. Currently, the SEO value of that information is non-existent, so before posting my question, I was unable to find any information on this Enterprise Application despite 20 minutes of Googling.
Also, I'm disappointed to see that Box is not using a signed Enterprise Application or even one with a more trustworthy app name. I suspect that there are technical reasons for this situation, however, the fact of the matter is that in the absence of any official documentation, the app signature/verification is the only thing that prevents someone from accidentally approving a malicious app. In today's age of OAuth impersonation attacks, organizations cannot operate on a "LOL, trust me, bro." security model.
Dear
Thank you for bringing this to our attention. The message you're seeing is from Microsoft, and regarding the unverified status of the app, it typically appears when integrating third-party or external services that are not Microsoft-owned. I also believe this has always been the case for our app and should not cause any issues.
I completely understand your concerns regarding security, and I want to assure you that we take this feedback seriously. I’ll also make sure to raise the information about the client ID in relation to the Admin Delegated Authorization feature.
We truly value customer input and always appreciate hearing your ideas. I would recommend sharing your feedback on Box Pulse, too, as our Product Team is continuously evaluating customer needs and your insights would certainly contribute to shaping the future of Box.
If you have any other concerns or inquiries, please don't hesitate to let us know. We're here to help! 😊
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.