Teams Integration User Guide

Last modified on November 12, 2024

StrongDM’s integration with Teams, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Teams. In addition, the integration can be added to channels, surfacing requests within a group of potential approvers.

This guide describes how to use the integration to request or approve access. To learn about configuration of the integration in your Teams workspace, see Set up and Configure the Integration With Teams.

Command Reference

The table below contains a reference of the available commands in the integration with Teams. Before using these commands, you should install the integration if you have not already done so.

CommandDescription
access allDisplay entire resource catalog
access approval requestsDisplay list of requests available for the user to approve
access catalogDisplay resource catalog available to user
access my requestsDisplay list of user’s own requests
access toDirectly request access in the format /sdm access to <RESOURCE> for <DURATION> because <REASON>
authorizePresent user with options to authorize their Teams user to be connected to their StrongDM user
deauthorizeDeauthorize and disconnect Teams user from StrongDM user
helpPresent command help text to user

These commands may be entered in direct chat with the StrongDM bot that is installed by the integration. They can also be used in a standard channel where it is present by directing a message to it, such as @StrongDM access my requests. Sending one of these commands to the integration should provoke a response that presents you with a button to click to perform the requested action. In this example, a button would be presented in the bot’s response for you to click to access the list of your requests.

Install the Integration

If the integration with Teams has has been installed for users in your organization already, you can skip the installation instructions. If not, you should be able to install it for yourself. Go to the Marketplace and search for “StrongDM” to locate the integration, and follow the prompts to install it to the chats you’d like to use it in.

Authorize the Integration

An admin for your organization must authorize the integration first in order for anyone else in the organization to authorize with it. If this has been done, each user must authorize the integration with Teams using their StrongDM user account to gain the ability to use Teams for resource access requests. To authorize the integration, in Teams, open the chat with the StrongDM bot and use the authorize command to begin. The integration responds to you indicating that it needs authorization.

Click the Authorize button. You are then guided through a process to ensure that your StrongDM user is logged in and connected to your Teams user account in your current workspace. When the process is complete, the integration indicates a successful authorization and gives you options for how to get started using it.

The response contains the following buttons:

  • Approval Requests: Shows a list of requests that are awaiting approval by you or another eligible approver; the same result as the access approval requests command
  • Catalog: Displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request; the same result as the access catalog command
  • My Requests: Shows a list of the requests that you have submitted; the same result as the access my requests command
  • Usage: Lets you view usage instructions at any time; the same result as the help command

Resource Catalog

Click the Catalog button (or run the command access catalog) to search the resource catalog.

You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:

  • Any: Returns the entire catalog list
  • Available: Only returns resources that you do not currently have access to but that are available for you to request
  • Granted by Role: Returns resources that you have standing access to through roles
  • Granted Temporarily: Returns resources that you have been directly granted temporary access to (not through requests)
  • Pending: Returns only resources for which you currently have pending requests

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

PropertyDescription
AvailabilityWhether the resource is available to request, or already granted by a role
CredentialsWhether the resource uses leased credentials or secret stores
IDID of the resource
NameName of the resource
TagsResource tag keys and values
TypeResource type

Make a request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Teams form and make the request. The form asks for the duration for your request, an optional start date/time if you wish the duration to begin in the future, and the reason for your request (required).

If your request is to a resource that is part of a workflow with automatic approvals, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the eligible approvers are individually notified of your request.

You may also make a request directly with a command from anywhere in Teams using the following syntax (optional arguments in brackets):

access to <RESOURCE> [for <DURATION>] [because <REASON>]

For example:

access to rs-3454897454b8ed24 for 3h because testing reasons

  • The value of <RESOURCE> can be either your resource’s exact name, or its resource ID, and should be in quotation marks. The ID can be found in the catalog (access catalog) in the entry for the desired resource. You can also add multiple resources here, each encapsulated by quotation marks, separated by commas. For example, to request access to both the “rs-3454897454b8ed24” resource and the “AWS EC2 3010” resource in the same request:
    access to "rs-3454897454b8ed24", "AWS EC2 3010" for 3h because testing reasons
    
  • The value of <DURATION> is the number of days (d), hours (h), or minutes (m) (for example, 15d or 3h or 10m). This argument is optional as an argument in the command, but all requests require a duration.
  • The value of <REASON> should be a sufficient reason that an approver (or later auditor) is be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

View and Respond to Requests

Click the Approval Requests button (or run the command access approval requests) to display a list of current requests that you are eligible to approve.

Each request listed contains the following properties:

PropertyDescription
DurationLength of time for which access was requested
ReasonReason stated for the request
RequesterName of the requester
StartDate and time the access is to begin
SubmittedDate and time the request was submitted

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Teams notification (in addition to the email that you get from the system if enabled for your organization) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, clicking that button immediately revokes the access.


Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.

Top