Teams Integration User Guide

Last modified on November 12, 2024

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

StrongDM’s integration with Teams, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Teams. In addition, the integration can be added to channels, surfacing requests within a group of potential approvers.

This guide describes how to use the integration to request or approve access. To learn about configuration of the integration in your Teams workspace, see Set up and Configure the Integration With Teams.

Command Reference

The table below contains a reference of the available commands in the integration with Teams. Before using these commands, you should install the integration if you have not already done so.

Command	Description
`access all`	Display entire resource catalog
`access approval requests`	Display list of requests available for the user to approve
`access catalog`	Display resource catalog available to user
`access my requests`	Display list of user’s own requests
`access to`	Directly request access in the format `/sdm access to <RESOURCE> for <DURATION> because <REASON>`
`authorize`	Present user with options to authorize their Teams user to be connected to their StrongDM user
`deauthorize`	Deauthorize and disconnect Teams user from StrongDM user
`help`	Present command help text to user

These commands may be entered in direct chat with the StrongDM bot that is installed by the integration. They can also be used in a standard channel where it is present by directing a message to it, such as @StrongDM access my requests. Sending one of these commands to the integration should provoke a response that presents you with a button to click to perform the requested action. In this example, a button would be presented in the bot’s response for you to click to access the list of your requests.

Microsoft Teams bot applications are not supported in private channels and shared channels, so the integration is not available in those channels.

Install the Integration

If the integration with Teams has has been installed for users in your organization already, you can skip the installation instructions. If not, you should be able to install it for yourself. Go to the Marketplace and search for “StrongDM” to locate the integration, and follow the prompts to install it to the chats you’d like to use it in.

Authorize the Integration

An admin for your organization must authorize the integration first in order for anyone else in the organization to authorize with it. If this has been done, each user must authorize the integration with Teams using their StrongDM user account to gain the ability to use Teams for resource access requests. To authorize the integration, in Teams, open the chat with the StrongDM bot and use the authorize command to begin. The integration responds to you indicating that it needs authorization.

If you have not yet authorized the connection between your StrongDM user and your Teams user account, entering any commands results in the same response requiring you to authorize the integration.

Click the Authorize button. You are then guided through a process to ensure that your StrongDM user is logged in and connected to your Teams user account in your current workspace. When the process is complete, the integration indicates a successful authorization and gives you options for how to get started using it.

The response contains the following buttons:

Approval Requests: Shows a list of requests that are awaiting approval by you or another eligible approver; the same result as the access approval requests command
Catalog: Displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request; the same result as the access catalog command
My Requests: Shows a list of the requests that you have submitted; the same result as the access my requests command
Usage: Lets you view usage instructions at any time; the same result as the help command

Resource Catalog

Click the Catalog button (or run the command access catalog) to search the resource catalog.

You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:

Any: Returns the entire catalog list
Available: Only returns resources that you do not currently have access to but that are available for you to request
Granted by Role: Returns resources that you have standing access to through roles
Granted Temporarily: Returns resources that you have been directly granted temporary access to (not through requests)
Pending: Returns only resources for which you currently have pending requests

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

Property	Description
Availability	Whether the resource is available to request, or already granted by a role
Credentials	Whether the resource uses leased credentials or secret stores
ID	ID of the resource
Name	Name of the resource
Tags	Resource tag keys and values
Type	Resource type

Make a request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Teams form and make the request. The form asks for the duration for your request, an optional start date/time if you wish the duration to begin in the future, and the reason for your request (required).

If your request is to a resource that is part of a workflow with automatic approvals, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the eligible approvers are individually notified of your request.

When an access request is created in a group chat or channel, the approval notification is sent to both that group chat or channel and to the approver’s personal chat. This allows approvers in the group chat or channel to take action on the access request directly.

You may also make a request directly with a command from anywhere in Teams using the following syntax (optional arguments in brackets):

access to <RESOURCE> [for <DURATION>] [because <REASON>]

For example:

access to rs-3454897454b8ed24 for 3h because testing reasons

The value of <RESOURCE> can be either your resource’s exact name, or its resource ID, and should be in quotation marks. The ID can be found in the catalog (access catalog) in the entry for the desired resource. You can also add multiple resources here, each encapsulated by quotation marks, separated by commas. For example, to request access to both the “rs-3454897454b8ed24” resource and the “AWS EC2 3010” resource in the same request:
```
access to "rs-3454897454b8ed24", "AWS EC2 3010" for 3h because testing reasons
```
The value of <DURATION> is the number of days (d), hours (h), or minutes (m) (for example, 15d or 3h or 10m). This argument is optional as an argument in the command, but all requests require a duration.
The value of <REASON> should be a sufficient reason that an approver (or later auditor) is be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

If the access to command is used but the optional duration and reason arguments are not provided, the Teams modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.

View and Respond to Requests

Click the Approval Requests button (or run the command access approval requests) to display a list of current requests that you are eligible to approve.

Each request listed contains the following properties:

Property	Description
Duration	Length of time for which access was requested
Reason	Reason stated for the request
Requester	Name of the requester
Start	Date and time the access is to begin
Submitted	Date and time the request was submitted

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Teams notification (in addition to the email that you get from the system if enabled for your organization) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, clicking that button immediately revokes the access.

Approving or denying a request from the Approval Requests menu provides the option to give a reason for your decision, if so desired. Clicking an approve or deny button in an announcement message presented by the bot does not provide that option.

Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.

Teams Integration User Guide

Command Reference #

Install the Integration #

Authorize the Integration #

Resource Catalog #

Make a request #

View and Respond to Requests #