Teams Integration User Guide
Last modified on November 15, 2024
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
StrongDM’s integration with Teams, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Teams. In addition, the integration can be added to channels, surfacing requests within a group of potential approvers.
This guide describes how to use the integration to request or approve access. To learn about configuration of the integration in your Teams workspace, see Set up and Configure the Integration With Teams.
Command Reference
The table below contains a reference of the available commands in the integration with Teams. Before using these commands, you should install the integration if you have not already done so.
Command | Description |
---|---|
access all | Display entire resource catalog |
access approval requests | Display list of requests available for the user to approve |
access catalog | Display resource catalog available to user |
access my requests | Display list of user’s own requests |
access to | Directly request access in the format /sdm access to <RESOURCE> for <DURATION> because <REASON> |
authorize | Present user with options to authorize their Teams user to be connected to their StrongDM user |
deauthorize | Deauthorize and disconnect Teams user from StrongDM user |
help | Present command help text to user |
These commands may be entered in direct chat with the StrongDM bot that is installed by the integration. They can also be used in a standard channel where it is present by directing a message to it, such as @StrongDM access my requests. Sending one of these commands to the integration should provoke a response that presents you with a button to click to perform the requested action. In this example, a button would be presented in the bot’s response for you to click to access the list of your requests.
Install the Integration
If the integration with Teams has already been installed for users in your organization, you can skip the installation instructions. If not, you should be able to install it for yourself. Go to the Marketplace and search for “StrongDM” to locate the integration, and follow the prompts to install it to the chats you’d like to use it in.
Authorize the Integration
An admin for your organization must authorize the integration first in order for anyone else in the organization to authorize with it. If this has been done, each user must authorize the integration with Teams using their StrongDM user account to gain the ability to use Teams for resource access requests. To authorize the integration, in Teams, open the chat with the StrongDM bot and use the authorize command to begin. The integration responds to you indicating that it needs authorization.
Click the Authorize button. You are then guided through a process to ensure that your StrongDM user is logged in and connected to your Teams user account in your current workspace. When the process is complete, the integration indicates a successful authorization and gives you options for how to get started using it.
The response contains the following buttons:
- Approval Requests: Shows a list of requests that are awaiting approval by you or another eligible approver; the same result as the access approval requests command
- Catalog: Displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request; the same result as the access catalog command
- My Requests: Shows a list of the requests that you have submitted; the same result as the access my requests command
- Usage: Lets you view usage instructions at any time; the same result as the help command
Resource Catalog
Click the Catalog button (or run the command access catalog) to search the resource catalog.
You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:
- Any: Returns the entire catalog list
- Available: Only returns resources that you do not currently have access to but that are available for you to request
- Granted by Role: Returns resources that you have standing access to through roles
- Granted Temporarily: Returns resources that you have been directly granted temporary access to (not through requests)
- Pending: Returns only resources for which you currently have pending requests
Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.
Each item in the response includes the following properties, where relevant:
Property | Description |
---|---|
Availability | Whether the resource is available to request, or already granted by a role |
Credentials | Whether the resource uses leased credentials or secret stores |
ID | ID of the resource |
Name | Name of the resource |
Tags | Resource tag keys and values |
Type | Resource type |
Make a request
Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Teams form and make the request. The form asks for the duration for your request, an optional start date/time if you wish the duration to begin in the future, and the reason for your request (required).
If your request is to a resource that is part of a workflow with automatic approvals, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the eligible approvers are individually notified of your request.
You may also make a request directly with a command from anywhere in Teams using the following syntax (optional arguments in brackets):
access to <RESOURCE> [for <DURATION>] [because <REASON>]
For example:
access to rs-3454897454b8ed24 for 3h because testing reasons
- The value of <RESOURCE> can be either your resource’s exact name, or its resource ID, and should be in quotation marks. The ID can be found in the catalog (access catalog) in the entry for the desired resource. You can also add multiple resources here, each encapsulated by quotation marks, separated by commas. For example, to request access to both the “rs-3454897454b8ed24” resource and the “AWS EC2 3010” resource in the same request: access to "rs-3454897454b8ed24", "AWS EC2 3010" for 3h because testing reasons
- The value of <DURATION> is the number of days (d), hours (h), or minutes (m) (for example, 15d or 3h or 10m). This argument is optional as an argument in the command, but all requests require a duration.
- The value of <REASON> should be a sufficient reason that an approver (or later auditor) is able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.
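The syntax above can be checked before a command is sent, or when request text is reviewed during an audit. The following Python parser is an added example, not StrongDM's own code: its regular expression is an assumption built only from the syntax and examples on this page, and the bot's actual parsing may differ. It reports which of the two required fields (duration, reason) the command left out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Units described on this page: days (d), hours (h), minutes (m).
UNIT_MINUTES = {"d": 24 * 60, "h": 60, "m": 1}

# access to <RESOURCE> [for <DURATION>] [because <REASON>]
# <RESOURCE> is one or more "quoted" names separated by commas, or a single
# bare token (the page's first example uses a bare resource ID).
COMMAND = re.compile(
    r'^(?:@StrongDM\s+)?access to\s+'
    r'(?P<res>"[^"]+"(?:\s*,\s*"[^"]+")*|[^\s",]+)'
    r'(?:\s+for\s+(?P<num>\d+)(?P<unit>[dhm]))?'
    r'(?:\s+because\s+(?P<reason>\S.*))?$'
)

@dataclass
class AccessRequest:
    resources: List[str]
    minutes: Optional[int]   # None when "for <DURATION>" was omitted
    reason: Optional[str]    # None when "because <REASON>" was omitted
    missing: List[str]       # required fields still to be supplied

def parse_access_to(text: str) -> AccessRequest:
    """Parse one 'access to' command; raise ValueError if it is malformed."""
    m = COMMAND.match(text.strip())
    if m is None:
        raise ValueError("not a well-formed 'access to' command: %r" % text)
    res = m.group("res")
    # Quoted form may carry several names; bare form is exactly one token.
    resources = re.findall(r'"([^"]+)"', res) if res.startswith('"') else [res]
    minutes = None
    if m.group("num") is not None:
        minutes = int(m.group("num")) * UNIT_MINUTES[m.group("unit")]
    reason = m.group("reason")
    missing = [name for name, value in (("duration", minutes), ("reason", reason))
               if value is None]
    return AccessRequest(resources, minutes, reason, missing)

if __name__ == "__main__":
    # Commands taken from this page, plus one constructed unquoted variant.
    for cmd in ('access to rs-3454897454b8ed24 for 3h because testing reasons',
                'access to "rs-3454897454b8ed24", "AWS EC2 3010" for 3h because testing reasons',
                'access to AWS EC2 3010 for 3h because testing reasons'):
        try:
            print(parse_access_to(cmd))
        except ValueError as err:
            print("rejected:", err)
```

The last sample is rejected because an unquoted multi-word name cannot be separated reliably from the for and because keywords, which is why the resource value should be quoted.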
If the access to command is used but the optional duration and reason arguments are not provided, the Teams modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.
View and Respond to Requests
Click the Approval Requests button (or run the command access approval requests) to display a list of current requests that you are eligible to approve.
Each request listed contains the following properties:
Property | Description |
---|---|
Duration | Length of time for which access was requested |
Reason | Reason stated for the request |
Requester | Name of the requester |
Start | Date and time the access is to begin |
Submitted | Date and time the request was submitted |
If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Teams notification (in addition to the email that you get from the system if enabled for your organization) that allows you to immediately click to approve or deny the request without opening the list.
If the Revoke button appears next to any of the previously approved requests, clicking that button immediately revokes the access.
Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.