# StrongDM AI

{% hint style="warning" %}
This feature is currently in a closed-access tech preview. Functionality and documentation may change. Contact StrongDM for more information.
{% endhint %}

## Overview

StrongDM AI is an AI-powered administrative assistant that helps StrongDM administrators understand, operate, and manage StrongDM more efficiently and safely.

It acts as a conversational co-admin built into your work environment that supports both read-only queries (for example, “Who has access to prod?”) and controlled actions (for example, “Grant access to Alice Glick for 2 hours”).

StrongDM AI is available across multiple work environments, including the following:

* Microsoft Teams
* Slack

StrongDM AI helps automate and assist with StrongDM admin workflows using your existing permissions and approvals. It can suggest and execute tasks only within StrongDM and requires explicit confirmation before making access or policy changes.

StrongDM AI supports core StrongDM workflows, including but not limited to:

* Entitlement discovery and auditing: Answer “who has access to what,” identify over-permissioning, and summarize access posture.
* Access provisioning and revocation: Grant, change, or remove access in alignment with your configured roles, policies, and approvals.
* Authorization policy authoring and editing: Draft or update policies and role definitions for review.
* Approval workflow orchestration: Route requests to the right approvers, collect context, and track outcomes end-to-end.
* Monitoring and troubleshooting: Help diagnose access issues, connectivity problems, and session failures using StrongDM visibility.
* Emergency session termination: Identify and terminate active sessions when needed.
* Log retrieval and audit explanation: Pull relevant logs and explain why access was granted/denied or how a change occurred.
* Recurring task automation: Automate routine administrative work such as:
  * Scheduled access review reports (for example, weekly summary of entitlements by team/role)
  * Dormant or unused access reports (for example, monthly “unused permissions” digest)
  * Expiring access / time-bound access reminders (for example, notify designated owners before access expires)
  * Approval activity summaries (for example, daily/weekly overview of pending/approved/denied requests)
  * Security notifications based on defined triggers (for example, notify *Security On-Call* when high-privilege access is requested or granted)

Every action typically follows a Plan → Preview → Confirm → Execute → Receipt model, ensuring safe, auditable changes.

## Capabilities

During the closed-access tech preview, StrongDM AI operates with the following constraints:

* Administrator-only access: Only StrongDM administrators can interact with StrongDM AI. Being able to configure which users can interact with StrongDM AI is not yet supported.
* StrongDM AI-attributed audit logs: Actions are recorded as performed by StrongDM AI. Individual user attribution is not yet available.
* Token-scoped permissions: StrongDM AI operates using the "StrongDM Agent Access" token. This token has full access to StrongDM, and its scope cannot currently be adjusted. When StrongDM AI is generally available, scope adjustment will be available, along with auditing that includes the user who initiated the agent task.
* Slack and Teams access model: StrongDM AI is accessed through Slack and Microsoft Teams only. Email will be supported when StrongDM AI is generally available later.
* Teams DM limitation: Direct messages with StrongDM AI are not supported with Teams. Teams does not support threaded conversations in a 1:1 chat, which limits the StrongDM AI experience.
* Limited @mention support: The ability to @mention user groups (for example, a group or team called productmanagers-team) is not supported.
* Platform constraints may apply: Features and formatting may vary slightly across Slack and Teams.

## Limitations

At most 10 tasks/requests per organization are processed simultaneously. If, for example, an organization sends 20 requests to StrongDM AI, 10 are processed in parallel and the others are queued and picked up as each of the 10 completes.

Because of this limit, you may experience some slowness with certain requests when StrongDM AI is in heavy use.

## Requirements

To use StrongDM AI, the following requirements must be met.

* Your organization must have StrongDM AI enabled. You can confirm that it's enabled by visiting the **Admin UI > Settings > StrongDM AI** page. If the page is available in **Settings**, then StrongDM AI is enabled.
* You must have the StrongDM Administrator permission level. Standard users do not have access by default.

## Configuration

At this time during tech preview, configuration involves setting up StrongDM AI in Slack or Teams directly, and then connecting Slack or Teams with your StrongDM organization in the StrongDM Admin UI's **Settings > StrongDM AI** page.

{% hint style="info" %}
When StrongDM AI is generally available later, the app will be installed from Slack and the Microsoft Marketplace.
{% endhint %}

Choose the connection steps for either Slack or Teams.

{% tabs %}
{% tab title="Slack" %}

### Slack

Use Slack to interact with StrongDM AI from channels and threads.

#### **Prerequisites**

* Slack workspace where you have admin privileges (to install apps)
* StrongDM account with the Administrator permission level

#### **2.1: Create the Slack app (from manifest)**

1. Go to [Slack API Apps](https://api.slack.com/apps).
2. Click **Create New App** > **From an app manifest**.
3. Select your workspace and click **Next**.
4. Switch to the **JSON** tab, paste the manifest (see the **Slack App Manifest (JSON)** section that follows these steps), and then click **Next**.
5. Review the summary (scopes, events, request URL) and then click **Create**.

This manifest pre-configures the following:

* **Bot display name:** StrongDM AI
* **Event subscriptions:** `app_mention` and `message.im`
* **Bot scopes:**
  * `im:history`
  * `app_mentions:read`
  * `channels:read`
  * `chat:write`
  * `chat:write.public`
  * `reactions:read`
  * `reactions:write`
  * `users:read`
  * `users:read.email`
  * `files:read`
  * `files:write`

**Slack App Manifest (JSON)**

Paste this JSON into the Slack “From an app manifest” flow.

```json
{
  "display_information": {
    "name": "StrongDM AI"
  },
  "features": {
    "app_home": {
      "home_tab_enabled": false,
      "messages_tab_enabled": true,
      "messages_tab_read_only_enabled": false
    },
    "bot_user": {
      "display_name": "StrongDM AI",
      "always_online": true
    }
  },
  "oauth_config": {
    "scopes": {
      "bot": [
        "im:history",
        "app_mentions:read",
        "channels:read",
        "chat:write",
        "chat:write.public",
        "files:read",
        "files:write",
        "reactions:read",
        "reactions:write",
        "users:read",
        "users:read.email"
      ]
    }
  },
  "settings": {
    "event_subscriptions": {
      "request_url": "https://app.nextgen.strongdm.ai/webhooks/slack",
      "bot_events": [
        "app_mention",
        "message.im"
      ]
    },
    "org_deploy_enabled": false,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  }
}
```

#### **2.2: Install the app and collect Slack credentials**

1. In the Slack app settings, open **Basic Information**.
   * Under **App Credentials**, copy the **Signing Secret**.
2. In the left sidebar, open **OAuth & Permissions**.
   * Click **Install to**.
   * Copy the **Bot User OAuth Token** (starts with `xoxb-`).

You should now have three credentials:

<table><thead><tr><th width="200.24993896484375">Credential</th><th>Where to get it</th></tr></thead><tbody><tr><td><strong>Slack Bot Token</strong></td><td>OAuth &#x26; Permissions > Bot User OAuth Token (<code>xoxb-...</code>)</td></tr><tr><td><strong>Signing Secret</strong></td><td>Basic Information > App Credentials > Signing Secret</td></tr><tr><td><strong>Slack Team ID</strong></td><td>Slack web URL format: <code>https://app.slack.com/client/T01234ABCDE/...</code> > the <code>T...</code> string after <code>/client/</code></td></tr></tbody></table>
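The Signing Secret collected above is what lets the webhook endpoint behind the manifest's Request URL (`/webhooks/slack`) check that an event delivery really came from Slack and is not a replay. As an added illustration written for this page (not StrongDM's code), here is Slack's request-signing scheme and the Request URL verification handshake as seen from the receiving side; the secret, timestamp, headers and event payload are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Slack signs each delivery with the app's Signing Secret:
#   X-Slack-Signature = "v0=" + hex(HMAC-SHA256(secret, "v0:<timestamp>:<raw body>"))
# The receiver recomputes that value and also rejects stale timestamps.
REPLAY_WINDOW_SECONDS = 60 * 5


def compute_slack_signature(signing_secret: str, timestamp: str, body: str) -> str:
    base = f"v0:{timestamp}:{body}".encode("utf-8")
    digest = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def verify_slack_request(signing_secret, headers, body, now=None):
    """Return (ok, reason). Checks the replay window before the HMAC."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_slack_signature(signing_secret, timestamp, body)
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


def handle_event(signing_secret, headers, body, now=None):
    """What a webhook endpoint answers; unsigned or stale deliveries are refused."""
    ok, reason = verify_slack_request(signing_secret, headers, body, now)
    if not ok:
        return {"status": 401, "body": reason}
    payload = json.loads(body)
    if payload.get("type") == "url_verification":
        # The "Verified" checkmark in Event Subscriptions: Slack posts a challenge
        # and expects it echoed back (after the signature check passes).
        return {"status": 200, "body": payload["challenge"]}
    if payload.get("type") == "event_callback":
        event = payload.get("event", {})
        return {"status": 200, "body": f"accepted {event.get('type')} from {event.get('user')}"}
    return {"status": 400, "body": "unsupported payload"}


# Constructed sample delivery (placeholder secret, team ID and user IDs).
SAMPLE_SECRET = "example-signing-secret-not-real"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = json.dumps({
    "type": "event_callback", "team_id": "T012ABCDEFG",
    "event": {"type": "app_mention", "user": "U0EXAMPLE1",
              "text": "<@U0BOTEXAMPLE> how many users are there?"},
})


def sample_headers(secret=SAMPLE_SECRET, ts=SAMPLE_TS, body=SAMPLE_BODY):
    return {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": compute_slack_signature(secret, ts, body)}


if __name__ == "__main__":
    print(handle_event(SAMPLE_SECRET, sample_headers(), SAMPLE_BODY, now=1700000010))
```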

#### **2.3: Configure Slack integration in StrongDM**

1. Log into the StrongDM Admin UI.
2. Go to **Settings > StrongDM AI**.
3. Under **Slack Integration**, enter the following.
   1. For **Slack Team ID**, enter the 11-character alphanumeric identifier (string) for your Slack workspace. This typically starts with the letter "T" (for example, `T012ABCDEFG`).
   2. For **Slack Enterprise ID**, if your organization uses Enterprise Grid, enter the alphanumeric identifier (string) for your Enterprise Grid organization. This starts with the letter "E" (for example, `EXXXXXXX`).
   3. For **Signing Secret**, enter the signing secret from step 2.2.
   4. For **Slack Bot Token**, enter the Bot User OAuth Token from step 2.2. This typically starts with `xoxb-`.
4. Under **User Lookup Attribute**, choose how StrongDM users get matched to their Slack accounts, via either **Email** or **Identity Set**.
   1. When **Email** is selected, the StrongDM user email is matched against Slack email to look up users.
   2. When **Identity Set** is selected, the specified StrongDM Identity Set is matched against Slack to look up users. Ensure that each user who should have access to StrongDM AI has an Identity Alias within that Identity Set. Note that all admins get access to StrongDM AI, so you must ensure that all admin users are set up with an Identity Alias.

{% hint style="info" %}
The **User Lookup Attribute** selection is important if email is not a common identifier between Slack and StrongDM for the user. Identity Aliases are required when users have different email addresses in StrongDM and Slack. The Identity Alias maps Slack identities to StrongDM users.
{% endhint %}

5. Click **Save**.

#### **2.4: Start using StrongDM AI in Slack**

1. In any channel, @mention StrongDM AI with your request (for example, `@StrongDM AI how many users are there?`). StrongDM AI responds in a thread.
2. Alternatively, open the **StrongDM AI** app and send your request directly (for example, `how many users are there?`). You don't need to @mention the app there.
3. Post a message in the channel to interact with StrongDM AI.
4. StrongDM AI responds in the same thread.

{% hint style="info" %}
Please note the following:

* Only users included in the configured Identity Alias set can use StrongDM AI.
* Users must @mention StrongDM AI to get a response every time, even in a Slack thread.
{% endhint %}

#### How StrongDM AI Responds

StrongDM AI responds to initial requests with emojis.

* ![:eyes:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/apple-medium/1f440@2x.png) is shown as soon as it hits the StrongDM server.
* ![:eyes:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/apple-medium/1f440@2x.png) is removed if the response is quick.
* ![:hourglass\_flowing\_sand:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/apple-medium/23f3@2x.png) is shown if the task is complex and will take some time to return a response.
* ![:white\_check\_mark:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/apple-medium/2705@2x.png) or ![:x:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/apple-medium/274c@2x.png) are shown when the task finishes.

#### Troubleshooting for Slack

**If the bot appears in Slack, but doesn’t respond:**

* In **Slack app settings** > **Event Subscriptions**, confirm that the Request URL shows a green **Verified** checkmark.
* Confirm that the **Team ID**, **Bot Token**, and **Signing Secret** in StrongDM match the Slack app values.
* Confirm that the user’s **Slack member ID** is present in the **Identity Alias set**.
* Confirm that the bot has been invited to the channel where the message was posted.

**If the “User not registered” error displays:**

* The Identity Alias set does not include the user, or it contains an invalid Slack member ID for the sender.

**If the bot doesn’t appear in the Apps sidebar:**

* The app may not be installed to the workspace:
  * **Slack API Apps** > your app > **OAuth & Permissions** > **Install to** (or **Reinstall** if permissions changed).
{% endtab %}

{% tab title="Teams" %}

### Microsoft Teams

Use Microsoft Teams to interact with StrongDM AI from team channels and group chats.

#### **Prerequisites**

* Microsoft 365 account with access to Azure AD (Entra ID)
* Admin consent privileges (or access to someone who has them) to grant Microsoft Graph API permissions
* Custom app sideloading enabled in your Teams organization (`https://admin.teams.microsoft.com/policies/app-setup`)
* StrongDM account with the Administrator permission level

#### 2.1: Create the Teams Bot

1. Go to `https://dev.teams.microsoft.com/tools`.
2. Click on **Bot Management**.
3. Click **+ New Bot** and name it (for example, "StrongDM AI").
4. Under the **Configure** tab, set the **Bot endpoint address** to `https://app.nextgen.strongdm.ai/webhooks/teams`.
5. Open the **Client secrets** tab.
6. Click **Add a client secret**, and then copy and securely save this value.

#### 2.2: Get Credentials and Grant API Permissions

Creating the bot automatically creates an app registration in Azure AD (Entra ID).

1. Go to `https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade`.
2. Find the registration matching your bot name.
3. From the **Overview** page, copy the following:
   * **Application (client) ID:** This is the **App ID**.
   * **Directory (tenant) ID:** This is the **Tenant ID**.
4. In the left sidebar, click **API permissions**.
5. Click **Add a permission** > **Microsoft Graph** > **Application permissions**.
6. Search for **User.Read.All**, check it, and then click **Add permissions**.
7. Click **Grant admin consent for \[your tenant]** and confirm.

{% hint style="info" %}
User.Read.All is required so the system can resolve Teams user IDs to email addresses for automatic user registration.
{% endhint %}

You should now have three credentials:

<table><thead><tr><th width="200.24993896484375">Credential</th><th>Where to get it</th></tr></thead><tbody><tr><td><strong>Application ID</strong></td><td>Azure Portal > App Registration > Overview > Application (client) ID</td></tr><tr><td><strong>Application Secret</strong></td><td>Teams Developer Portal > Bot > Client secrets</td></tr><tr><td><strong>Tenant ID</strong></td><td>Azure Portal > App Registration > Overview > Directory (tenant) ID</td></tr></tbody></table>

#### 2.3: Create the Teams App

1. Go to `https://dev.teams.microsoft.com/apps`.
2. Click **+ New app** and name it "StrongDM AI."

Fill in all required metadata fields. Every field must be non-empty or the manifest upload will fail.

<table><thead><tr><th width="199.6463623046875">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Developer name</strong></td><td>StrongDM</td></tr><tr><td><strong>Long description</strong></td><td>StrongDM AI Assistant for infrastructure access management</td></tr><tr><td><strong>Privacy policy</strong></td><td><a href="https://www.strongdm.com/privacy">https://www.strongdm.com/privacy</a></td></tr><tr><td><strong>Short description</strong></td><td>StrongDM AI Assistant</td></tr><tr><td><strong>Terms of use</strong></td><td><a href="https://www.strongdm.com/terms-of-use">https://www.strongdm.com/terms-of-use</a></td></tr><tr><td><strong>Website URL</strong></td><td><a href="https://www.strongdm.com/">https://www.strongdm.com</a></td></tr></tbody></table>

3. Paste the **Application ID** from Step 2.2 into the **Application (client) ID** field.
4. Go to **Configure > Application features > Bot**.
5. Under **Identify your bot**, select your bot from the dropdown menu.
6. Enable the following scopes:
   * Personal
   * Team
   * Group Chat
7. Click **Save**.
8. Go to **Publish > Download app package**. This downloads a .zip file.

#### 2.4: Install the App in Teams

To install the app in Teams, follow these steps:

1. Open Microsoft Teams.
2. Click **Apps** in the left sidebar.
3. Click **Manage your apps** > **Upload a custom app**.
4. Select the downloaded .zip file.
5. Click **Add**.

#### 2.5: Configure Teams Integration in StrongDM

1. Log into the **StrongDM Admin UI**.
2. Go to **Settings > StrongDM AI**.
3. Under **Microsoft Teams Integration**, enter the following.
   * For **Teams Tenant ID**, enter the Directory (tenant) ID from step 2.2. This is the identifier (string) for your organization's Azure Active Directory (Entra ID) instance.
   * For **Azure Application ID**, enter the Application (client) ID from step 2.2. This is the Azure Application ID associated with the StrongDM AI Teams application.
   * For **Azure Application Secret**, enter the secret from step 2.2. This is the Azure Application Secret associated with the StrongDM AI Teams application.
4. Under **User Lookup Attribute**, choose how StrongDM users get matched to Teams, via either **Email** or **Identity Set**.
   1. When **Email** is selected, the StrongDM user email is matched against the Teams email to look up users.
   2. When **Identity Set** is selected, the specified StrongDM Identity Set is matched against Teams to look up users. Identity Sets and Identity Aliases are required when users have different email addresses in StrongDM and Entra. The Identity Alias maps Entra identities to StrongDM users. Note that all admins get access to StrongDM AI, so you must ensure that all admin users are set up with an Identity Alias.
      1. Select an Identity Set from the dropdown, or create a new one.
      2. Ensure that each user who should have access to StrongDM AI has an Identity Alias within that Identity Set. The user’s Identity Alias should be set to their **Microsoft email address** (the same email associated with their Entra account).

{% hint style="info" %}
The **User Lookup Attribute** selection is important if email is not a common identifier between Teams and StrongDM for the user. Identity Aliases are required when users have different email addresses in StrongDM and Entra. The Identity Alias maps Entra identities to StrongDM users.
{% endhint %}

5. Click **Save**.
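To see why the **User Lookup Attribute** matters, and where the “User not registered” error in the Slack and Teams troubleshooting sections comes from, here is an added stand-alone model of both lookup modes (example code written for this page, not StrongDM's implementation). It assumes the user, Identity Set and Identity Alias structures shown, and follows the page's rule that a Slack alias holds the member ID while a Teams alias holds the Microsoft email; the directory data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class StrongDMUser:
    email: str
    is_admin: bool
    # Identity Aliases keyed by Identity Set name (assumed model of the page's
    # Identity Set / Identity Alias concepts; the real StrongDM schema may differ).
    aliases: dict = field(default_factory=dict)


@dataclass
class ChatSender:
    platform: str   # "slack" or "teams"
    member_id: str  # Slack member ID (U...) or the Teams user ID
    email: str      # email address the chat platform reports for the sender


class UserNotRegistered(Exception):
    """Raised where the page's 'User not registered' error would be shown."""


def resolve_user(sender, users, lookup_attribute, identity_set=None):
    """Map a chat sender to a StrongDM user via the configured User Lookup Attribute."""
    if lookup_attribute == "Email":
        key = sender.email.strip().lower()
        for u in users:
            if u.email.lower() == key:
                return u
        raise UserNotRegistered(f"no StrongDM user with email {sender.email}")
    if lookup_attribute == "Identity Set":
        if not identity_set:
            raise ValueError("Identity Set lookup needs an Identity Set name")
        # Slack aliases carry the member ID; Teams aliases carry the Microsoft email.
        key = sender.member_id if sender.platform == "slack" else sender.email
        for u in users:
            alias = u.aliases.get(identity_set)
            if alias is not None and alias.lower() == key.strip().lower():
                return u
        raise UserNotRegistered(f"no alias in Identity Set '{identity_set}' matches the sender")
    raise ValueError(f"unknown lookup attribute {lookup_attribute!r}")


def registration_status(sender, users, lookup_attribute, identity_set=None):
    """String form of the outcome, as the bot would report it."""
    try:
        return f"registered as {resolve_user(sender, users, lookup_attribute, identity_set).email}"
    except UserNotRegistered as e:
        return f"User not registered: {e}"


def admins_missing_alias(users, identity_set):
    """Admins who will hit 'User not registered' once Identity Set mode is selected."""
    return sorted(u.email for u in users if u.is_admin and identity_set not in u.aliases)


# Constructed sample directory: Alice is an admin whose Slack email differs from her
# StrongDM email, Bob is an admin with no alias yet, Carol has a Teams (Entra) alias.
IDENTITY_SET = "chat-identities"
USERS = [
    StrongDMUser("alice@corp.example", True, {IDENTITY_SET: "U0ALICE001"}),
    StrongDMUser("bob@corp.example", True),
    StrongDMUser("carol@corp.example", False, {IDENTITY_SET: "carol@contoso.example"}),
]

if __name__ == "__main__":
    alice = ChatSender("slack", "U0ALICE001", "alice.g@other.example")
    print(registration_status(alice, USERS, "Identity Set", IDENTITY_SET))
    print(registration_status(alice, USERS, "Email"))
    print(admins_missing_alias(USERS, IDENTITY_SET))
```

Running `admins_missing_alias` before switching to Identity Set mode is the check that avoids locking an admin out.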

#### 2.6: Start Using StrongDM AI in Teams

1. In any channel, @mention StrongDM AI with your request (for example, `@StrongDM AI how many users are there?`).
2. StrongDM AI responds in a thread.

{% hint style="info" %}
Note that Microsoft Teams 1:1 direct messages are not supported during the tech preview.
{% endhint %}

#### Troubleshooting for Teams

**If “Upload a custom app” is not visible:**

* Your Teams administrator must enable sideloading at `https://admin.teams.microsoft.com/policies/app-setup`.
* Confirm that **Upload custom apps** is enabled.

**If “Manifest parsing has failed” displays:**

* One or more required metadata fields were left empty.
* Return to the Developer Portal, complete all required fields under **Basic Information**, re-download the app package, and re-upload.

**If the bot appears in Teams but messages receive no response:**

* Verify that the **Bot endpoint address** at `https://dev.teams.microsoft.com/bots` matches your instance URL exactly (the path must be `/webhooks/teams`).
* Verify that **Tenant ID**, **App ID**, and **App Secret** in the StrongDM Admin UI match Azure Portal and Developer Portal values.
* Verify that the user’s Microsoft email is present in the configured Identity Set.

**If “User not registered” error is shown:**

* The user’s Microsoft email is either not included in the Identity Set, or it does not match their Azure AD (Entra) email.
* Correct the email in the StrongDM Admin UI under the Identity Set.

**If the bot stops responding after initial messages:**

The bot framework may stop delivering messages if repeated errors occur.

* Verify the communications service is healthy.
* Confirm that the endpoint URL has not changed.
* The user may need to remove and re-add the app in Teams.
{% endtab %}
{% endtabs %}


