StrongDM AI
This feature is currently in a closed-access tech preview. Functionality and documentation may change. Contact StrongDM for more information.
Overview
StrongDM AI is an AI-powered administrative assistant that helps StrongDM administrators understand, operate, and manage StrongDM more efficiently and safely.
It acts as a conversational co-admin that is built in to your work environment, that supports both read-only queries (for example, “Who has access to prod?”) and controlled actions (for example, “Grant access to Alice Glick for 2 hours”).
StrongDM AI is available across multiple work environments, including the following:
Microsoft Teams
Slack
StrongDM AI helps automate and assist with StrongDM admin workflows using your existing permissions and approvals. It can suggest and execute tasks only within StrongDM and requires explicit confirmation before making access or policy changes. StrongDM AI supports core StrongDM workflows, including but not limited to:
Entitlement discovery and auditing: Answer “who has access to what,” identify over-permissioning, and summarize access posture.
Access provisioning and revocation: Grant, change, or remove access in alignment with your configured roles, policies, and approvals.
Authorization policy authoring and editing: Draft or update policies and role definitions for review.
Approval workflow orchestration: Route requests to the right approvers, collect context, and track outcomes end-to-end.
Monitoring and troubleshooting: Help diagnose access issues, connectivity problems, and session failures using StrongDM visibility.
Emergency session termination: Identify and terminate active sessions when needed.
Log retrieval and audit explanation: Pull relevant logs and explain why access was granted/denied or how a change occurred.
Recurring task automation: Automate routine administrative work such as:
Scheduled access review reports (for example, weekly summary of entitlements by team/role)
Dormant or unused access reports (for example, monthly “unused permissions” digest) Expiring access / time-bound access reminders (for example, notify designated owners before access expires)
Approval activity summaries (for example, daily/weekly overview of pending/approved/denied requests)
Security notifications based on defined triggers (for example, notify Security On-Call when high-privilege access is requested or granted)
Every action will typically follow a Plan → Preview → Confirm → Execute → Receipt model, ensuring safe, auditable changes.
Capabilities
During the closed-access tech preview, StrongDM AI operates with the following constraints:
Administrator-only access: Only StrongDM administrators can interact with StrongDM AI. Being able to configure which users can interact with StrongDM AI is not yet supported.
StrongDM AI-attributed audit logs: Actions are recorded as performed by StrongDM AI. Individual user attribution is not yet available.
Token scoped permissions: StrongDM AI operates using the "StrongDM Agent Access" token. This token has full access to StrongDM. The scope of the token cannot be currently adjusted. Note that when generally available, scope adjustment for StrongDM AI will be available, along with auditing that includes the user who initiated the agent task.
Slack and Teams access model: StrongDM AI is accessed through Slack and Microsoft Teams only. Email will be supported when StrongDM AI is generally available later.
Teams DM limitation: Direct messages with StrongDM AI are not supported with Teams. Teams does not support threaded conversations in a 1:1 chat, which limits the StrongDM AI experience.
Limited @mention support: The ability to @mention user groups (for example, a group or team called productmanagers-team) is not supported.
Platform constraints may apply: Features and formatting may vary slightly across Slack and Teams.
Limitations
There is a limitation of 10 simultaneous tasks/requests per organization being processed. If, for example, in an organization, 20 requests are sent to StrongDM AI, then 10 will be processed in parallel and the others will be queued and picked up when one of the 10 completes.
Based on this limitation, you may experience some slowness with certain requests if StrongDM AI is in lot of use.
Requirements
To use StrongDM AI, the following requirements must be met.
Your organization must have StrongDM AI enabled. You can confirm that it's enabled by visiting the Admin UI > Settings > StrongDM AI page. If the page is available in Settings, then StrongDM AI is enabled.
You must have the StrongDM Administrator permission level. Standard users do not have access by default.
Configuration
At this time during tech preview, configuration involves setting up StrongDM AI in Slack or Teams directly, and then connecting Slack or Teams with your StrongDM organization in the StrongDM Admin UI's Settings > StrongDM AI page.
When StrongDM AI is generally available later, the app will be installed from Slack and the Microsoft Marketplace.
Choose the connection steps for either Slack or Teams.
Slack
Use Slack to interact with StrongDM AI from channels and threads.
Prerequisites
Slack workspace where you have admin privileges (to install apps)
StrongDM account with the Administrator permission level
2.1: Create the Slack app (from manifest)
Go to Slack API Apps.
Click Create New App > From an app manifest.
Select your workspace and click Next.
Switch to the JSON tab, paste the manifest (see the Slack App Manifest (JSON) section that follows these steps), and then click Next.
Review the summary (scopes, events, request URL) and then click Create.
This manifest pre-configures the following:
Bot display name: StrongDM AI
Event subscription:
app_mentionBot scopes:
app_mentions:readchannels:readchat:writechat:write.publicreactions:readreactions:writeusers:readusers:read.emailfiles:readfiles:write
Slack App Manifest (JSON)
Paste this JSON into the Slack “From an app manifest” flow.
2.2: Install the app and collect Slack credentials
In the Slack app settings, open Basic Information.
Under App Credentials, copy the Signing Secret.
In the left sidebar, open OAuth & Permissions.
Click Install to.
Copy the Bot User OAuth Token (starts with
xoxb-).
You should now have three credentials:
Slack Bot Token
OAuth & Permissions > Bot User OAuth Token (xoxb-...)
Signing Secret
Basic Information > App Credentials > Signing Secret
Slack Team ID
Slack web URL format: https://app.slack.com/client/T01234ABCDE/... > the T... string after /client/
2.3: Configure Slack integration in StrongDM
Log into the StrongDM Admin UI.
Go to Settings > StrongDM AI.
Under Slack Integration, enter the following.
For Slack Team ID, enter the 11-character alphanumeric identifier (string) for your Slack workspace. This typically starts with the letter "T" (for example,
T012ABCDEFG).For Slack Enterprise ID, if your organization has the Enterprise Grid, enter the alphanumeric identifier (string) that identifies your Enterprise Grid organization. This starts with the letter "E" (for example,
EXXXXXXX).For Signing Secret, enter the signing secret from step 2.2.
For Slack Bot Token, enter the Bot User OAuth Token from step 2.2. This typically starts with
xoxb-).
Under User Lookup Attribute, choose how StrongDM users get matched to their Slack accounts, via either Email or Identity Set.
When Email is selected, the StrongDM user email is matched against Slack email to look up users.
When Identity Set is selected, the specified StrongDM Identity Set is matched against Slack to look up users. Ensure that each user who should have access to StrongDM AI has an Identity Alias within that Identity Set. Note that all admins get access to StrongDM AI, so you must ensure that all admin users are set up with an Identity Alias.
The User Lookup Attribute selection is important if email is not a common identifier between Slack and StrongDM for the user. Identity Aliases are required when users have different email addresses in StrongDM and Slack. The Identity Alias maps Slack identities to StrongDM users.
Click Save.
2.4: Start using StrongDM AI in Slack
In any channel, @mention StrongDM AI with your request (for example,
@StrongDM AI how many users are there?). StrongDM AI will respond in a thread.Alternatively, open the "StrongDM AI" app and send your request (for example, AI how many users are there?" You don't need to use @mention.
Post a message in the channel to interact with StrongDM AI.
StrongDM AI responds in the same thread.
Please note the following:
Only users included in the configured Identity Alias set can use StrongDM AI.
Users must @mention StrongDM AI to get a response every time, even in a Slack thread.
How StrongDM AI Responds
StrongDM AI responds to initial requests with emojis.
is shown as soon as it hits the StrongDM server.- is removed if the response is quick.
is shown if the task is complex and will take some time to return a response.
or 
are shown when the task finishes.
Troubleshooting for Slack
If the bot appears in Slack, but doesn’t respond:
In Slack app settings > Event Subscriptions, confirm that the Request URL shows a green Verified checkmark.
Confirm that the Team ID, Bot Token, and Signing Secret in StrongDM match the Slack app values.
Confirm that the user’s Slack member ID is present in the Identity Alias set.
Confirm that the bot has been invited to the channel where the message was posted.
If the “User not registered” error displays:
The Identity Alias set does not include the user, or it contains an invalid Slack member ID for the sender.
If the bot doesn’t appear in the Apps sidebar:
The app may not be installed to the workspace:
Slack API Apps > your app > OAuth & Permissions > Install to (or Reinstall if permissions changed).
Microsoft Teams
Use Microsoft Teams to interact with StrongDM AI from team channels and group chats.
Prerequisites
Microsoft 365 account with access to Azure AD (Entra ID)
Admin consent privileges (or access to someone who has them) to grant Microsoft Graph API permissions
Custom app sideloading enabled in your Teams organization (
https://admin.teams.microsoft.com/policies/app-setup)StrongDM account with the Administrator permission level
2.1: Create the Teams Bot
Go to
https://dev.teams.microsoft.com/tools.Click on Bot Management.
Click + New Bot and name it (for example, "StrongDM AI").
Under the Configure tab, set the Bot endpoint address to
https://app.nextgen.strongdm.ai/webhooks/teams.Open the Client secrets tab.
Click Add a client secret, and then copy and securely save this value.
2.2: Get Credentials and Grant API Permissions
Creating the bot automatically creates an app registration in Azure AD (Entra ID).
Go to
https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.Find the registration matching your bot name.
From the Overview page, copy the following:
Application (client) ID: This is the App ID.
Directory (tenant) ID: This is the Tenant ID.
In the left sidebar, click API permissions.
Click Add a permission > Microsoft Graph > Application permissions.
Search for User.Read.All, check it, and then click Add permissions.
Click Grant admin consent for [your tenant] and confirm.
User.Read.All is required so the system can resolve Teams user IDs to email addresses for automatic user registration.
You should now have three credentials:
Application ID
Azure Portal > App Registration > Overview > Application (client) ID
Application Secret
Teams Developer Portal > Bot > Client secrets
Tenant ID
Azure Portal > App Registration > Overview > Directory (tenant) ID
2.3: Create the Teams App
Go to
https://dev.teams.microsoft.com/apps.Click + New app and name it "StrongDM AI."
Fill in all required metadata fields. Every field must be non-empty or the manifest upload will fail.
Developer name
StrongDM
Long description
StrongDM AI Assistant for infrastructure access management
Privacy policy
Short description
StrongDM AI Assistant
Terms of use
Website URL
Paste the Application ID from Step 2.2 into the Application (client) ID field.
Go to Configure > Application features > Bot.
Under Identify your bot, select your bot from the dropdown menu.
Enable the following scopes:
Personal
Team
Group Chat
Click Save.
Go to Publish > Download app package. This downloads a .zip file.
2.4: Install the App in Teams
To install the app in Teams, follow these steps:
Open Microsoft Teams.
Click Apps in the left sidebar.
Click Manage your apps > Upload a custom app.
Select the downloaded .zip file.
Click Add.
2.5: Configure Teams Integration in StrongDM
Log into the StrongDM Admin UI.
Go to Settings > StrongDM AI.
Under Microsoft Teams Integration, enter the following.
For Teams Tenant ID, enter the Directory (tenant) ID from step 2.2. This is the identifier (string) for your organization's Azure Active Directory (Entra ID) instance.
For Azure Application ID, enter the Application (client) ID from step 2.2. This is the Azure Application ID associated with the StrongDM AI Teams application.
For Azure Application Secret, enter the secret from step 2.2. This is the Azure Application Secret associated with the StrongDM AI Teams application.
Under User Lookup Attribute, choose how StrongDM users get matched to Teams, via either Email or Identity Set.
When Email is selected, the StrongDM user email is matched against the Teams email to look up users.
When Identity Set is selected, the specified StrongDM Identity Set is matched against Teams to look up users. Identity Sets and Identity Aliases are required when users have different email addresses in StrongDM and Entra. The Identity Alias maps Entra identities to StrongDM users. Note that all admins get access to StrongDM AI, so you must ensure that all admin users are set up with an Identity Alias.
Select an Identity Set from the dropdown, or create a new one.
Ensure that each user who should have access to StrongDM AI has an Identity Alias within that Identity Set. The user’s Identity Alias should be set to be their Microsoft email address (the same email associated with their Entra account).
The User Lookup Attribute selection is important if email is not a common identifier between Slack and StrongDM for the user. Identity Aliases are required when users have different email addresses in StrongDM and Slack. The Identity Alias maps Slack identities to StrongDM users.
Click Save.
2.6: Start Using StrongDM AI in Teams
In any channel, @mention StrongDM AI with your request (for example,
@StrongDM AI how many users are there?).StrongDM AI responds in a thread.
Note that Microsoft Teams 1:1 direct messages are not supported during the tech preview.
Troubleshooting for Teams
If “Upload a custom app” is not visible:
Your Teams administrator must enable sideloading at
https://admin.teams.microsoft.com/policies/app-setup.Confirm that Upload custom apps is enabled.
If “Manifest parsing has failed” displays:
One or more required metadata fields were left empty.
Return to the Developer Portal, complete all required fields under Basic Information, re-download the app package, and re-upload.
If the bot appears in Teams but messages receive no response:
Verify that the Bot endpoint address at
https://dev.teams.microsoft.com/botsmatches your instance URL exactly (the path must be/webhooks/teams).Verify that Tenant ID, App ID, and App Secret in the StrongDM Admin UI match Azure Portal and Developer Portal values.
Verify that the user’s Microsoft email is present in the configured Identity Set.
If “User not registered” error is shown:
The user’s Microsoft email is either not included in the Identity Set, or it does not match their Azure AD (Entra) email.
Correct the email in the StrongDM Admin UI under the Identity Set.
If the bot stops responding after initial messages:
The bot framework may stop delivering messages if repeated errors occur.
Verify the communications service is healthy.
Confirm that the endpoint URL has not changed.
The user may need to remove and re-add the app in Teams.
Last updated
Was this helpful?