Request Access Using Teams

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

StrongDM's integration with Teams, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you're eligible), all within Teams. In addition, the integration can be added to channels, surfacing requests within a group of potential approvers.

This guide describes how to use the integration to request or approve access. To learn about configuration of the integration in your Teams workspace, see Set up and Configure the Integration With Teams.

Command Reference

The table below contains a reference of the available commands in the integration with Teams. Before using these commands, you should install the integration if you have not already done so.

| Command | Description |
| --- | --- |
| access all | Display entire resource catalog |
| access approval requests | Display list of requests available for the user to approve |
| access catalog | Display resource catalog available to user |
| access my requests | Display list of user's own requests |
| access to | Directly request access in the format /sdm access to <RESOURCE> for <DURATION> because <REASON> |
| authorize | Present user with options to authorize their Teams user to be connected to their StrongDM user |
| deauthorize | Deauthorize and disconnect Teams user from StrongDM user |
| help | Present command help text to user |

These commands may be entered in direct chat with the StrongDM bot that is installed by the integration. They can also be used in a standard channel where it is present by directing a message to it, such as @StrongDM access my requests. Sending one of these commands to the integration should provoke a response that presents you with a button to click to perform the requested action. In this example, a button would be presented in the bot's response for you to click to access the list of your requests.

Microsoft Teams bot applications are not supported in private channels and shared channels, so the integration is not available in those channels.

Install the Integration

If the integration with Teams has already been installed for users in your organization, you can skip the installation instructions. If not, you should be able to install it for yourself. Go to the Marketplace and search for "StrongDM" to locate the integration, and follow the prompts to install it to the chats you'd like to use it in.

Authorize the Integration

An admin for your organization must authorize the integration first in order for anyone else in the organization to authorize with it. If this has been done, each user must authorize the integration with Teams using their StrongDM user account to gain the ability to use Teams for resource access requests. To authorize the integration, in Teams, open the chat with the StrongDM bot and use the authorize command to begin. The integration responds to you indicating that it needs authorization.

If you have not yet authorized the connection between your StrongDM user and your Teams user account, entering any commands results in the same response requiring you to authorize the integration.

Click the Authorize button. You are then guided through a process to ensure that your StrongDM user is logged in and connected to your Teams user account in your current workspace. When the process is complete, the integration indicates a successful authorization and gives you options for how to get started using it.

The response contains the following buttons:

  • Approval Requests: Shows a list of requests that are awaiting approval by you or another eligible approver; the same result as the access approval requests command

  • Catalog: Displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request; the same result as the access catalog command

  • My Requests: Shows a list of the requests that you have submitted; the same result as the access my requests command

  • Usage: Lets you view usage instructions at any time; the same result as the help command

Resource Catalog

Click the Catalog button (or run the command access catalog) to search the resource catalog.

You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:

  • Any: Returns the entire catalog list

  • Available: Only returns resources that you do not currently have access to but that are available for you to request

  • Granted by Role: Returns resources that you have standing access to through roles

  • Granted Temporarily: Returns resources that you have been directly granted temporary access to (not through requests)

  • Pending: Returns only resources for which you currently have pending requests

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

| Property | Description |
| --- | --- |
| Availability | Whether the resource is available to request, or already granted by a role |
| Credentials | Whether the resource uses leased credentials or secret stores |
| ID | ID of the resource |
| Name | Name of the resource |
| Tags | Resource tag keys and values |
| Type | Resource type |

Make a Request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Teams form and make the request. The form asks for the duration for your request, an optional start date/time if you wish the duration to begin in the future, and the reason for your request (required).

If your request is to a resource that is part of a workflow with automatic approvals, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the eligible approvers are individually notified of your request.

When an access request is created in a group chat or channel, the approval notification is sent to both that group chat or channel and to the approver's personal chat. This allows approvers in the group chat or channel to take action on the access request directly.

You may also make a request directly with a command from anywhere in Teams using the following syntax (optional arguments in brackets):

access to <RESOURCE> [for <DURATION>] [because <REASON>]

For example:

access to rs-3454897454b8ed24 for 3h because testing reasons

  • The value of <RESOURCE> can be either your resource's exact name, or its resource ID, and should be in quotation marks. The ID can be found in the catalog (access catalog) in the entry for the desired resource. You can also add multiple resources here, each encapsulated by quotation marks, separated by commas. For example, to request access to both the "rs-3454897454b8ed24" resource and the "AWS EC2 3010" resource in the same request:

    access to "rs-3454897454b8ed24", "AWS EC2 3010" for 3h because testing reasons

  • The value of <DURATION> is the number of days (d), hours (h), or minutes (m) (for example, 15d or 3h or 10m). This argument is optional as an argument in the command, but all requests require a duration.

  • The value of <REASON> should be a sufficient reason that an approver (or later auditor) is able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

If the access to command is used but the optional duration and reason arguments are not provided, the Teams modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.
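The command grammar above can be checked before a message is sent, or when reviewing chat history for audit. The following Python parser is an added example, not StrongDM code: the names parse_access_to, parse_duration and AccessRequest are hypothetical, and it assumes the optional /sdm or @StrongDM prefix shown earlier on this page.

```python
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional

# One resource: a quoted exact name or ID, or a bare token without spaces.
_RES = r'(?:"[^"]+"|[^\s,"]+)'
# access to <RESOURCE>[, <RESOURCE>...] [for <DURATION>] [because <REASON>]
_CMD = re.compile(
    rf'^\s*(?:(?:/sdm|@StrongDM)\s+)?access\s+to\s+'
    rf'(?P<res>{_RES}(?:\s*,\s*{_RES})*)'
    r'(?:\s+for\s+(?P<dur>\S+))?'
    r'(?:\s+because\s+(?P<reason>.+?))?\s*$',
    re.IGNORECASE | re.DOTALL)
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}


@dataclass
class AccessRequest:
    resources: List[str]
    duration: Optional[timedelta]
    reason: Optional[str]

    @property
    def needs_form(self) -> bool:
        # Per the page, a missing duration or reason opens the request form.
        return self.duration is None or self.reason is None


def parse_duration(text: str) -> timedelta:
    """Convert a duration such as 15d, 3h or 10m into a timedelta."""
    m = re.fullmatch(r"(\d+)([dhm])", text)
    if not m:
        raise ValueError(f"duration must look like 15d, 3h or 10m: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def parse_access_to(message: str) -> AccessRequest:
    """Parse an 'access to' command into resources, duration and reason."""
    m = _CMD.match(message)
    if not m:
        raise ValueError("not an 'access to' command")
    resources = [r.strip('"') for r in re.findall(_RES, m.group("res"))]
    dur = parse_duration(m.group("dur")) if m.group("dur") else None
    return AccessRequest(resources, dur, m.group("reason"))
```

A request that parses with needs_form set to True is one that Teams would complete through the modal form rather than submit directly.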

View and Respond to Requests

Click the Approval Requests button (or run the command access approval requests) to display a list of current requests that you are eligible to approve.

Each request listed contains the following properties:

| Property | Description |
| --- | --- |
| Duration | Length of time for which access was requested |
| Reason | Reason stated for the request |
| Requester | Name of the requester |
| Start | Date and time the access is to begin |
| Submitted | Date and time the request was submitted |

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Teams notification (in addition to the email that you get from the system if enabled for your organization) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, clicking that button immediately revokes the access.

Approving or denying a request from the Approval Requests menu provides the option to give a reason for your decision, if so desired. Clicking an approve or deny button in an announcement message presented by the bot does not provide that option.


Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.
