Teams Group Chat Notifications

One-Click Least Privilege. Zero Disruption.

© 2026 Sonrai Security. All rights reserved.

Overview

Extend your current ChatOps integration by adding a Teams group chat where team members can observe and monitor permission escalations, without being directly involved in approval chains.

This feature allows you to customize when and where real-time permission request notifications are posted, making it easy for the right people to monitor what is happening within your organization.

---

Planning and Preparation

important

Prerequisite: Group chat notifications in Teams require the Sonrai Teams app to be installed and configured before starting.

Some key considerations to keep in mind when subscribing to notifications within a Teams group chat:

• Adding Sonrai to the Group Chat - The Sonrai app must be added to the group chat via the chat's Apps menu before trying to subscribe to notifications. In the group chat, click ... > Apps, search for Sonrai, and add it.
• Who Can Update Subscriptions? - Only approvers at the specified scope can subscribe or unsubscribe to notifications within a group chat.
• Available Subscriptions - If you don't specify a scope when trying to subscribe, or aren't an approver at the scope that is specified, then the Teams app will warn that you must specify a scope where you are an approver and provide a list of available scopes to use.
• Unsubscribe All - Scope is an optional field when unsubscribing from notifications, but if no scope is provided then that group chat will be unsubscribed from ALL scopes where the user running the unsubscribe command is an approver.
• Scope Identifiers - When specifying a scope, you must use the AWS scope identifier instead of the friendly name for that scope, because AWS doesn't enforce unique friendly names. (When the Sonrai app reports results, it uses friendly names for improved readability.)

tip

You can subscribe to notifications in existing group chats, but creating a new Teams group chat dedicated for this task may prevent existing conversations from being overwhelmed by notifications. Think carefully about the scope you will be subscribing to and the volume of messages expected before adding this to active group chats.

---

Subscribe to Notifications

To subscribe, open the Teams group chat where you want notifications to be reported and send the following command: @Sonrai subscribe scope.

In this command, scope determines what level of notifications are received and can be one of the following values:

• root scope/management account ID - monitor activity for all related OUs and accounts
• OU ID - monitor activity for all accounts within the specified OU
• individual account ID - monitor activity only the specified account

For example:

@Sonrai subscribe aws/r-abcd/ou-abcd-12345678

tip

Unsure what scopes are available to you? Leave out the scope when trying to subscribe, and your Sonrai bot will return an error message that includes a list of available Sonrai scopes where you are an approver.

The Sonrai app will check permissions for the user running this command, and then return a confirmation once the subscription is successfully created.

---

Unsubscribe from Notifications

To remove an existing subscription, open a group chat where you are receiving Sonrai notifications and send the following command: @Sonrai unsubscribe [scope] where scope is an optional value that specifies which level of notifications should be cancelled.

For example:

@Sonrai unsubscribe aws/r-abcd/ou-abcd-12345678/ou-abcd-98765432

The Sonrai app will attempt to remove the subscription for the specified scope, and then return a confirmation once done.

In the case where no scope identifier is provided, then notifications will be removed for all scopes where you are an approver.

---

Frequently Asked Questions

Q: Can multiple group chats be configured to receive notifications?

A: Yes! You can subscribe to notifications from different group chats, using the same or different scopes, to customize what your team members receive.

Q: How can I check what group chats/scopes have existing subscriptions?

A: Run this Graphql query to see the list of group chats you're subscribed to:

GraphQL: Check for existing notification subscriptions

query chatopsMonitoringIntegrations {
  IntegrationRegistrations(
    where: {
      name: { op: ILIKE, value: "chatops-monitor%" }
      type: { value: "Notification" }
    }
  ) {
    items {
      id
      name
      type
      description
      platformMetadata
    }
  }
}

The JSON response will include both the platform and group chat where notifications are being sent, as well as what scope was used for that subscription. Expand the following section to see a detailed example.

Sample JSON response

{
  "data": {
    "IntegrationRegistrations": {
      "items": [
        {
          "id": "097aa552-a8b2-4438-be37-51833c1cfa24",
          "name": "chatops-monitor_teams_[key]_all-shared-channel-name_aws/r-abcd",
          "type": "Notification",
          "description": "ChatOps Monitoring: Teams group chat #shared-channel-name for scope aws/r-abcd",
          "platformMetadata": {
            "key": "[key]",
            "name": "",
            "type": "chatops_monitoring",
            "scope": "aws/r-abcd",
            "filters": [
              {
                "scope": "aws/r-abcd",
                "eventName": "jit.*"
              },
              {
                "scope": "aws/r-abcd",
                "eventName": "pond.*"
              }
            ],
            "platform": "teams",
            "channel_id": "19:abc123def456@thread.v2",
            "channel_name": "shared-channel-name"
          }
        }
      ]
    }
  },
  "extensions": {}
}