
Teams App Configuration


Overview

The Sonrai Cloud Permissions Firewall (CPF) slashes the permissions attack surface by protecting access to privileged permissions, unused services and cloud regions, and quarantining dormant identities.

Access needs are granted seamlessly through Permissions-on-Demand and just-in-time workflows that integrate with the best ChatOps tools out there — Slack included.

When an identity tries to use a restricted permission or quarantined identity, an automated message is routed via Teams to predetermined owners. The message details the account, identity, service, permission, and timeframe, allowing the owner to either approve or deny the request.


Sonrai Teams App Functionalities

  • configure - check if the app is already registered to Sonrai for your tenant
    • If the app is not registered, you will be presented with an option to "Get started using Sonrai in Teams" (click Configure)
  • unregister - unregister the app from Teams
  • jit - initiate a just-in-time workflow for the current user
  • help - display the list of available app commands

Event Subscriptions

The Sonrai App for Teams subscribes to the following events:

  • App Mention
  • On Installation

App Mentions

If the app is mentioned using @Sonrai from any group chat in which the Sonrai Teams app exists, the output of the help command will be displayed.

On Installation

Whenever a user installs the app in their personal scope and/or adds the Sonrai App to a group chat, the app will send a welcome message along with a help message card.


Administrator App Installation

Before users can install the Sonrai app in their Teams instance, administrators must first install and approve the app, and then register with Sonrai. Many organizations will have multiple team members involved with this process, depending on the Separation of Duties (SoD) in use within your organization.

There are three main roles involved during administrator installation:

Microsoft Teams Administrator

Enables the Sonrai App in the MS Teams Admin Center, and sets up permission policies that allow Users and Groups to interact with the app.

Azure Global Administrator

Approves the Sonrai app as an Enterprise Application in Azure.

Sonrai Administrator

Completes the app registration process within the Sonrai platform.

tip

Often, the Sonrai Administrator role is assigned to the same person acting as the Teams Administrator during app approval.

Separation of Duty Scenarios

Sonrai supports the following specific configurations for assigning these roles across one or more individuals:

Scenario 1: All Roles Combined (Single Person)

  • Azure Global Administrator, Teams Administrator, and Sonrai Administrator are the same person.

This individual performs all steps in the process:

  1. Approves the Sonrai app in Azure.
  2. Configures the Sonrai app in the Teams Admin Center.
  3. Completes CPF registration and authorization.

This is the simplest setup.


Scenario 2: Microsoft Roles + Sonrai Admin Split (Two People)

  • Azure Global Administrator and Teams Administrator roles are held by one person.
  • Sonrai Administrator is a different person.

The installation process requires coordination between these individuals:

  1. The Azure Global/Teams Admin goes to Teams, clicks Configure, and completes Microsoft’s authorization modal.
  2. The redirect to the CPF authorization step then fails, since this person is not a Sonrai Admin.
  3. The Sonrai Admin logs into Teams, runs Configure, and completes the CPF authorization modal successfully.

This split flow is supported but requires coordination between two team members holding different roles.


info
  • When duties are split between two people, Sonrai app installation will not be complete until a Sonrai Admin finishes authorization successfully.
  • Misconfigured Teams permission policies may cause the Sonrai bot to appear disabled even after installation. If so, ask your Teams Admin to update permission policies in the MS Teams Admin Center.

App Install

  1. To begin the app registration, navigate to the Microsoft AppSource store > Sonrai app and click .
  2. Then, in the Teams application, click (or type) Configure.
  3. Click Review permissions.
  4. Click Accept.
  5. Click Register and log in to the Sonrai Cloud Permissions Firewall.

Upon successful login to the Sonrai platform, you will be redirected to the Sonrai app success page:

Along with this page, in Teams you will receive a notification that the app has been successfully registered:

info

If the app is not yet registered for Teams, you will be redirected to the Sonrai Cloud Permissions Firewall login page to complete the OAuth flow. Similarly, if you do not have the required permissions:


User App Installation

info

This section assumes you are asking users in your Approvers list to manually install the Sonrai app in Teams. In many organizations, this approach makes sense because the number of users that require the Sonrai app is limited.

However, if your Microsoft Teams Administrator preinstalls apps for your users, then individual approvers might not need to complete this step.

Once an Administrator has made the Sonrai Teams application available for installation, each user can search for and install it for their Teams application by clicking .

Once added to Teams, your users will begin receiving Permissions on Demand (PoD) messages - dependent on scope, permissions, etc.

Can I access PoD requests without installing the Sonrai Teams App first? What about creating a JIT access request?

PoD Requests without the Sonrai App?

If you do not install the Sonrai Teams application prior to a Permissions on Demand request, don't fret! The request will still arrive in a Teams group chat, with a reminder to install the app:

JIT Requests without the Sonrai App?

No! To initiate JIT access requests from Teams, you must use the Sonrai Teams App. Trying to initiate a JIT access request from the Teams group chat will not work.

Learn more about ChatOps workflows for Teams.


tip

Incorrect permission policies for the Sonrai App in Teams can cause users to receive a notification that the Sonrai bot is disabled, even after the app is installed:

MS Teams error message stating that the Sonrai bot is disabled, due to insufficient permission policies granted for the Sonrai App.

If you see this error, ask your Microsoft Teams Administrator to update your permission policies in MS Teams Admin Center.


App Removal

Unregistering the Sonrai Teams App (for your entire organization)

Have an Administrator either:

  • Click >

OR

  • Type in the Unregister app command in Teams

Remove the Sonrai Teams App (individual users)

Right-click the Sonrai app entry in the left-hand sidebar menu, then click Uninstall.