Teams App Configuration

One-Click Least Privilege. Zero Disruption.

Overview

The Sonrai Cloud Permissions Firewall slashes the permissions attack surface by protecting access to privileged permissions, unused services and cloud regions, and quarantining dormant identities.

Access needs are granted seamlessly through Permissions-on-Demand and just-in-time workflows that integrate with the best ChatOps tools out there — Slack included.

When an identity tries to use a restricted permission or quarantined identity, an automated message is routed via Teams to predetermined owners. The message details the account, identity, service, permission, and timeframe, allowing the owner to either approve or deny the request.

Sonrai Teams App Functionalities

configure - check if the app is already registered to Sonrai for your tenant
- If the app is not registered, you will be presented with an option to "Get started using Sonrai in Teams" (click Configure)
unregister - unregister the app from Teams
jit - initiate a just-in-time workflow for the current user
help - display the list of available app commands

Event Subscriptions

Sonrai App for Teams subscribes to the below events:

App Mention
On Installation

App Mentions

If the app is mentioned using @Sonrai from any group chat in which the Sonrai Teams app exists, the output of the help command will be displayed.

On Installation

Whenever a user installs the app in their personal scope and/or adds the Sonrai App into group chat, the app will send a welcome message along with a help message card.

Teams App Installation

Administrator App Installation

Prerequisites

Many organizations will have two (or more) team members that will need to be involved with configuring the Cloud Permissions Firewall, depending on the separation of duties in use.

Microsoft Teams Administrator

This role has the permissions required to Sonrai App in the MS Teams Admin Center, and to set up permission policies that allow Users and Groups to interact with the app:

A view of the Microsoft Teams Admin center, highlighting the Permissions section and showing the Status toggle set to Allowed for the Sonrai App.

Global Administrator [in Azure]

This role can approve the Sonrai app as an Enterprise Application in Azure.

Administrator

This Sonrai Administrator role is used to complete the app registration process.

tip

Often, this Sonrai role is assigned to the Teams admin user completing the app approval

App Install

To begin the app registration, navigate to the Microsoft AppSource store > Sonrai app and click .

Then, in the Teams application, click (or type) Configure.

Click Review permissions.

Click Accept.

Click Register and log in to the Sonrai Cloud Permissions Firewall.

Upon successful login to the Sonrai platform, you will be redirected to the Sonrai app success page:

Along with this page, in Teams you will receive notification that the app has been successfuly registered:

info

If the app is not yet registered for Teams, you will be redirected to the Sonrai Cloud Permissions Firewall login page to complete the OAuth flow. Similarly, if you do not have the required permissions:

User App Installation

Once an Administrator has made the Sonrai Teams application available for installation, each user can search for and install it for their Teams application by clicking .

Once added to Teams, your users will begin receiving Permissions on Demand (PoD) messages - dependent on scope, permissions, etc.

Can I access PoD requests without installing the Sonrai Teams App first? What about creating a JIT access request?

PoD Requests without the Sonrai App?

If you do not install the Sonrai Teams application prior to a Permissions on Demand request, don't fret! The request will still arrive in a Teams group chat, with a reminder to install the app:

JIT Requests without the Sonrai App?

No! To initiate JIT access requests from Teams, you must use the Sonrai Teams App. Trying to initiate a JIT access request from the Teams group chat will not work.

Learn more about ChatOps workflows for Teams.

tip

Incorrect permission policies for the Sonrai App in Teams can cause users to receive notification that the Sonrai bot is disabled, even after the app is installed:

MS Teams error message stating that the Sonrai bot is disabled, due to insufficient permission policies granted for the Sonrai App.

If you see this error, ask your Microsoft Teams Administrator to update your permission policies in MS Teams Admin Center.

App Removal

Unregistering the Sonrai Teams App (for your entire organization)

Have an Administrator either:

Click >

Type in the Unregister app command in Teams

Remove the Sonrai Teams App (individual users)

Right-click on the Sonrai app entry within the lefthand sidebar menu, then click Uninstall.

Overview​

Sonrai Teams App Functionalities​

Event Subscriptions​

App Mentions​

On Installation​

Teams App Installation​

Administrator App Installation​

Prerequisites​

App Install​

User App Installation​

App Removal​

Unregistering the Sonrai Teams App (for your entire organization)​

Remove the Sonrai Teams App (individual users)​