Integrate a new Microsoft Teams source
All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
Setting up and configuring this integration is limited to users with an Owner or Manager access level. Microsoft Teams tenant installation is only open to workspaces under the Business plan. However, you can install and test secret detection in Microsoft Teams with a 30-day trial. Any secret incidents detected during the trial will remain accessible in your incident dashboard.
GitGuardian integrates natively with Microsoft Teams via an Entra app that you can install on your Microsoft Teams tenants. Note that the GitGuardian Entra app only has read access to your channels.
Setup your Microsoft Teams integration
You can install GitGuardian on multiple Microsoft Teams tenants to monitor your standard, private and shared channels.
- Make sure you're logged as administrator in the Microsoft Teams tenant you want to install
- In the GitGuardian platform, navigate to the Sources integration page
- Click Install next to Microsoft Teams in the Messaging section
- Click Install on the Microsoft Teams integration page
- Select your Microsoft Teams administrator account
- Click Accept to grant the permissions requested by GitGuardian
That's it! Our GitGuardian Entra app is now automatically installed on your Microsoft Teams tenant. It will now start monitoring all posts shared on your standard, private and shared channels for secrets.
Setup Microsoft Teams for self-hosted GitGuardian
We recommend using dedicated workers for Microsoft Teams. For more detailed information on scaling and configuration, please visit our scaling page.
If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Azure Entra ID Application.
Create the Azure Entra ID Application for GitGuardian
You must be logged as an Microsoft Entra ID administrator to complete this process
-
In your Microsoft Azure Tenant, browse to your Entra ID applications and create a new application, and click the "Create your own application" button
-
Choose a name for your application and register it to integrate with Microsoft Entra ID
-
Set a Redirect URI matching your GitGuardian Self-Hosted Instance:
https://<your instance url>/api/v1/microsoft-teams/app/install_callback/
- Set permissions for your application
Browse to Manage / API Permissions to set the needed permissions.Choose Application permissions if you are asked :
Your application must be allowed the following Graph API permissions:
- Application.ReadWrite.OwnedBy
- Channel.ReadBasic.All
- ChannelMessage.Read.All
- ChatMember.Read.All
- ChatMessage.Read.All
- Files.Read.All
- Group.Read.All
- Organization.Read.All
- Policy.Read.All
- Policy.ReadWrite.ApplicationConfiguration
- Team.ReadBasic.All
- TeamMember.Read.All
- User.Read
You must also "Grant admin consent" for all these permissions.
- Generate a Secret for your application
Browse to Manage / Certificates & secrets to create a Client Secret, create a secret and copy it while it is displayed.
Store the Application ID and the Client Secret in a secure location like a vault or a secret manager
Reference your newly created application in GitGuardian Self-Hosted
-
Navigate to the Microsoft Teams integration page
-
Click Configure Microsoft Teams app
-
Set the Application ID and Secret you just created in Microsoft Azure Entra Id
Uninstall your Microsoft Teams tenant
To uninstall a Microsoft Teams tenant:
- In the GitGuardian platform, navigate to the Sources integration page
- Click Edit next to Microsoft Teams in the Messaging section
- Click the bin icon next to the Microsoft Teams tenant to uninstall
- Confirm by clicking Yes, uninstall in the confirmation modal
That's it! Your Microsoft Teams tenant is now uninstalled.
Limitations
The Microsoft Teams integration is currently available in beta and has a number of limitations:
- Historical Scan: Historical scans are not automatically executed upon the addition of newly created sources. It only works in manual mode through the perimeter page.
- Scan Frequency: Scans are not performed in realtime: they are performed at least once a day.
For GitGuardian Self-Hosted instances, scan frequency can be configured in the Admin Area.- Time interval unit: seconds
- Default value: 21600 (6 hours)
- Minimum value: 1800 (30 minutes)
- Monitored Perimeter: Customization of the monitored perimeter is not supported. All channels are monitored by default.
- Team Perimeter: Customization of a team perimeter with Microsoft Teams channels is not supported. Users must be in All-incidents team to view and access Microsoft Teams incidents.
- Source Visibility: The visibility of channels is partially determined. Private channels are considered
private, while public and shared channels are consideredpublicin both the UI and API. - Presence Check: The presence check feature is not supported. All occurrences are considered
presentin both the UI and API. - Group Chats: Group chats are not scanned.
- File Attachments: File attachments are not scanned.
Privacy
Country-specific laws and regulations may require you to inform your Microsoft Teams users that your channels are being scanned for secrets. Here is a suggestion for a message you may want to use:
As part of our internal information security process, the company scans the Microsoft Teams channels for potential secrets leaks using GitGuardian. All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. Please note that only channels relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the channel’s purpose.
