Integrate a new Microsoft Teams source (private beta)
For now, only real-time scanning is supported. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
Setting up and configuring this integration is limited to users with an Owner or Manager access level. Microsoft Teams tenant installation is only open to workspaces under the Business plan. However, you can install and test secret detection in Microsoft Teams with a 30-day trial. Any secret incidents detected during the trial will remain accessible in your incident dashboard.
GitGuardian integrates natively with Microsoft Teams via an Entra app that you can install on your Microsoft Teams tenants. Note that the GitGuardian Entra app only has read access to your channels.
Set up your Microsoft Teams integration
You can install GitGuardian on multiple Microsoft Teams tenants to monitor your standard, private and shared channels.
- Make sure you're logged in as an administrator of the Microsoft Teams tenant where you want to install GitGuardian
- In the GitGuardian platform, navigate to the Sources integration page
- Click Install next to Microsoft Teams in the Messaging section
- Click Install on the Microsoft Teams integration page
- Select your Microsoft Teams administrator account
- Click Accept to grant the permissions requested by GitGuardian
That's it! Our GitGuardian Entra app is now automatically installed on your Microsoft Teams tenant. It will now start monitoring all posts shared on your standard, private and shared channels for secrets.
Set up Microsoft Teams for self-hosted GitGuardian
We recommend using dedicated workers for Microsoft Teams. For more detailed information on scaling and configuration, please visit our scaling page.
If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Azure Entra ID Application.
Create the Azure Entra ID Application for GitGuardian
You must be logged in as a Microsoft Entra ID administrator to complete this process.
- In your Microsoft Azure tenant, browse to your Entra ID applications, create a new application, and click the "Create your own application" button
- Choose a name for your application and register it to integrate with Microsoft Entra ID
- Set a Redirect URI matching your GitGuardian Self-Hosted Instance:
  https://<your instance url>/api/v1/microsoft-teams/app/install_callback/
- Set permissions for your application
  Browse to Manage / API Permissions to set the needed permissions.
  Your application must be allowed the following Graph API permissions:
  - Application.ReadWrite.OwnedBy
  - Channel.ReadBasic.All
  - ChannelMessage.Read.All
  - ChatMember.Read.All
  - ChatMessage.Read.All
  - Files.Read.All
  - Group.Read.All
  - Organization.Read.All
  - Policy.Read.All
  - Policy.ReadWrite.ApplicationConfiguration
  - Team.ReadBasic.All
  - TeamMember.Read.All
  - User.Read
  You must also "Grant admin consent" for all these permissions.
- Generate a Secret for your application
  Browse to Manage / Certificates & secrets, create a Client Secret and copy it while it is displayed.
Store the Application ID and the Client Secret in a secure location like a vault or a secret manager.
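The following audit is an added example, not GitGuardian's code: it compares a description of the Entra app with the permission list and Redirect URI given above, reporting missing, unconsented and extra permissions, the ReadWrite scopes, and any non-matching redirect URIs. The export shape (permissions, admin_consent, redirect_uris), the host gitguardian.example.internal and the extra Mail.ReadWrite entry are constructed assumptions.

```python
from urllib.parse import urlsplit

# Graph API permissions this page lists for the self-hosted Entra app.
REQUIRED = frozenset({
    "Application.ReadWrite.OwnedBy", "Channel.ReadBasic.All",
    "ChannelMessage.Read.All", "ChatMember.Read.All", "ChatMessage.Read.All",
    "Files.Read.All", "Group.Read.All", "Organization.Read.All",
    "Policy.Read.All", "Policy.ReadWrite.ApplicationConfiguration",
    "Team.ReadBasic.All", "TeamMember.Read.All", "User.Read",
})
CALLBACK_PATH = "/api/v1/microsoft-teams/app/install_callback/"


def redirect_uri_ok(uri, instance_host):
    """Accept only the exact HTTPS callback on the expected host."""
    p = urlsplit(uri)
    return (p.scheme == "https" and p.hostname == instance_host.lower()
            and p.username is None and p.path == CALLBACK_PATH
            and not p.query and not p.fragment)


def audit(app, instance_host):
    """Diff an exported app registration against the documented setup."""
    declared = {perm["name"] for perm in app["permissions"]}
    consented = {perm["name"] for perm in app["permissions"]
                 if perm["admin_consent"]}
    return {
        "missing": sorted(REQUIRED - declared),
        "unconsented": sorted((REQUIRED & declared) - consented),
        "extra": sorted(declared - REQUIRED),
        # ReadWrite scopes, surfaced so a reviewer can see what they cover.
        "write_capable": sorted(n for n in declared if "Write" in n),
        "bad_redirects": [u for u in app["redirect_uris"]
                          if not redirect_uri_ok(u, instance_host)],
    }


# Constructed sample export (hypothetical shape and host, not an Azure format).
HOST = "gitguardian.example.internal"
SAMPLE_APP = {
    "redirect_uris": [f"https://{HOST}{CALLBACK_PATH}",
                      f"http://{HOST}{CALLBACK_PATH}"],
    "permissions": [{"name": n, "admin_consent": n != "Policy.Read.All"}
                    for n in sorted(REQUIRED - {"Files.Read.All"})]
                   + [{"name": "Mail.ReadWrite", "admin_consent": True}],
}

if __name__ == "__main__":
    for finding, values in audit(SAMPLE_APP, HOST).items():
        print(f"{finding}: {values}")
```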
Reference your newly created application in GitGuardian Self-Hosted
- Navigate to the Microsoft Teams integration page
- Click Configure Microsoft Teams app
- Set the Application ID and Secret you just created in Microsoft Azure Entra ID
Uninstall your Microsoft Teams tenant
To uninstall a Microsoft Teams tenant:
- In the GitGuardian platform, navigate to the Sources integration page
- Click Edit next to Microsoft Teams in the Messaging section
- Click the bin icon next to the Microsoft Teams tenant to uninstall
- Confirm by clicking Yes, uninstall in the confirmation modal
That's it! Your Microsoft Teams tenant is now uninstalled.
Limitations
The Microsoft Teams integration is currently available in private beta and has a number of limitations:
- Integration: Once integration has been completed, real-time secret detection is not immediately activated on all channels. The channel integration process continues in the background and may take some time, depending on the size of your Microsoft Teams. Integration progress is visible from the Microsoft Teams integration page.
- Monitored channels: The number of channels that can be included in the monitored perimeter depends on the number of subscriptions authorized by your Azure tenant. In any case, there is a hard limit of 10,000 channels that can be monitored. This limit may be lower, depending on the number of subscriptions already consumed by third-party applications. If your Microsoft Teams has too many channels, your monitoring will be partial. We prioritize the integration of standard channels, followed by private channels, then shared channels.
- Historical Scan: Historical scans are not yet supported (coming soon).
- Source Listing: Monitored Microsoft Teams channels are not yet listed on the Perimeter page (coming soon).
- Monitored Perimeter: Customization of the monitored perimeter is not supported. All channels are monitored by default.
- Team Perimeter: Customization of a team perimeter with Microsoft Teams channels is not supported. Users must be in the All-incidents team to view and access Microsoft Teams incidents.
- Source Visibility: The visibility of channels is partially determined. Private channels are considered "private", while public and shared channels are considered "public" in both the UI and API.
- Presence Check: The presence check feature is not supported. All occurrences are considered "present" in both the UI and API.
- Group Chats: Group chats are not scanned.
- File Attachments: File attachments are not scanned.
- Occurrence Previews: Previews of occurrences are not supported.
Privacy
Country-specific laws and regulations may require you to inform your Microsoft Teams users that your channels are being scanned for secrets. Here is a suggestion for a message you may want to use:
As part of our internal information security process, the company scans the Microsoft Teams channels for potential secrets leaks using GitGuardian. All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. Please note that only channels relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the channel’s purpose.