>
    Strata Copilot
    Onboard a Microsoft Teams App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Microsoft Teams App to SSPM
    Download PDF
    SaaS Security

    Onboard a Microsoft Teams App to SSPM

    Table of Contents

    Onboard a Microsoft Teams App to SSPM

    Connect a Microsoft Teams instance to SSPM to detect posture risks.
    This Microsoft Teams connector, which uses a Microsoft Entra (formerly Azure) service principal to access the Microsoft Graph API for scans, was introduced in June 2025. This connector replaces an earlier connector that also leveraged the Microsoft Graph API (removed in May 2025) and a connector that used data extraction techniques for scans (removed in June 2025). This new connector enables SSPM to detect significantly more application settings. If you already connected SSPM to your Microsoft Teams app instance using one of these earlier connectors, your established connection will continue to work. However, if there is any change to the configuration information that you provided to SSPM (such as an updated login password), you will need to onboard the Microsoft Teams app instance again using this new connector.
    For SSPM to detect posture risks in your Microsoft Teams instance, you must onboard your Microsoft Teams instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft API and, through the API, scans your Microsoft Teams instance at regular intervals.
    SSPM can get access to your Microsoft Teams instance through a Microsoft Entra (formerly Azure) service principal, which represents a Microsoft Entra application that you create. When you register this application, Microsoft Entra creates the associated service principle that SSPM will use to connect to the API.
    ItemDescription
    Tenant IDA globally unique identifier (GUID) for your Microsoft Entra tenant.
    Client IDSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client ID to uniquely identify the application and its associated service principal.
    Client SecretSSPM will access a Microsoft API through a Microsoft Entra service principal that represents an application that you create. Microsoft Entra generates the client Secret, which SSPM uses to authenticate to the service principal.
    To onboard your Microsoft Teams instance, you complete the following actions:
    1. Log in to the administrator account that you will use to create your Microsoft Entra application and its associated service principal.
      Required Permissions: The administrator must be able to grant access to the API scopes required by SSPM. In SSPM, the Microsoft Teams onboarding screen lists the scopes that SSPM requires.
      After SSPM connects to your Microsoft Teams instance, it will perform an initial scan of your instance, and will then run scans at regular intervals. For SSPM to run these scans, the service principal must remain available. If you delete the service account, the scans will fail and you will need to onboard Microsoft Teams again.
      1. Open a web browser to the Microsoft Entra admin center.
      2. Log in to the administrator account.
    2. Create and register your Microsoft Entra application.
      1. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
      2. On the Enterprise applications page, select the action to create a New application.
      3. On the All applications page, select Create your own application.
      4. On the Create your own application flyout dialog, complete the following actions:
        1. Specify a name for the application.
        2. Select Register an application to integrate with Microsoft Entra ID (App you're developing).
        3. Create.
      5. On the Register an application window, complete the following actions:
        1. For supported account types, select Accounts in this organizational directory only.
        2. Register.
        Registering the application automatically creates its associated service principal.
    3. Configure API permissions for your application.
      Configure your application to enable access only to the scopes that SSPM requires. The API permissions that you will configure for your application depend on whether you want SSPM to have read-permissions only or read and write permissions.
      1. Identify the scopes that SSPM requires.
        In SSPM, the Microsoft Teams onboarding screen lists the scopes that SSPM requires. To get the required scopes, you will begin the onboarding process in SSPM, but you will not complete the process.
        1. From the Add Application page in SSPM (Posture SecurityApplicationsAdd Application), click the Microsoft Teams tile.
        2. On the Posture Security tab, Add New instance.
          The onboarding page lists the API scopes that SSPM requires for read access and for read and write access. Copy the API scopes that you want to allow. You will add these permissions to your application.
          Don’t continue to the next step unless you have copied the permissions. Later, you will add these permissions to your application.
        3. Because you won't be completing the onboarding process until after you have finished configuring your application, Cancel Onboarding.
      2. From the left navigation pane in the Microsoft Entra admin center, select Enterprise applications.
      3. From the list of applications on the All applications page, open your application.
      4. From the details page for your application, select Permissions.
      5. On the Permissions page for your application, click the Application registration link, which will take you to the API permissions page for your application.
      6. On the API permissions page, Add a permission.
      7. On the Request API permissions flyout dialog, select Microsoft GraphApplication Permissions.
      8. Select each of the API scopes that you obtained from the Microsoft Teams onboarding screen in SSPM and Add permissions.
      9. On the API permissions page, verify that all the scopes were added as application permissions.
        The scopes you added should all have a type of Application. Only the User.Read permission, which Microsoft Entra added automatically when you registered the application, will have a type of Delegated.
      10. On the API permissions page, select Grant admin consent for your organization.
    4. Copy the application credentials (client ID and client secret) for your application.
      1. Copy the client ID.
        1. From the details page for your application, select Overview.
        2. From the overview page, copy the client ID from the Application (client) ID field and paste it into a text file.
          Don’t continue to the next step unless you have copied the client ID. You will need this information later to assign the service principal to the Global Reader role. You will also provide this information to SSPM during the onboarding process.
      2. Create and copy the client secret.
        1. From the details page for your application, select Certificates & secretsClient secrets.
        2. Create a New client secret.
        3. Copy the Value of the new client secret and paste it into a text file.
          Don’t continue to the next step unless you have copied the client secret. You will need to provide this information to SSPM during the onboarding process.
    5. Identify your tenant ID.
      1. From the left navigation pane in the Microsoft Entra admin center, select Home.
      2. Copy the tenant ID and paste it into a text file.
        Don’t continue to the next step unless you have copied your tenant ID. You will provide this information to SSPM during the onboarding process.
    6. Assign your Microsoft Entra application to the Global Reader role.
      1. From the left navigation pane in the Microsoft Entra admin center, select Identity Roles & adminsRoles & admins.
      2. On the Roles and administrators page, make sure the All roles tab is selected.
      3. From the list of administrative roles, locate the Global Reader role.
        To quickly locate the Global Reader role, you can use the search field to filter the list.
      4. After you locate the Global Reader role in the list, click its name to view the Assignments page for the Global Reader roll. Don't select the check box next to the role.
        The Assignments page list all the identities currently assigned to that role.
      5. Click + Add assignments.
      6. On the Add assignments page, locate your service principal.
        To locate the service principal, paste its client ID into the search field.
      7. Select the check box next to the service principal and Add it to the Global Reader role.
    7. Connect SSPM to your Microsoft Teams instance.
      In SSPM, complete the following steps to enable SSPM to connect to your Microsoft Teams instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Microsoft Teams tile.
      3. On the Posture Security tab, Add New instance.
      4. Enter the application credentials (client ID and client secret) and your tenant ID.
      5. Connect.

    © 2025 Palo Alto Networks, Inc. All rights reserved.