Collaborate in Microsoft Teams (Public preview)

Azure Sentinel supports a direct integration with Microsoft Teams, enabling you to jump directly into teamwork on specific incidents.

Important

Integration with Microsoft Teams is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Overview

Integrating with Microsoft Teams directly from Azure Sentinel enables your teams to collaborate seamlessly across the organization, and with external stakeholders.

Use Microsoft Teams with an Azure Sentinel incident team to centralize your communication and coordination across the relevant personnel. Incident teams are especially helpful when used as a dedicated conference bridge for high-severity, ongoing incidents.

Organizations that already use Microsoft Teams for communication and collaboration can use the Azure Sentinel integration to bring security data directly into their conversations and daily work.

An Azure Sentinel incident team always has the most updated and recent data from Azure Sentinel, ensuring that your teams have the most relevant data right at hand.

Required permissions

In order to create teams from Azure Sentinel:

  • The user creating the team must have Incident write permissions in Azure Sentinel. For example, the Azure Sentinel Responder role is an ideal, minimum role for this privilege.

  • The user creating the team must also have permissions to create teams in Microsoft Teams.

  • Any Azure Sentinel user, including users with the Reader, Responder, or Contributor roles, can gain access to the created team by requesting access.

Use an incident team to investigate

Investigate together with an incident team by integrating Microsoft Teams directly from your incident.

To create your incident team:

  1. In Azure Sentinel, in the Threat management > Incidents grid, select the incident you're currently investigating.

  2. At the bottom of the incident pane that appears on the right, select Actions > Create team.

    The New team pane opens on the right. Define the following settings for your incident team:

    • Team name: Automatically defined as the name of your incident. Modify the name as needed so that it's easily identifiable to you.

    • Description: Enter a meaningful description for your incident team.

    • Add groups: Select one or more Azure AD groups to add to your incident team. Individual users aren't supported on this page. If you need to add individual users, do so in Microsoft Teams after you've created the team.

      Tip

      If you regularly work with the same teams, you may want to select the star to save them as favorites.

      Favorites are automatically selected the next time you create a team. If you want to remove a favorite from the next team you create, either select Delete, or select the star again to remove the team from your favorites altogether.

  3. When you're done adding groups, select Create to create your incident team.

    The incident pane refreshes, with a link to your new incident team under the Team name title.

  4. Select your Teams integration link to switch into Microsoft Teams, where all of the data about your incident is listed on the Incident page tab.

Continue the conversation about the investigation in Teams for as long as needed. You have the full incident details directly in Teams.

Tip

  • If you need to add individual users to your team, you can do so in Microsoft Teams using the Add more people button on the Posts tab.

  • When you close an incident, the related incident team you've created in Microsoft Teams is archived. If the incident is ever re-opened, the related incident team is also re-opened in Microsoft Teams so that you can continue your conversation, right where you left off.

Next steps

For more information, see: