Collaborate in Microsoft Teams (Public preview)
Azure Sentinel supports a direct integration with Microsoft Teams, enabling you to jump directly into teamwork on specific incidents.
Integrating with Microsoft Teams directly from Azure Sentinel enables your teams to collaborate seamlessly across the organization, and with external stakeholders.
Use Microsoft Teams with an Azure Sentinel incident team to centralize your communication and coordination across the relevant personnel. Incident teams are especially helpful when used as a dedicated conference bridge for high-severity, ongoing incidents.
Organizations that already use Microsoft Teams for communication and collaboration can use the Azure Sentinel integration to bring security data directly into their conversations and daily work.
An Azure Sentinel incident team always has the most up-to-date data from Azure Sentinel, ensuring that your teams have the most relevant data right at hand.
In order to create teams from Azure Sentinel:
The user creating the team must have Incident write permissions in Azure Sentinel. For example, the Azure Sentinel Responder role is an ideal, minimum role for this privilege.
The user creating the team must also have permissions to create teams in Microsoft Teams.
Use an incident team to investigate
Investigate together with an incident team by integrating Microsoft Teams directly from your incident.
To create your incident team:
In Azure Sentinel, in the Threat management > Incidents grid, select the incident you're currently investigating.
At the bottom of the incident pane that appears on the right, select Actions > Create team.
The New team pane opens on the right. Define the following settings for your incident team:
Team name: Automatically defined as the name of your incident. Modify the name as needed so that it's easily identifiable to you.
Description: Enter a meaningful description for your incident team.
Add groups: Select one or more Azure AD groups to add to your incident team. Individual users aren't supported on this page. If you need to add individual users, do so in Microsoft Teams after you've created the team.
If you regularly work with the same teams, you may want to select the star to save them as favorites.
Favorites are automatically selected the next time you create a team. If you want to remove a favorite from the next team you create, either select Delete, or select the star again to remove the team from your favorites altogether.
When you're done adding groups, select Create to create your incident team.
The incident pane refreshes, with a link to your new incident team under the Team name title.
Select your Teams integration link to switch into Microsoft Teams, where all of the data about your incident is listed on the Incident page tab.
Continue the conversation about the investigation in Teams for as long as needed. You have the full incident details directly in Teams.
When you close an incident, the related incident team you've created in Microsoft Teams is archived. If the incident is ever re-opened, the related incident team is also re-opened in Microsoft Teams so that you can continue your conversation, right where you left off.
For more information, see: