Scan Microsoft Teams for secrets

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features with production workflows, as features may not function seamlessly and you may encounter unexpected issues.

Connect Microsoft Teams as a data source to HCP Vault Radar to monitor Teams channels for sensitive data and secrets.

If you are new to HCP Vault Radar, checkout the HCP Vault Radar quickstart tutorial series.

Prerequisites

HCP IAM user with the HCP owner or admin role
Access to the Microsoft 365 tenant that contains the Teams data you want to scan
Enable admin consent workflow in the Microsoft 365 tenant (if tenant-wide consent is restricted)
Permission to register an application in Microsoft Entra ID (for agent scan)
Vault Radar agent deployed and running. Refer to the HCP Vault Radar operations tutorials (for agent scan)

Add a Microsoft Teams data source

Log into the HCP Portal with an HCP IAM user that has the HCP owner or admin role.
Click Vault Radar.
Click Settings.
Click Data Sources.
Select HCP Vault Radar Scan.
Under Team Collaboration, click Microsoft Teams.
Click Connect to Microsoft Teams. This starts the Microsoft sign-in and consent flow.
Sign in with an account of the tenant you want to scan.
Review the requested permissions and click Accept.
Administrator consent may be required
If your organization restricts tenant-wide consent, Microsoft displays a message that asks you to request approval from an administrator.
HCP Vault Radar displays the message Authenticated to Microsoft Teams.
Click Next.
Select either All teams and channels or Select teams and channels to monitor.
Click Finish to start onboarding and scanning the selected Teams channels.

Before you configure the Microsoft Teams data source in HCP Vault Radar, you need to register an application in Microsoft Entra ID and configure the required permissions.

Register a Microsoft Entra application

For step-by-step instructions on registering an app, see Quickstart: Register an application.

Sign in to the Microsoft Entra admin center with an account that can register applications.
Navigate to Entra ID > App registrations.
Click New registration.
Enter a name for the application, such as HashiCorp Vault Radar.
For Supported account types, select single tenant or multitenant based on your organization's needs.
Click Register.

Enable ID token issuance

In the Microsoft Entra application, open Authentication (Preview) > Settings.
Under Implicit grant and hybrid flows, select ID tokens.
Click Save.

Configure Microsoft Graph permissions

Complete the following steps in the Microsoft Entra app registration in Microsoft Entra ID so Vault Radar can read the Teams content it scans and sign users in.

For a guide to adding API permissions to an app, see Quickstart: Configure app access to web APIs.

Navigate to Entra ID > App registrations, and then select your client application
Select API permissions.
Click Add a permission.
Select Microsoft Graph.
Add the following permissions:
- Microsoft Graph application permissions:
  - Team.ReadBasic.All to list teams.
  - Channel.ReadBasic.All to list channels.
  - ChannelMessage.Read.All to read channel messages.
  - Organization.Read.All to read organization information, such as the tenant name.
- Delegated permissions (scopes):
  - openid to sign users in.
  - profile to view user's basic profile.
  - offline_access to allow the application to maintain access to the Microsoft Graph API when the user is not signed in.
Grant admin consent for the tenant after you add the permissions. Refer to the Microsoft documentation for granting tenant-wide admin consent.

Create a client secret and store the values

In the Microsoft Entra application, navigate to Certificates & secrets.
Click New client secret.
Copy the client secret value and store it as an environment variable on the agent host.
```
$ export MICROSOFT_TEAMS_CLIENT_SECRET="<client-secret-value>"
```
Copy the Application (client) ID and store it as an environment variable on the agent host.
```
$ export MICROSOFT_TEAMS_CLIENT_ID="<application-client-id>"
```
Copy the Directory (tenant) ID and store it securely.
You will enter this value directly in the HCP Portal when you add the Microsoft Teams data source.

Add a Microsoft Teams data source

Log into the HCP Portal with an HCP IAM user that has the HCP owner or admin role.
Click Vault Radar.
Click Settings.
Click Data Sources.
Select HCP Vault Radar Agent Scan.
Under Team Collaboration, click Microsoft Teams.
Enter the following information:
- Microsoft Entra tenant ID: The Directory (tenant) ID for the Microsoft Entra application.
- Microsoft Entra client ID: The environment variable path where you stored the client ID on the agent host.
  Example:
```
env://MICROSOFT_TEAMS_CLIENT_ID
```
- Microsoft Entra client secret: The environment variable path where you stored the client secret on the agent host.
  Example:
```
env://MICROSOFT_TEAMS_CLIENT_SECRET
```
Click Next.
Select either All channels or Select channels to monitor.
Click Finish to start onboarding and scanning the selected Teams channels.

Assign a group to a resource

Once you add a data source, an HCP user with the admin role must assign a group to each of the monitored resources within each data source. You can assign each resource to only one group.

Note

Users with the HCP IAM admin role do not need to be a member of other groups. Accounts with the admin role have full access to Vault Radar.

If you do not already have a group, refer to the Identity and Access Management groups documentation to create a group.

Navigate to the Project dashboard.
Click Access control (IAM).
Click Add new assignment.
Search the name of the group in the Search for an assignee search field.
Click the group name in the search results.
Click the Select service pulldown menu and select Vault Radar.
Click the Select role pulldown menu and select the Vault Radar Developer role.
Click Save.
Click Back to Dashboard.
Click Vault Radar.
Click Resources.
Select the resource you want to assign to a group and click Assign groups.
Click the Assign resoruce to group pulldown menu.
Select the group that requires access to the resource.
Select either the Viewer or Contributor role.
Click OK.

Update data source

Navigate to Settings.
Click Data Sources
Click the vertical ellipsis to the right of the data source..
To update the monitored data sources, click Edit data sources.
To update the token, click Edit data source host details.
To delete the data source host, click Delete data source host.

Tutorials

Learn how to evaluate and implement HCP Vault Radar in your environment with our tutorials.

HCP Vault Radar quickstart - Follow HashiCups, a fictitious coffee company, as they onboard HCP Vault Radar and scan their data sources for secrets.
HCP Vault Radar operations - Learn how HashiCups operations team uses HCP Vault Radar advanced features to scan data sources with the Vault Radar agent, and correlates findings with HCP Vault to manage secrets.
HCP Vault Radar developer - Learn how HashiCups developers use HCP Vault Radar advanced features to understand secret exposure, identify potential risks, and prevent leaked secrets during the software development lifecycle.