Customers in our Office 365 government clouds (GCC, GCCH, and DoD) are continuing to evolve how they do business in the hybrid workplace. As Microsoft Teams is the primary tool for communication and collaboration, customers are looking to improve productivity by integrating their business processes directly into Microsoft Teams via third-party (3P) applications or line-of-business (LOB)/homegrown application integrations.
Common business processes integrated into Microsoft Teams can range from Information Technology (IT) Service Management (ITSM), Content Approval Workflows, to Human Resources requests. Just know that your commonly used business processes and non-Microsoft software services are now surfacing inside of Microsoft Teams!
The common scenario we’ve heard from our customers is: “There are some daily-used non-Microsoft applications that we would like to incorporate into Microsoft Teams. Is it accredited to use in our O365 government cloud? Where should I check?”
With current trends, we wanted to provide a reference on where to look when you are planning for integration within Teams.
Option 1: 3P Applications in Teams for Government
Step 1: Check the Teams App Store
One of the first places most customers check is the Teams App Store for available apps suitable for their business needs. By searching the app store with keywords such as ‘GCC’ or ‘government’, you can find applications specifically built for the government industry. Applications in the Teams App Store have gone through the rigorous Microsoft Teams store validation process for compliance and testing.
*Please note: GCC High and DoD tenants do not have a public Teams App Store but are able to sideload apps into their tenant-specific app store.
Each app has a store tile which provides an app description, included capabilities and features, plus the permissions the app requires for use.
Image above depicts MyHub for GCC and the description of the MyHub product.
Image above depicts Adobe Sign for Government and the Adobe Sign app features.
Step 2: Check Security & Compliance for the Teams App
While the information from the Teams App Store might be enough for some organizations, further investigation may be required into how the application handles data and whether it is up to security/compliance requirements.
The Microsoft Teams Apps Security and Compliance Docs page provides customers key information to assess and manage risk for the Microsoft Teams 3P app under consideration. Clicking each topic in the screenshot below displays the related information. Below is an example showcasing the information for Adobe Acrobat Sign.
Compliance
While all sections are important, one of the tabs most frequently visited by government agencies is the Compliance tab, where one can check if a 3P app is FedRAMP-compliant. Link to an example of a FedRAMP-compliant Teams app.
Image referencing FedRAMP compliance above.
Identity
Another common tab is the Identity tab which provides information around Graph permissions.
Image showing the privileges under Identity tab above.
Step 3: Validating Product Compliance on the FedRAMP website
The Federal Risk and Authorization Management Program (FedRAMP) is a standardized approach to security assessment for cloud service offerings with the intent to deploy to Federal agencies. FedRAMP makes it possible for agencies and cloud service providers to reuse authorizations.
*Please note: Microsoft does not own or manage the FedRAMP site or program. FedRAMP is a United States federal government-wide program (owned by GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Using the FedRAMP Marketplace, you can look up approved products/providers for your own and other agencies.
Image depicting sorting/filtering options in FedRAMP marketplace above.
Using the FedRAMP site:
The left column in the Marketplace provides a search function to query based on your needs. For the Products tab, search based on the product name or company. For the Agencies tab, search by organization name.
Image depicting filter and search bar above.
When filtering by product, key areas to consider are marked on the image below, including Impact Level, Current Status, etc.
Image depicting FedRAMP key focal areas above using ServiceNow as an example.
Furthermore, other agencies using specific products are listed on the FedRAMP site as well. This provides an Agency-to-Agency reference when looking for deployment guidance and lessons learned. The agencies using a product are listed at the bottom of the product offering page. Example of FedRAMP product page.
Image depicting other Agencies using a specific product above.
To filter by Product, use the Product Marketplace link. To filter by Agency, use the Agencies Marketplace link.
Option 2: Line of Business (LOB)/Homegrown Teams Apps
Microsoft Teams allows developers within your organization to build, test, and deploy custom apps for your organization's internal users. Such apps are called custom apps or Line of Business (LOB) apps. Your organization may commission the creation of custom apps for org-specific requirements. For more information, click here.
Customers in GCC High and DoD do not have access to the Teams public app store and will therefore need to get app packages directly from software vendors. For example, ServiceNow is able to provide a Teams app package that points to their FedRAMP accredited environments. In this type of scenario, customers wonder how they can validate this app package for security risks/requirements. Most of the app packages that customers are receiving from vendors point to FedRAMP accredited services and endpoints, just like the above ServiceNow example. If your agency has an existing Authority To Operate (ATO) with the vendor, sideloading that app into Teams may fall under the same ATO umbrella and may not need a separate review. Note, apps in Teams are simply connecting to an existing service endpoint that may already have been approved for use on your network.
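One way to check which endpoints a vendor-supplied app package points to before sideloading it, shown as an added example that is not Microsoft's or any vendor's code. It reads `manifest.json` from the package zip and reports hosts that are not on your approved list; the hostnames, IDs, `APPROVED_HOSTS` and the sample manifest are constructed assumptions.

```python
import io, json, zipfile
from urllib.parse import urlparse

# Assumption: hosts your agency has already authorized (constructed placeholder).
APPROVED_HOSTS = {"agency.vendor.example"}

# Constructed sample manifest; field names follow the Teams app manifest schema.
SAMPLE_MANIFEST = {
    "developer": {"websiteUrl": "https://agency.vendor.example",
                  "privacyUrl": "https://agency.vendor.example/privacy"},
    "staticTabs": [{"entityId": "home", "contentUrl": "https://agency.vendor.example/teams"}],
    "bots": [{"botId": "00000000-0000-0000-0000-000000000002", "scopes": ["personal"]}],
    "permissions": ["identity"],
    "validDomains": ["agency.vendor.example", "*.cdn.example", "commercial.vendor.example"],
}

def build_sample_package():
    """Zip the sample manifest in memory, the way a vendor package is shipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("manifest.json", json.dumps(SAMPLE_MANIFEST))
    return buf.getvalue()

def collect_hosts(manifest):
    """Return (location, host) for every endpoint the manifest references."""
    found = [("validDomains", d.lower()) for d in manifest.get("validDomains", [])]
    urls = [("developer", u) for u in manifest.get("developer", {}).values()]
    urls.append(("webApplicationInfo", manifest.get("webApplicationInfo", {}).get("resource")))
    for section in ("staticTabs", "configurableTabs"):
        for tab in manifest.get(section, []):
            urls += [(section, tab.get(k)) for k in ("contentUrl", "websiteUrl", "configurationUrl")]
    for where, url in urls:
        host = urlparse(url or "").hostname
        if host:
            found.append((where, host))
    return found

def review_package(zip_bytes, approved=APPROVED_HOSTS):
    """List hosts needing review, plus the bot IDs and permissions to record."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        manifest = json.loads(pkg.read("manifest.json"))
    findings = []
    for where, host in collect_hosts(manifest):
        if "*" in host:
            findings.append((where, host, "wildcard domain"))
        elif not any(host == a or host.endswith("." + a) for a in approved):
            findings.append((where, host, "not on approved list"))
    return {"findings": findings, "permissions": manifest.get("permissions", []),
            "bot_ids": [b.get("botId") for b in manifest.get("bots", [])]}
```

Calling `review_package(build_sample_package())` flags the wildcard entry and the unapproved host in `validDomains`, and returns the bot ID and permissions so they can be recorded in the review.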
If your organization would like to build your own custom app, learn more by visiting our new Teams App Camp!
Summary
We covered looking at 3rd party applications from the Teams App Store, reviewing Microsoft Teams Apps Security and Compliance to assess and manage risk, and finally, reviewing the FedRAMP site for accreditation and Agency-to-Agency references.
For customers that use non-Microsoft services today and would like to see those integrations brought into Teams, please contact your Product Vendor to request the application and express the desired supported cloud, as well as your Microsoft account team for awareness and options.
If your agency wants to build its own Teams application and/or engage with Teams Engineering, please contact your Microsoft account team for coordination.