Where to Start with Microsoft Teams Apps in Gov Clouds
Published Sep 27 2022 10:00 AM
Microsoft

Customers in our Office 365 government clouds, GCC, GCCH, and DoD, are continuing to evolve how they do business in the hybrid workplace. As Microsoft Teams is the primary tool for communication and collaboration, customers are looking to improve productivity by integrating their business processes directly into Microsoft Teams via third-party (3P) applications or line-of-business (LOB)/homegrown application integrations.

 

Common business processes integrated into Microsoft Teams can range from Information Technology (IT) Service Management (ITSM), Content Approval Workflows, to Human Resources requests. Just know that your commonly used business processes and non-Microsoft software services are now surfacing inside of Microsoft Teams! 

 

The common scenario we’ve heard from our customers is: “There are some daily-used non-Microsoft applications that we would like to incorporate into Microsoft Teams. Is it accredited to use in our O365 government cloud? Where should I check?”

 

With current trends, we wanted to provide a reference on where to look when you are planning for integration within Teams. 

 

Option 1: 3P Applications in Teams for Government 

 

Step 1: Check the Teams App Store 

 

One of the first places most customers check is the Teams App Store for available apps suitable for their business needs. By searching the app store with keywords such as ‘GCC’ or ‘government’, you can find applications specifically built for the government industry. Applications in the Teams App Store have gone through the rigorous Microsoft Teams store validation process for compliance and testing.

 

*Please note: GCC High and DoD tenants do not have a public Teams App Store but are able to sideload apps into their tenant-specific app store.*

 

Each app has a store tile which provides an app description, included capabilities and features, plus the permissions the app requires for use.  

 


Image above depicts MyHub for GCC and the description of the MyHub product. 

 


Image above depicts Adobe Sign for Government and the Adobe Sign app features. 

 

 

Step 2: Check Security & Compliance for the Teams App 

 

While the information from the Teams App Store might be enough for some organizations, others may need to investigate further how the application handles data and whether it is up to their security/compliance requirements.

 

The Microsoft Teams Apps Security and Compliance Docs page provides customers key information to assess and manage risk for the Microsoft Teams 3P app under consideration. Clicking each topic in the screenshot below displays the related information. Below is an example showcasing the information for Adobe Acrobat Sign.

 


 

 

 

Compliance 

While all sections are important, one of the tabs most frequently visited by government agencies is the Compliance tab, where one can check if a 3P app is FedRAMP-compliant. Link to an example of a FedRAMP-compliant Teams app.

 


 

 

Image referencing FedRAMP compliance above.  

 

 

Identity 

Another common tab is the Identity tab, which provides information about Graph permissions.

 


 

 

Image showing the privileges under Identity tab above. 

 

 

Step 3: Validating Product Compliance on the FedRAMP website 

 

The Federal Risk and Authorization Management Program (FedRAMP) is a standardized approach to security assessment for cloud service offerings with the intent to deploy to Federal agencies. FedRAMP makes it possible for agencies and cloud service providers to reuse authorizations.

 

*Please Note: Microsoft does not own or manage the FedRAMP site or program. FedRAMP is a United States federal government-wide program (owned by GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.*

 

Using the FedRAMP Marketplace, you can look up approved products/providers for your own and other agencies.  

 


 

Image depicting sorting/filtering options in FedRAMP marketplace above. 

 

 

Using the FedRAMP site: 

 

The left column in the Marketplace provides a search function to query based on your needs. For the Products tab, search based on the product name or company. For the Agencies tab, search by organization name.  


Image depicting filter and search bar above. 

 

 

When filtering by product, key areas to consider are marked on the image below, including Impact Level, Current Status, etc.

 


Image depicting FedRAMP key focal areas above using ServiceNow as an example.  

 

Furthermore, other agencies using specific products are listed on the FedRAMP site as well. This provides an Agency-to-Agency reference when looking for deployment guidance and lessons learned. The Agencies using a product are listed at the bottom of the Product offering page. Example of FedRAMP product page.

 


Image depicting other Agencies using a specific product above. 

 

To filter by Product, use the Product Marketplace link. To filter by Agency, use the Agencies Marketplace link. 

 

Option 2: Line of Business (LOB)/Homegrown Teams Apps 

 

Microsoft Teams allows developers within your organization to build, test, and deploy custom apps for your organization's internal users. Such apps are called custom apps or Line of Business (LOB) apps. Your organization may commission the creation of custom apps for org-specific requirements. For more information, click here.

 

Customers in GCC High and DoD do not have access to the Teams public app store and will therefore need to get app packages directly from software vendors. For example, ServiceNow is able to provide a Teams app package that points to their FedRAMP-accredited environments. In this type of scenario, customers wonder how they can validate this app package for security risks/requirements. Most of the app packages that customers are receiving from vendors point to FedRAMP-accredited services and endpoints, just like the above ServiceNow example. If your agency has an existing Authority To Operate (ATO) with the vendor, sideloading that app into Teams may fall under the same ATO umbrella and may not need a separate review. Note that apps in Teams are simply connecting to an existing service endpoint that may already have been approved for use on your network.
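One way to run the check described above on a vendor-supplied package before sideloading, as an added example that is not from the original post or from Microsoft: it reads the package's manifest.json, collects every host the app declares, and flags those outside an approved list, along with the resource-specific permissions and bot IDs the app requests. The approved suffix, the sample package and the function names are assumptions made up for the illustration.

```python
import io, json, zipfile
from urllib.parse import urlsplit

# Assumption: domain suffixes your agency has already approved (constructed values).
APPROVED = ("vendor-gov.example",)

def url_hosts(node):
    """Yield the host of every http(s) URL string nested anywhere in the manifest."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from url_hosts(item)
    elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
        yield (urlsplit(node).hostname or "").lower()

def audit_package(zip_bytes, approved=APPROVED):
    """Report where a Teams app package points and which RSC permissions it requests."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        manifest = json.loads(pkg.read("manifest.json").decode("utf-8-sig"))
    manifest.pop("$schema", None)  # schema URL is metadata, not an endpoint
    hosts = set(url_hosts(manifest)) | {d.lower() for d in manifest.get("validDomains", [])}
    def is_approved(host):
        bare = host[2:] if host.startswith("*.") else host  # "*.x.example" -> "x.example"
        return any(bare == s or bare.endswith("." + s) for s in approved)
    rsc = manifest.get("authorization", {}).get("permissions", {}).get("resourceSpecific", [])
    return {
        "unapproved_hosts": sorted(h for h in hosts if h and not is_approved(h)),
        "rsc_permissions": [f"{p['name']} ({p['type']})" for p in rsc],
        "bot_ids": [b["botId"] for b in manifest.get("bots", [])],
    }

def sample_package():
    """Constructed package, trimmed to the fields the audit reads; all values made up."""
    site = "https://www.vendor-gov.example"
    manifest = {
        "manifestVersion": "1.16", "id": "00000000-0000-0000-0000-000000000000",
        "developer": {"name": "Vendor", "websiteUrl": site, "privacyUrl": site + "/privacy"},
        "staticTabs": [{"entityId": "home", "scopes": ["personal"],
                        "contentUrl": "https://teams.vendor-gov.example/tab"}],
        "bots": [{"botId": "11111111-1111-1111-1111-111111111111", "scopes": ["team"]}],
        "validDomains": ["teams.vendor-gov.example", "*.cdn-commercial.example"],
        "authorization": {"permissions": {"resourceSpecific": [
            {"name": "ChannelMessage.Read.Group", "type": "Application"}]}},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()
```

Calling `audit_package(sample_package())` flags the wildcard `*.cdn-commercial.example` entry, the one declared host that falls outside the approved suffix.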

 

If your organization would like to build your own custom app, learn more by visiting our new Teams App Camp! 

 

Summary 

 

We covered looking at 3rd party applications from the Teams App Store, reviewing Microsoft Teams Apps Security and Compliance to assess and manage risk, and finally, reviewing the FedRAMP site for accreditation for Agency-to-Agency references.  

 

For customers that use non-Microsoft services today and would like to see those integrations brought into Teams, please contact your Product Vendor to request the application and express the desired supported cloud, as well as your Microsoft account team for awareness and options.

 

If your agency wants to build its own Teams application and/or engage with Teams Engineering, please contact your Microsoft account team for coordination.

 

Last update: Sep 27 2022 10:52 AM