Microsoft Teams Jira 2-way integration security details
Security details about 2-way integration of Microsoft Teams and Jira On-Premises.
All communication with Move Work Forward systems is TLS/SSL encrypted using a AWS managed certificate.
For 2-way integration to work, the Move Work Forward’s system should be able to access your Jira, which means:
your Jira DNS name should be resolvable or you use an IP address (we can add an entry to the DNS to resolve it).
your Jira or network appliances in-between permit connectivity on port 443 (SSL) from the Move Work Forward systems.
Things to know from the Jira side
When Advanced Microsoft Teams Jira Connector is installed, it creates an Application Link for the Move Work Forward middleware system. It permits Jira components to call to the external system.
Important: you can delete the Application Link if you don’t plan to use 2-way integration.
Important: the Application Link will be created if you do decide to use 2-way integration in the future while mapping user accounts.
When you register your Jira tenant (System → Microsoft Teams → Bot Settings → Register). There is an API call to the Move Work Forward middleware system to register your Jira tenant. For a call to work, outgoing Internet access to the Move Work Forward system should be permitted. Tenant registration tenant call sends some security information for the Move Work Forward systems to be able to connect to Jira, BUT not all information is sent. The missing part is sent after the user account mapping.
When registering, the URL should be publicly accessible to Move Work Forward systems and your users. It is a base Jira URL for different actions and API calls.
When the users map Microsoft Teams and Jira accounts (using
connectcommand in Microsoft Teams bot chat), they are redirected to the protected Jira page when they Allow/Deny the usage of their Jira account when doing things in Jira (act-on-behalf permission). During this time, the user keys are securely sent to the Move Work Forward system for encrypted storage. As a result, Move Work Forward has four keys required to act on behalf of the user in Jira.
Our system will try to connect to your Jira and call the server info endpoint to verify that our system can connect to your Jira (including network and authentication checks).
If you need more details, please feel free to contact us.
Things to know from the Move Work Forward side
The sensitive information is sent via TLS/SSL connection and encrypted at rest using AWS KMS managed RSA256 tenant-specific keys.
Only the CEO/Founder of Move Work Forward can access the production systems.
Move Work Forward system stores the following data:
host base URL
who mapped Jira to Microsoft Teams
when the mapping has happened
If you need to delete your data mapping in our system, please contact us.
You need to enable outgoing traffic to
https://tenant.moveworkforward.net from your Jira nodes.
For the UI to load the Login to Microsoft Teams button, you need to make sure the end user machine can access the following domains/URLs:
Move Work Forward system is deploying in the
US-EAST-1 region of AWS. Our system is 100% Serverless, so we rely on Amazon for all security patches on OS levels.
We use the following AWS components:
AWS API Gateway
AWS Key Management Service
AWS Certificate Manager
AWS Dynamo DB
AWS Cloud Watch
AWS Route 53
AWS Global Accelerator
AWS Cloud Front
AWS Network Gateways and NAT Gateways
If you need our infra to be deployed to another region, please let us know.