Keeper Security announced on June 25, 2026, that its new Keeper Teams App brings privileged access request and approval workflows directly into Microsoft Teams for organizations using Keeper Secrets Manager or KeeperPAM. The integration enables IT and security teams to manage and approve privileged access without ever leaving their collaboration hub.

Keeper has long championed a zero-knowledge security architecture, where all encryption and decryption happens on the client device and the company never has access to users' encryption keys or the secrets they protect. The Teams app extends that model to privileged access management (PAM), collapsing a process that once required separate consoles, ticketing systems, or email chains into a few clicks inside the Teams interface.

Zero-Knowledge PAM Meets Microsoft Teams

Privileged Access Management is a critical cybersecurity discipline that controls, monitors, and secures access to an organization's most sensitive systems and data. Typically, granting a user temporary elevated privileges means logging into a dedicated PAM console, submitting a ticket, or waiting for an email approval. Keeper's Teams App changes all that.

When a user needs to access a privileged resource—a database, a server, a cloud admin panel—they simply interact with the Keeper bot in a Teams channel or private chat. A request triggers a notification card to designated approvers, who can review the details (what resource, for how long, justification) and approve or deny inline. Once approved, the requester gains time-limited access, and all actions are logged for audit.

"Security teams live in collaboration tools like Teams and Slack," Darren Guccione, CEO and Co-founder of Keeper Security, said in a statement. "Bringing PAM approvals into that workflow eliminates the need to switch context, which means faster response times and less security fatigue."

How the Integration Works

The Keeper Teams App works with Keeper Secrets Manager (KSM) and the broader KeeperPAM platform. KSM is a cloud-based secrets management solution that uses zero-knowledge encryption to store infrastructure secrets such as API keys, certificates, and database passwords. KeeperPAM extends that with privileged session management, just-in-time access, and audit capabilities.

The Teams app is a front-end client for these services. It leverages the Microsoft Teams SDK and the Keeper backend to enable:

  • Request submission: Users type /keeper request and fill in details via an adaptive card.
  • Approval workflow: Approvers receive a Teams notification with a card showing request details. Buttons allow one-click approve or deny.
  • Audit trail: All requests, approvals, and accesses are logged in Keeper's Advanced Reporting and Alerts module and can be integrated with SIEM tools via syslog or REST API.
  • Zero-knowledge enforcement: Secret material never traverses the Teams channel in plaintext. Approval only grants access within Keeper's vault; the actual credential is decrypted on the user's device when used.

The app supports both desktop and mobile Teams clients, ensuring that approvers can respond from anywhere.

Why Zero-Knowledge Matters for PAM

Traditional privileged access tools often rely on a centralized secret store where the vendor holds encryption keys. This model creates a single point of failure: if the vendor is compromised, all customer secrets can be decrypted. Keeper's zero-knowledge approach eliminates that risk.

In Keeper's architecture, each user's master password derives a 256-bit AES key that encrypts their vault. The master password is never transmitted to Keeper's servers. When a user shares a secret, Keeper performs an encrypted key exchange using public-key cryptography, but the plaintext keys remain on the devices. For shared secrets, Keeper uses "record-level encryption" where each record has its own encryption key, and sharing involves encrypting that key with the recipient's public key.

Applied to PAM, even a privileged credential used for emergency access is never stored in a recoverable form on Keeper's infrastructure. Approving a PAM request in Teams simply triggers an encrypted key exchange between the requester and the secrets manager, all without Keeper ever seeing the plaintext credentials.

This design is crucial for compliance with frameworks like SOC 2, HIPAA, and GDPR, and it aligns with Executive Order 14028 on zero-trust architecture. Keeper states that its zero-knowledge model has been audited by independent security firms and is SOC 2 Type 2 compliant.

Deployment and Configuration

Setting up the Keeper Teams App requires an existing KeeperPAM or Keeper Secrets Manager subscription. Administrators deploy the app from the Teams admin center or Microsoft AppSource, then configure it via Keeper's admin console. Permissions are controlled through Keeper's role-based enforcement, which integrates with Microsoft Entra ID for identity federation and SCIM provisioning.

Once installed, end users must also have the Keeper desktop or mobile app installed, as the actual secret injection or retrieval still happens through Keeper's vault. The Teams app is purely an orchestration layer.

Pricing for KeeperPAM starts at a per-user subscription; exact costs are available from Keeper's sales team.

Benefits for IT and Security Teams

  • Faster Incident Response: During a security incident, an on-call engineer can request emergency access to a production server directly from the incident channel in Teams, and a lead can approve it instantly.
  • Reduced Shadow IT: By embedding security into the collaboration tool that employees already use, organizations reduce the temptation to bypass approvals via SMS or unsecured side-channels.
  • Improved Compliance: Every request and approval is captured in an immutable log, satisfying auditors.
  • Seamless User Experience: No training required for the Teams interface, lowering the barrier to adopting strong PAM practices.
  • Integration with Microsoft Ecosystem: The app respects Microsoft 365 security settings, such as sensitivity labels and data loss prevention policies, when used within Teams.

Real-World Use Cases

Consider a DevOps engineer needing to rotate a database credential. Instead of opening a ticket, they ask in the #db-admins channel, receive approval, and Keeper's rotation engine automatically updates the password. Or a finance user needing temporary read-only access to a sensitive report: the request is approved by a manager during a Teams call, and access is granted for 15 minutes.

Keeper also highlights its zero-trust network access (ZTNA) integration. When a PAM request includes access to an internal application, Keeper can broker a session through its own ZTNA proxy, ensuring that the user never directly touches the application network. This can all be triggered from the Teams approval.

The Technical Architecture Deep Dive

Under the hood, the Keeper Teams App uses the latest Microsoft Teams JavaScript client library (v2) and the Graph API to deliver a native feel. Approval cards are rich adaptive cards that can display dynamic information like resource name, access type, and expiration time.

When an approval is granted, Keeper's backend orchestrates the just-in-time provisioning. For a database credential, KSM temporarily injects the secret into the requester's vault. That secret is encrypted with the requester's public key and can only be decrypted by their device. Once the access period expires, the secret is automatically revoked and the key exchange is torn down.

All session activity can be recorded and played back using Keeper's session recording capabilities, which capture commands and visual changes without storing plaintext credentials. These recordings are also encrypted and accessible only to authorized auditors.

Contrast with Native Microsoft PIM

Microsoft already offers privileged access management within its ecosystem through Entra Privileged Identity Management (PIM), which provides just-in-time role activation for Azure resources. However, PIM is deeply tied to Azure AD managed identities and doesn't natively extend to on-premises systems, multi-cloud environments, or non-Azure secrets. Keeper's integration bridges that gap, managing secrets across heterogeneous environments while leveraging Teams for the approval workflow.

Additionally, Microsoft's zero-trust model does not include a native zero-knowledge encryption guarantee for stored secrets. Keeper fills that niche for organizations with strict encryption requirements or data sovereignty concerns.

Industry Trend: Collaboration-Centric Security

Keeper is not alone in recognizing that security workflows should live where collaboration happens. Competitors like CyberArk and BeyondTrust offer Slack and Teams integrations, but Keeper claims its zero-knowledge architecture gives it a unique advantage for organizations with strict encryption or data sovereignty requirements.

The announcement comes as regulatory pressure around privileged access intensifies. According to the 2025 Verizon Data Breach Investigations Report, 74% of breaches involved the human element, including misuse of privileges. Streamlining PAM while maintaining security is no longer optional.

Gartner recently predicted that "by 2026, 70% of organizations will use zero-trust principles for privileged access, up from 30% in 2023." Keeper's Teams integration makes that transition smoother by embedding security into an already familiar interface.

What's Next for Keeper Security

Keeper plans to expand the Teams integration to include more automation triggers. For example, when a DevOps pipeline fails, a PAM request could be auto-generated in the project's Teams channel. The company also hinted at deeper integration with Microsoft Sentinel and Microsoft Defender for Cloud, allowing security alerts to spawn PAM requests for investigation.

Keeper's roadmap includes support for adaptive approval policies based on risk signals from Microsoft Intune or Entra Conditional Access. For instance, if a user's device is non-compliant, approval might be denied or require additional verification.

The Keeper Teams App is available starting June 25, 2026, for all KeeperPAM and Keeper Secrets Manager customers at no additional cost. Organizations can download it from Microsoft AppSource or the Keeper admin portal.

As the line between collaboration and security continues to blur, integrations like this point toward a future where security is not a separate task but an inherent part of how teams work together.