Salto uses the OAuth2 authentication method, which relies on client credentials with delegated permissions.

For setup instructions, see this help doc.

API Permissions

When authenticating Salto, you're prompted to consent to the following API permissions, which are required for managing Entra ID, Intune, or both.

For Entra ID:

AdministrativeUnit.ReadWrite.All
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
CustomSecAttributeDefinition.ReadWrite.All
Directory.ReadWrite.All
Domain.ReadWrite.All
Policy.Read.All
Policy.ReadWrite.AuthenticationMethod
Policy.ReadWrite.ConditionalAccess
Policy.ReadWrite.PermissionGrant
RoleManagement.ReadWrite.Directory
UserAuthenticationMethod.ReadWrite.All

For Intune:

DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementRBAC.ReadWrite.All
User.Read

Assigned Roles for Delegated Credentials

While no roles are required to authenticate Salto (besides granting admin consent for the API permissions listed above), roles are necessary to fetch or update specific parts of the data.

Our recommendation:

Grant read permissions to team credentials.
Grant write permissions to private credentials based on the user's roles in Entra.

Private credentials are personal and tied to each individual Salto user.

Fetch operations are performed using team credentials, regardless of the user initiating the fetch. Deployments, however, use the private credentials of the deployer.

Roles Required for Full Data Access and Deployment

To fetch all supported data:

Global Reader
Attribute Definition Reader (Entra only, not needed for Intune)

To deploy all supported changes:

Global Administrator
Attribute Definition Administrator (Entra only, not needed for Intune)

If you prefer granular role assignments, the following outlines the required roles for various operations, as detailed in the Microsoft Graph documentation.

For a breakdown of the actions enabled for each Entra ID built-in role, refer to this documentation.

Required Roles by resource (Salto type name) and operation

When multiple roles are listed under the same operation, assigning any one of them is sufficient.

Note: If a resource type is not listed here, it means that no special roles are required for its operations.

EntraGroup

Fetch:
- No specific role is required.
Deploy (Delete role-assignable groups not created by the user):
- Privileged Role Administrator
- Global Administrator

EntraGroup__appRoleAssignments

Fetch:
- Directory Readers
Deploy:
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator

EntraServicePrincipal

Fetch:
- Directory Readers
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Deploy:
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator

EntraOauth2PermissionGrant

Fetch:
- Global Reader
- Directory Readers
- Application Administrator
- Application Developer
- Cloud Application Administrator
- Directory Writers
- User Administrator
- Privileged Role Administrator
Deploy:
- Application Developer
- Cloud Application Administrator
- Directory Writers
- User Administrator
- Privileged Role Administrator

EntraCustomSecurityAttribute - set, definition, allowed values

Fetch:
- Attribute Assignment Reader
- Attribute Definition Reader
- Attribute Assignment Administrator
- Attribute Definition Administrator
Deploy:
- Attribute Definition Administrator

By default, Global Administrator and other administrator roles don't have permissions to read, define, or assign custom security attributes

EntraAuthenticationStrengthPolicy

Fetch:
- Conditional Access Administrator
- Security Administrator
- Security Reader
Deploy:
- Conditional Access Administrator
- Security Administrator

EntraDirectoryRole

Fetch:
- User Administrator
- Helpdesk Administrator
- Service Support Administrator
- Billing Administrator
- Mailbox Administrator
- Directory Readers
- Directory Writers
- Application Administrator
- Security Reader
- Security Administrator
- Privileged Role Administrator
- Cloud Application Administrator
- Customer LockBox Access Approver
- Dynamics 365 Administrator
- Power BI Administrator
- Azure Information Protection Administrator
- Desktop Analytics Administrator
- License Administrator
- Microsoft Managed Desktop Administrator
- Authentication Administrator
- Privileged Authentication Administrator
- Teams Communications Administrator
- Teams Communications Support Engineer
- Teams Communications Support Specialist
- Teams Administrator
- Insights Administrator
- Compliance Data Administrator
- Security Operator
- Kaizala Administrator
- Global Reader
- Volume Licensing Business Center User
- Volume Licensing Service Center User
- Modern Commerce Administrator
- Microsoft Store for Business User
- Directory Reviewer
Deploy (Add/remove members or activate directory role):
- Privileged Role Administrator

EntraDirectoryRoleTemplate

Fetch:
- Global Reader
Deploy:
- Not supported

Domain

Fetch:
- User Administrator
- Helpdesk Administrator
- Service Support Administrator
- Billing Administrator
- Mailbox Administrator
- Directory Readers
- Directory Writers
- AdHoc License Administrator
- Application Administrator
- Security Reader
- Security Administrator
- Privileged Role Administrator
- Cloud Application Administrator
- Customer LockBox Access Approver
- Dynamics 365 Administrator
- Power BI Administrator
- Azure Information Protection Administrator
- Desktop Analytics Administrator
- License Administrator
- Microsoft Managed Desktop Administrator
- Privileged Authentication Administrator
- Teams Communications Administrator
- Teams Communications Support Engineer
- Authentication Administrator
- Teams Communications Support Specialist
- Teams Administrator
- Insights Administrator
- Compliance Data Administrator
- Security Operator
- Kaizala Administrator
- Global Reader
- Volume Licensing Business Center User
- Volume Licensing Service Center User
- Modern Commerce Administrator
- Microsoft Store for Business User
- Directory Reviewer
- Domain Name Administrator
Deploy:
- Update:
  - Domain Name Administrator
  - Security Administrator
  - External Identity Provider Administrator
- Create/Delete:
  - Domain Name Administrator

Administrative Unit

Fetch:
- Directory Readers
- Global Reader
- Privileged Role Administrator
Deploy:
- Privileged Role Administrator

EntraAuthenticationMethodPolicy

Fetch:
- Global Reader
- Authentication Policy Administrator
Deploy:
- Authentication Policy Administrator

Conditional Access Policy (Including Named Locations)

Fetch:
- Global Secure Access Administrator (read standard properties)
- Security Reader
- Security Administrator
- Global Reader
- Conditional Access Administrator
Deploy:
- Security Administrator
- Conditional Access Administrator

Intune - all types (except groups)

Fetch:
- Security Operator
- Security Reader
Deploy:
- Intune Administrator