Once you've added a Microsoft Security application connection to your environment, you can tailor its behavior to suit your specific setup and organizational needs.
To access the customization options:
1. Navigate to Environment Settings → Application Connections
2. Click the three dots next to the relevant Microsoft Security application
3. Select Edit Configuration File
For general guidance on editing the configuration file, refer to the Salto Configuration File article.
Excluding elements
You can edit the Salto Configuration File to exclude specific elements that you do not wish to view or manage with Salto. You can choose which types to exclude and which instances of these types to exclude. To do this, use the exclude list under the fetch section of the Salto Configuration File.
For example, this file fetches all types but excludes every conditional access policy whose display name contains "test":
microsoft_security {
  fetch = {
    include = [
      {
        type = ".*"
      }
    ]
    exclude = [
      {
        type = "EntraConditionalAccessPolicy"
        criteria = {
          displayName = ".*test.*"
        }
      }
    ]
  }
}
Handling Assignment Differences Across Environments
When working across multiple environments, assignment fields can differ significantly. For instance, one environment might assign groups synced from an external resource, while another may not manage those groups at all. These differences can cause unnecessary diffs and missing references or dependencies when comparing configurations between environments.
By default, Salto deploys all fields as-is. This can be problematic if environments are not aligned in terms of apps, groups, users, or devices.
To avoid noise and ensure successful deployments, Salto allows you to customize how assignment fields are handled, using either omission or fallback strategies.
Customizing Assignments Deployment
You can configure an assignment field strategy with two main options:
omit: The field will not be deployed. If the field is required by Microsoft, Salto will automatically replace it with a placeholder (e.g., ["None"]).
fallback (only for EntraConditionalAccessPolicy): You can provide a fallback value that will be used in place of the actual value (e.g., ["All"]).
⚠️ Caveat: modifying the same environment
Note: If you restore or modify a configuration in the same environment where the strategy is defined, Salto may still omit the fields. This might not align with the original intent of preserving the field's value; use with care.
Cheatsheet - Common Use Cases
Conditional Access Policy:
Omit group assignments, include all users and all applications:
microsoft_security {
  fetch = {
    ...
  }
  deploy = {
    assignmentFieldsStrategy = {
      EntraConditionalAccessPolicy = {
        includeGroups = {
          strategy = "omit"
        }
        excludeGroups = {
          strategy = "omit"
        }
        includeUsers = {
          strategy = "fallback"
          fallbackValue = ["All"]
        }
        excludeUsers = {
          strategy = "omit"
        }
        includeApplications = {
          strategy = "fallback"
          fallbackValue = ["All"]
        }
        excludeApplications = {
          strategy = "omit"
        }
      }
    }
  }
}
Intune types - for example Applications:
microsoft_security {
  fetch = {
    ...
  }
  deploy = {
    assignmentFieldsStrategy = {
      IntuneApplication = {
        assignments = {
          strategy = "omit"
        }
      }
    }
  }
}
Supported Instance Types
You can define assignment field strategies for the following types:
EntraConditionalAccessPolicy
IntuneApplication
IntuneApplicationConfigurationManagedApp
IntuneApplicationConfigurationManagedDevice
IntuneApplicationProtection
IntuneDeviceConfiguration
IntuneDeviceCompliance
IntuneFilter
IntunePlatformScript
IntuneScopeTag
For Intune types (IntuneApplication, IntuneDeviceCompliance, and so on), only the assignments field can be customized.
For EntraConditionalAccessPolicy, more granular fields under the conditions block can be targeted:
includeUsers, excludeUsers
includeGroups, excludeGroups
includeRoles, excludeRoles
includeDevices, excludeDevices
includeApplications, excludeApplications
includeServicePrincipals, excludeServicePrincipals
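The configuration below is an added illustration, not taken from the Salto documentation or the adapter's source. It combines the fetch exclusion shown earlier with assignment strategies for the granular conditions fields the cheat sheet does not cover (roles, devices, service principals) and with a second Intune type, IntuneDeviceCompliance. It assumes that several type keys can sit together under one assignmentFieldsStrategy block (the page shows one type per example), that each granular field is configured in the same shape as includeGroups, and that HCL-style // comments are accepted by the configuration file parser.

```hcl
microsoft_security {
  fetch = {
    include = [
      {
        type = ".*"
      }
    ]
    // Keep throwaway policies out of the workspace entirely (same criteria as the example above).
    exclude = [
      {
        type = "EntraConditionalAccessPolicy"
        criteria = {
          displayName = ".*test.*"
        }
      }
    ]
  }
  deploy = {
    // Assumption: multiple type keys may coexist under one assignmentFieldsStrategy block.
    assignmentFieldsStrategy = {
      EntraConditionalAccessPolicy = {
        // Scope to everyone, and drop environment-specific group and role assignments.
        includeUsers = {
          strategy = "fallback"
          fallbackValue = ["All"]
        }
        excludeUsers = {
          strategy = "omit"
        }
        includeGroups = {
          strategy = "omit"
        }
        excludeGroups = {
          strategy = "omit"
        }
        includeRoles = {
          strategy = "omit"
        }
        excludeRoles = {
          strategy = "omit"
        }
        // Device and service principal filters usually reference environment-local objects.
        includeDevices = {
          strategy = "omit"
        }
        excludeDevices = {
          strategy = "omit"
        }
        includeServicePrincipals = {
          strategy = "omit"
        }
        excludeServicePrincipals = {
          strategy = "omit"
        }
        includeApplications = {
          strategy = "fallback"
          fallbackValue = ["All"]
        }
        excludeApplications = {
          strategy = "omit"
        }
      }
      // Intune types expose only the assignments field; fallback is not available here.
      IntuneApplication = {
        assignments = {
          strategy = "omit"
        }
      }
      IntuneDeviceCompliance = {
        assignments = {
          strategy = "omit"
        }
      }
    }
  }
}
```

Before relying on a file like this, deploy a single policy to a non-production environment and compare the result against the source: a field that was omitted but is required will show up with the ["None"] placeholder, which is the signal to switch that field to a fallback value (or leave it managed per environment) rather than silently widening or narrowing the policy's scope.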