Learn how to manage your Microsoft Security configuration with Salto.
You can manage one or more of the following services:
Microsoft Entra ID (Azure AD)
Microsoft Intune
Salto's Microsoft Security adapter allows you to:
Fetch and deploy common Microsoft Entra ID and Microsoft Intune configuration data. See the full list below.
Compare your tenants configuration.
Document configuration changes.
Monitor specific changes of interest, e.g., changes in conditional access policies and group assignments.
Back up & restore your configuration.
Supported Types
You can choose to manage Entra ID, Intune, or both. Please note that even if you decide not to manage Entra ID, Salto will still manage your tenant's groups to support group assignments in Intune.
Entra ID types
Conditional Access Policies
Named locations
Authentication Methods
Authentication Strengths
Enterprise Applications (Service Principals)
Delegated permission classifications
App role assignments
App Registrations (Applications)
Groups
App role assignments
Administrator roles (Directory Roles)
Role Definitions
Domains
Administrative Units
OAuth2 Permission Grants
Custom Security Attributes, includes:
Attribute Sets
Attribute Definitions
Allowed Attribute Values
Group Lifecycle Policy
Intune types
The following types are supported for all platforms (Android, IOS, Windows, maxOS, linux, etc.)
Applications
Application Configurations - Managed Apps
Application Configurations - Managed Devices
Application Protections
Device configurations
Device configurations - Setting Catalog
Device Compliances
Assignments Filters
Platform Scripts
Scope Tags
Connect your Microsoft tenant
To connect your Microsoft tenant to Salto, you must utilize OAuth for authentication. Here’s a step-by-step guide to help you through the process:
Configure your tenant
Register an app in your Entra Admin Center by following this guide.
Under the Redirect URI section, select 'Web' and set the redirect URI to:
https://app.salto.io/microsoft-security-oauth2-redirect
If you didn't set the Redirect URI when creating the app, or if you want to add another one, you can find it under
App Registrations -> YourNewApp -> Overview -> Redirect URIs
.
Add a client secret to your app by following this guide.
Don't forget to securely save it on creation, as client secret values cannot be viewed after creation.Assign the following roles to the user you will use for authentication. While authentication will still be possible without these roles, certain data retrieval or modification capabilities will be restricted:
Read-only access:
Global Reader
andAttribute Definition Reader
Read & write access:
Global Administrator
andAttribute Definition Administrator
.
In both access modes, the
Attribute Definition
role is only required if you manage Entra.
For authentication in Salto, you will need the Client Secret (which you saved earlier), the Tenant ID, and the Client ID, all available in the Overview section of the app you registered.
Connect with Salto
Now, you can connect your Microsoft tenant within Salto:
Navigate to the newly created environment and click 'Connect an application'.
Select Microsoft Security from the list.
Provide the Tenant ID, Client ID and Client Secret you obtained earlier.
Proceed to the consent screens.