Skip to main content
All CollectionsSalto for other applications
Salto for Microsoft Security - Entra ID and Intune overview
Salto for Microsoft Security - Entra ID and Intune overview
Support avatar
Written by Support
Updated over 2 months ago

Learn how to manage your Microsoft Security configuration with Salto.
You can manage one or more of the following services:

  • Microsoft Entra ID (Azure AD)

  • Microsoft Intune

Salto's Microsoft Security adapter allows you to:

  • Fetch and deploy common Microsoft Entra ID and Microsoft Intune configuration data. See the full list below.

  • Compare your tenants configuration.

  • Document configuration changes.

  • Monitor specific changes of interest, e.g., changes in conditional access policies and group assignments.

  • Back up & restore your configuration.

Supported Types

You can choose to manage Entra ID, Intune, or both. Please note that even if you decide not to manage Entra ID, Salto will still manage your tenant's groups to support group assignments in Intune.

Entra ID types

  • Conditional Access Policies

    • Named locations

  • Authentication Methods

  • Authentication Strengths

  • Enterprise Applications (Service Principals)

    • Delegated permission classifications

    • App role assignments

  • App Registrations (Applications)

  • Groups

    • App role assignments

  • Administrator roles (Directory Roles)

  • Role Definitions

  • Domains

  • Administrative Units

  • OAuth2 Permission Grants

  • Custom Security Attributes, includes:

    • Attribute Sets

    • Attribute Definitions

    • Allowed Attribute Values

  • Group Lifecycle Policy

Intune types

The following types are supported for all platforms (Android, IOS, Windows, maxOS, linux, etc.)

  • Applications

  • Application Configurations - Managed Apps

  • Application Configurations - Managed Devices

  • Application Protections

  • Device configurations

  • Device configurations - Setting Catalog

  • Device Compliances

  • Assignments Filters

  • Platform Scripts

  • Scope Tags

Connect your Microsoft tenant

To connect your Microsoft tenant to Salto, you must utilize OAuth for authentication. Here’s a step-by-step guide to help you through the process:

Configure your tenant

  1. Register an app in your Entra Admin Center by following this guide.

    1. Under the Redirect URI section, select 'Web' and set the redirect URI to: https://app.salto.io/microsoft-security-oauth2-redirect

    2. If you didn't set the Redirect URI when creating the app, or if you want to add another one, you can find it under App Registrations -> YourNewApp -> Overview -> Redirect URIs.

  2. Add a client secret to your app by following this guide.
    Don't forget to securely save it on creation, as client secret values cannot be viewed after creation.

  3. Assign the following roles to the user you will use to authenticate. Without these roles, you will still be able to authenticate, but you will not be able to get/modify some of the data:

    1. Global Administrator

    2. Attribute Definition Administrator.

    3. One of the following roles: Conditional Access Administrator, Security Administrator, Security Reader.

    4. One of the following roles: Global Reader, Authentication Administrator, Privileged Authentication Administrator.

    5. Authentication Policy Administrator.

For authentication in Salto, you will need the Client Secret (which you saved earlier), the Tenant ID, and the Client ID, all available in the Overview section of the app you registered.

Connect with Salto

Now, you can connect your Microsoft tenant within Salto:

  1. Navigate to the newly created environment and click 'Connect an application'.

  2. Select Microsoft Security from the list.

  3. Provide the Tenant ID, Client ID and Client Secret you obtained earlier.

  4. Proceed to the consent screens.

Did this answer your question?