Configuring Zero Trust
If you did not install Zero Trust with the Apply All Tanium recommended configurations option, you must enable and configure certain features.
When you import Zero Trust with automatic configuration, the following default settings are configured:
The following default settings are configured:
Importing the Zero Trust module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Zero Trust, the action group targets All Computers.
If you used automatic configuration and restricted targeting was disabled when you imported Zero Trust, configuring the Zero Trust action group is optional.
Select the computer groups to include in the Zero Trust action group.
- From the Main menu, go to Administration > Actions > Action Groups.
- Click Tanium Zero Trust.
- Select the computer groups that you want to include in the action group and click Save.
If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.
Set up Zero Trust to send data to your IAM provider.
Configure Entra ID
In the Microsoft Azure portal, create an app registration, configure the app permission, and then create an Azure client ID and secret for Zero Trust to use for authentication.
- Register Zero Trust with Entra ID.
For detailed steps, see Microsoft Azure documentation: Quickstart: Register an application. You do not need to configure the optional Redirect URI.
- Grant the necessary API permission.
- If administrator consent is required, make sure your Entra ID admin provides consent before you proceed to the next step.
- Add a client secret.
For detailed steps, see Microsoft Azure documentation: Quickstart: Add a client secret
Zero Trust also supports the use of certificates.
- From the App registration, go to Certificates & secrets.
- Enter a description for the client secret, select an expiration date, and then click Add.
- After you add the client secret, record the Value for the client secret and save it to a secure location. You cannot see this value again after you leave this page.
Configure Zero Trust
- From the Tanium Zero Trust menu, go to Overview.
- Click Settings and open the Microsoft Entra ID tab.
- Enter the following information:
Option Description Microsoft Entra ID Tenant ID The tenant ID for your Entra ID. Microsoft Entra ID App ID The application (client) ID of the application that interacts with Entra ID through the Microsoft Graph API. Authentication Select the authentication type for your Entra ID.
- If you select Secret, enter the value of the client secret in the provider field.
- If you select Certificate, upload the client certificate and enter the certificate password.
If you change any settings for your IAM provider, you must re-enter the certificate password.
- Click Save.
You can use the following set of predefined user roles to set up Zero Trust users.
To review specific permissions for each role, see User role requirements.
On installation, Zero Trust creates a Zero Trust user to automatically manage the Zero Trust service account. Do not edit or delete the Zero Trust user.
For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Zero Trust Operator
Assign the Zero Trust Operator role to users who manage the configuration and deployment of zero trust rules. Users with the Zero Trust Operator role can view all audit log entries, regardless of their assigned computer management group permissions.
Zero Trust User
Assign the Zero Trust User role to users who need to view rules.
Do not assign the Zero Trust Service Account and Zero Trust Service Account - All Content Sets roles to users. These roles are for internal purposes only.
Last updated: 9/22/2023 8:58 AM | Feedback