Configuring Zero Trust

If you did not install Zero Trust with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Zero Trust action group to target the No Computers filter group by enabling restricted targeting before adding Zero Trust to your Tanium licenseimporting Zero Trust. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Zero Trust action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Zero Trust with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

(Optional) Configure the Zero Trust action group

Importing the Zero Trust module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Zero Trust, the action group targets All Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Zero Trust, configuring the Zero Trust action group is optional.

Select the computer groups to include in the Zero Trust action group.

Clear the selection for All Computers and make Make sure that all operating systems that are supported by Zero Trust are included in the Zero Trust action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Zero Trust.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Configure IAM provider settings

Set up Zero Trust to send data to your IAM provider.

Configure Entra ID

In the Microsoft Azure portal, create an app registration, configure the app permission, and then create an Azure client ID and secret for Zero Trust to use for authentication.

  1. Register Zero Trust with Entra ID.

    For detailed steps, see Microsoft Azure documentation: Quickstart: Register an application. You do not need to configure the optional Redirect URI.

    1. Go to App registrations and click New Registration.
    2. Enter a name for the Zero Trust registration, and then select the supported account types. When finished, click Register.
    3. Record the Application (client) ID for the new registration.
  2. Grant the necessary API permission.
    1. From the App registration, go to API permissions and select Add a permission.
    2. From the Request API permissions panel, select Microsoft Graph.
    3. Select Application permissions.
    4. Select the Device.ReadWrite.All permission and then click Add permissions.
  3. If administrator consent is required, make sure your Entra ID admin provides consent before you proceed to the next step.
  4. Add a client secret.
    For detailed steps, see Microsoft Azure documentation: Quickstart: Add a client secret

    Zero Trust also supports the use of certificates.

    1. From the App registration, go to Certificates & secrets.
    2. Enter a description for the client secret, select an expiration date, and then click Add.
    3. After you add the client secret, record the Value for the client secret and save it to a secure location. You cannot see this value again after you leave this page.

Configure Zero Trust

  1. From the Tanium Zero Trust menu, go to Overview.
  2. Click Settings and open the Microsoft Entra ID tab.
  3. Enter the following information:
    Microsoft Entra ID Tenant IDThe tenant ID for your Entra ID.
    Microsoft Entra ID App IDThe application (client) ID of the application that interacts with Entra ID through the Microsoft Graph API.
    AuthenticationSelect the authentication type for your Entra ID.
    • If you select Secret, enter the value of the client secret in the provider field.
    • If you select Certificate, upload the client certificate and enter the certificate password.

    If you change any settings for your IAM provider, you must re-enter the certificate password.

  4. Click Save.

Set up Zero Trust users

You can use the following set of predefined user roles to set up Zero Trust users.

To review specific permissions for each role, see User role requirements.

On installation, Zero Trust creates a Zero Trust user to automatically manage the Zero Trust service account. Do not edit or delete the Zero Trust user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Zero Trust Operator

Assign the Zero Trust Operator role to users who manage the configuration and deployment of zero trust rules. Users with the Zero Trust Operator role can view all audit log entries, regardless of their assigned computer management group permissions.

Zero Trust User

Assign the Zero Trust User role to users who need to view rules.

Do not assign the Zero Trust Service Account and Zero Trust Service Account - All Content Sets roles to users. These roles are for internal purposes only.