
Integrating with Microsoft Entra ID

The Shadow AI Remediation platform is deployed in Microsoft Entra ID as a multi-tenant application. Shadow AI Remediation uses the Microsoft Entra ID API to authenticate end users and administrators logging into the Shadow AI Remediation platform and to gather information on applications integrated with Microsoft Entra ID and their permissions.

Once integrated with Microsoft Entra ID, Shadow AI Remediation can:

  • Allow the browser extension and Shadow AI Remediation administrators to authenticate against the IdP.
  • Read the list of SaaS applications that have been installed in your organization, and parse SSO logs to continuously detect SSO’ed accounts.
  • Support listing user accounts, user groups, applications, and related user activity in the admin portal.
  • Review the IdP configuration, such as MFA settings and last password rotation dates.

You will first create an application integration in Microsoft Entra ID to configure authentication, and then create a Privileged Role Administrator.

To establish trust with Microsoft Entra ID, an Azure Active Directory Administrator with the Privileged Role Administrator role is required.

To configure authentication:

  1. Log into the Shadow AI Remediation admin console at https://app.savvy.security/ using your admin credentials.
  2. Go to Settings > General Settings.
  3. Select the Identity Provider tab.
  4. Select +Add.
  5. Select Azure AD.
  6. Select Connect.
  7. If you are an Azure Active Directory Administrator with an admin privileged role, select Open link.
    • Select the checkbox to accept the permissions requested by Shadow AI Remediation. For a full list of requested permissions, refer to Requested Permissions.
    • A confirmation page is displayed confirming trust has been successfully established.
  8. If you are not an Azure Active Directory Administrator with an admin privileged role, select Copy link.
    • Ask your Microsoft Entra ID administrator with an admin privileged role to click the copied link and establish trust.
    • Once trust is established, select Connect.
  9. A green dot is displayed confirming that connection was established.

Shadow AI Remediation admins can now access the Shadow AI Remediation portal. For more information refer to Accessing Shadow AI Remediation.

Requested Permissions

The following table shows the permissions required by Shadow AI Remediation applications from Microsoft Entra ID.

Microsoft Permission name           Description
Directory.Read.All                  Read directory data
User.Read.All                       Read all users' full profiles
Application.Read.All                Read all applications
AuditLog.Read.All                   Read all audit logs
Policy.Read.All                     Read all organizational policies (e.g., Conditional Access, authentication, token policies)
UserAuthenticationMethod.Read.All   Read all users' registered authentication methods (e.g., phone, FIDO2, Authenticator app)
email, openid, profile, User.Read   Log in (OpenID Connect 2.0) and read user's profile
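As an added check (example code, not part of this page or of the Shadow AI Remediation product): after consent is granted, compare the scopes actually consented to in your tenant against the documented list above and flag anything extra or write-capable, so later consent drift is noticed. It assumes you have already exported the grant's space-separated scope string (for a delegated grant, Microsoft Graph exposes this as the oauth2PermissionGrant scope property); the sample grants below are constructed.

```python
"""Audit the scopes consented to a multi-tenant app against the documented set.
Added example, not Savvy's code. Input is a space-separated scope string such as
the one Microsoft Graph returns in oauth2PermissionGrant.scope (assumption)."""
from dataclasses import dataclass, field

# Permissions listed in the Requested Permissions table on this page.
DOCUMENTED_PERMISSIONS = frozenset({
    "Directory.Read.All", "User.Read.All", "Application.Read.All",
    "AuditLog.Read.All", "Policy.Read.All", "UserAuthenticationMethod.Read.All",
    "email", "openid", "profile", "User.Read",
})

# Substrings that mark permissions able to change tenant state; none are documented.
WRITE_MARKERS = ("ReadWrite", "Write", "Manage", "AccessAsUser", "FullControl")


@dataclass
class AuditResult:
    missing: set = field(default_factory=set)        # documented but not granted
    unexpected: set = field(default_factory=set)     # granted but not documented
    write_capable: set = field(default_factory=set)  # granted and allows changes

    @property
    def ok(self) -> bool:
        # Missing scopes break the integration but are not a security finding.
        return not (self.unexpected or self.write_capable)


def parse_scope(scope: str) -> set:
    """Split a space-separated scope string, tolerating extra whitespace."""
    return {s for s in scope.split() if s}


def audit_grant(scope: str) -> AuditResult:
    granted = parse_scope(scope)
    return AuditResult(
        missing=set(DOCUMENTED_PERMISSIONS - granted),
        unexpected=set(granted - DOCUMENTED_PERMISSIONS),
        write_capable={p for p in granted if any(m in p for m in WRITE_MARKERS)},
    )


# Constructed samples: the grant as documented, and one where extra scopes were
# consented to later (Directory.ReadWrite.All is the one that should alarm you).
EXPECTED_GRANT = ("openid profile email User.Read Directory.Read.All User.Read.All "
                  "Application.Read.All AuditLog.Read.All Policy.Read.All "
                  "UserAuthenticationMethod.Read.All")
DRIFTED_GRANT = EXPECTED_GRANT + " Directory.ReadWrite.All Mail.Read"

if __name__ == "__main__":
    for name, scope in (("expected", EXPECTED_GRANT), ("drifted", DRIFTED_GRANT)):
        r = audit_grant(scope)
        print(f"{name}: ok={r.ok} unexpected={sorted(r.unexpected)} "
              f"write_capable={sorted(r.write_capable)} missing={sorted(r.missing)}")
```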

Creating a Privileged Role Administrator in Azure Active Directory

  1. Log in to Azure Portal at https://portal.azure.com/.
  2. Under Azure Services, select Azure Active Directory.
  3. Select Users and select the user that will be used for the Shadow AI Remediation authorization.
  4. From the left panel, select Assigned roles.
  5. Select Add assignment and select the checkbox beside Privileged role administrator.

The role is now assigned to the user. To verify, check that the Resource Name is set to Directory and the Assignment Path is set to Direct.