Quickstart: Deploy Salem

This Quickstart guide was developed for Salem users who leverage Azure, Entra ID and MS Teams. If your use case deviates from this requirement please contact Salem Support at [email protected] for install instructions.

✦ An active Azure subscription, including Microsoft Entra ID
✧ An active Microsoft 365 license that includes Microsoft Teams 
✦ An active Whitehat Cybersecurity Team
✧ Optimism and a little Blackbox Magic 

Please reach out to [email protected] with any questions.

Create App Registration

  1. From a web browser, go to the Azure Portal and sign in.

  2. From the Azure portal, search for and select "Microsoft Entra ID".

GIF displaying how to find Entra ID form the Azure Portal
  1. In the top left, select 'Add' and then 'App registration'

Image of how to start the creation of a new Entra ID App Registration
  1. From the Register an application page: ✦ Enter a name ✧ Select account type (Note: Single tenant is typically the best option) ✧ Enter Redirect URI. Platform type 'Web' with a value of 'https://token.botframework.com/.auth/web/redirect'

  2. Select 'Register'

  3. Record the Application ID, Object ID, and Directory ID for future use.

  1. In the newly created App registration resource, select 'Certificates & secrets' in the menu on the left.

GIF demonstration of creating a new app secret for the new Salem App Registration
  1. Create 'New client secret'

    Select a reasonable expiry time, if the secret expires, users will no longer be able to logon to Salem

  2. Note down the secret value

  1. Select "App Roles"

  1. Create Application Roles ✧ There are three Salem roles (salem.user, salem.analyst, salem.admin) and you an create AD roles that contain any combination of these roles. For now, create a new role: ✦ Display Name: Salem_Admins ✧ Allowed Member Types: Users/Groups ✦ Value: salem.analyst,salem.admin ✧ Description: Users with this role will have both analyst and admin permissions

Image of creating a new app role for the Salem App Registration

Add API Permissions

  1. Select "API permissions" from the left-side menu

  2. Add Offline Access permission by ✧ Select "Add a permission" ✦ Select "Microsoft Graph" ✧ Select "Delegated permission" ✦ Search for and select "offline_access" ✧ Select Add permission

Image of selecting API permissions to add to the Salem Entra ID App Registration
  1. (Optional) Grant Addmin consent for these permissions This can only be done by a user with the Global Administrator role. This is REQUIRED if any of the permissions listed indicate that admin consent is required

Image of the API permission menu from the new Salem App Registration

  1. Return to Microsoft Entra ID in the Azure portal

  2. Select "Enterprise applications"

  1. Search for and select the name of the app registration you just created

  2. Select "Users and groups"

  3. Add user/group ✧ Select a user or group ✦ Select the role created above ✧ Continue adding individual users as needed.

If this setting is left as its default, users who aren't assigned roles to use Salem can authenticate successfully with default access. Users with default access will be able to authenticate to Salem but receive a message that they have no application-level role. To simplify the experience for everyone, requiring assignment will prevent unassigned users from being able to authenticate at any level to the Salem application.

  1. Select Properties from the left side menu

  2. Toggle "Assignment required?" to Yes

Image to require assignment setting in the Enterprise Applicaiton

  1. From the Azure portal, search for and select 'Marketplace'.

GIF showing how to find the Azure Marketplace from the Azure Portal
  1. Use the search feature to find "Salem the AI Cyber Analyst for SOC Automation".

  2. Select and Create ✧ App configuration details should have been noted when creating the app registration ✦ Under 'Network Configuration', provide a non-overlapping class C IP address (meaning an IP address block not in use in any network you may connect to Salem). These IP addresses will be used if you peer the Salem Vnet to other Vnets in your Azure subscription. Network peering will allow you to send and receive information from Salem without needing to connect to the Internet. Some communication between Azure services will continue to use Azure network routing. ✧ It may take 30 minutes or more to fully provision Salem

  1. Customize Salem App Manifest ✧ The latest app manifest can be found here ✦ Add in the Deployment ID, and Salem Bot Name. These values can be found from the Salem app in Azure under Parameters and Outputs. This ID is NOT the ID of the App registration

  2. Create App package ✧ create a zip archive containing the manifest.json, Salem_color.png, and Salem_outline.png files at the root level of the archive.

  3. From Microsoft Teams, navigate to "Apps", then select "Manage your apps"

  4. Select "Upload an app"

  5. If you are a Teams admin, you will have the option to Upload an app directly to your organization. If you are not an admin, you will need to submit the app to your org for approval. When submitting an app to your organization, your admins should receive a notification, but it's probably best to follow up with them directly about app approval.

Image of upload a Teams app widget
  1. (Optional) MS teams allows admins to select specific users and groups who can access the Salem Application. The default access settings will depend on your organizations policies. If you are requesting approval from a Teams Admin, indicate who you expect to have access to Salem to ensure the access control is set appropriately.

Teams App Access Controls

Last updated