Setup Wizard
A downloadable executable that configures a TATER organization end to end. Pick the features you want, and the wizard downloads the right scripts, prompts you for the variables, runs the logins it needs, and writes the results back — all locally, so your credentials never leave your machine.
The wizard runs on your machine and authenticates with your interactive logins (Microsoft Graph, Exchange Online, and Azure CLI device-code by default). Secrets — client secrets, tokens, certificate private keys — never transit TATER. Only non-secret results (app registration IDs, resource names, webhook URLs) are written back to your organization record, and only through a strict server-side allow-list.
Download & launch
Get the wizard from TATER Security → Get Started (the “TATER Setup Wizard” card), or directly:
- Windows (x64) .exe — double-click to launch.
- Linux x64 / Linux ARM64 — chmod +x tater-setup-linux-amd64 && ./tater-setup-linux-amd64
Already running the TATER agent on the machine? You don’t need a separate download — just run tater-agent.exe -setup.
On launch the wizard starts a small local web server on 127.0.0.1 and opens your browser to it. (Headless box? It prints the URL; open it from any browser that can reach that machine, or set TATER_SETUP_NO_BROWSER=1.)
1. Connect
Paste an organization API key (generate one in TATER Manage → Connections → API Keys). The wizard validates it by loading the Setup Catalog for your org. The API base defaults to https://api.tatersecurity.com/api.
2. Pick a feature
The catalog shows every configurable feature as a card with its estimated time and which logins it needs. Click one to open its form. Available features:
- M365 Cloud Compliance Scanning — the full per-client scanning stack: an Entra app registration with the Graph + Exchange permissions, a sign-in certificate in Key Vault, an Azure Automation Account running the scan runbooks, and a webhook wired back to your org. Automates the entire 10-step provisioning checklist.
- Endpoint Agent Deployment — generates an org-bound agent API key and the install command/package (MSI / Intune / install.sh).
- Email-to-Ticket Intake — a shared mailbox, the Graph subscription, and the RBAC-for-Applications grant that turn email into Ops tickets.
- SIEM Forwarding & Integrations — syslog (CEF) or HMAC-signed webhook forwarding, with a test-connection step.
- Automated Remediation — the Run-Remediation runbooks + webhook so the Remediate button and MCP can dispatch fixes.
- Power Automate Flow Monitoring — an app-only management app + saved connection so TATER watches your cloud flows.
- Documentation Import — bulk-imports a folder of docs into Configuration Documentation.
- M365 Authentication & User Lookup — read-only tenant credentials for the People picker, assignment search, and vendor discovery.
3. Fill the variables
Each feature has a typed form — tenant IDs, resource names, regions, mailbox addresses. Most fields come pre-filled with sensible defaults (auto-generated resource names, the TATER Security subscription, etc.); edit them if you have a naming standard. Fields marked “secret” (like a pasted client secret) stay on your machine and are never written back to TATER.
4. Run
Click Run setup. For each step the wizard:
- downloads the script and verifies its SHA-256;
- performs the login it needs — a device-code prompt appears in the live log; open the URL shown and enter the code (you complete the actual sign-in in your IdP);
- runs the script with your variables, streaming output live;
- posts only the non-secret results back to TATER.
By default the wizard drives interactive device-code logins, so you never paste a long-lived secret. If interactive login is blocked (a locked-down jump box, CI), some features accept a pre-created client secret in the form instead.
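The verify-before-run step above, sketched as an added example (this is not the wizard's own code). It assumes the expected digest arrives alongside the catalog entry for the step; the function name, sample script and digest are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: stands in for a downloaded setup script and the digest
# the wizard is assumed to hold for it (not real TATER values).
SAMPLE_SCRIPT = b"Write-Output 'constructed sample step'\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()


class HashMismatch(Exception):
    """Raised when downloaded bytes do not match the expected digest."""


def stage_verified_script(body: bytes, expected_sha256: str, suffix: str = ".ps1") -> str:
    """Verify body against expected_sha256, then write it to a private file.

    The digest is computed over the in-memory bytes and those same bytes are
    written out, so the file that later runs is exactly the content that was
    verified. Nothing touches disk when the digest does not match.
    """
    actual = hashlib.sha256(body).hexdigest()
    expected = expected_sha256.strip().lower()  # tolerate case and trailing newline
    if not hmac.compare_digest(actual, expected):
        raise HashMismatch(f"expected {expected}, got {actual}")
    # mkstemp creates the file owner-only (0600) with an unpredictable name.
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    staged = stage_verified_script(SAMPLE_SCRIPT, SAMPLE_SHA256)
    print("verified and staged:", staged)
    os.remove(staged)
    try:
        stage_verified_script(SAMPLE_SCRIPT + b"# tampered\n", SAMPLE_SHA256)
    except HashMismatch as exc:
        print("refused to stage:", exc)
```

A digest delivered over the same channel as the script detects corruption and partial downloads; it only detects a tampered script if the digest comes from a source the attacker cannot also change.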
Prerequisites
Run the wizard on a machine with the tooling each feature needs:
- PowerShell 7+ (recommended) and the Microsoft Graph / Exchange Online / Az PowerShell modules for the scanning + email + identity features.
- Azure CLI (az) for the features that create Azure resources (Automation Account, certificate, webhooks).
- The appropriate admin roles in the target tenant (Global Administrator or Application + Privileged Role Administrator for app registrations; Exchange Administrator for email intake; Contributor on the subscription for the Automation Account).
Security model
The wizard never asks TATER for anything sensitive and never sends anything sensitive back. The result write-back is double-gated: a feature can only set the org fields it declares, and each of those must be on the server’s allow-list (scan + remediation resource names and webhook URLs). Every wizard step is recorded in your Activity Log under the setup-wizard channel. Scripts are downloaded over HTTPS from www.tatersecurity.com/Setup/ and SHA-256-verified before they run.
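The double gate described above, as an added example (not TATER's server code). All field names and sample values are hypothetical, and dropping a failing field rather than rejecting the whole request is an assumption; the page only states that a field must pass both checks.

```python
# Hypothetical server-side allow-list. The page names the categories (scan and
# remediation resource names, webhook URLs) but not these field names.
SERVER_ALLOW_LIST = frozenset({
    "scan_automation_account", "scan_webhook_url",
    "remediation_automation_account", "remediation_webhook_url",
})


def gate_writeback(declared_fields, results):
    """Apply both gates to a result payload.

    Gate 1: the field must be declared by the feature that produced it.
    Gate 2: the field must also be on the server's allow-list.
    Returns (accepted, rejected); rejected maps field name -> reason and
    never carries the rejected value, so it is safe to log.
    """
    declared = frozenset(declared_fields)
    accepted, rejected = {}, {}
    for field, value in results.items():
        if field not in declared:
            rejected[field] = "not declared by feature"
        elif field not in SERVER_ALLOW_LIST:
            rejected[field] = "not on server allow-list"
        else:
            accepted[field] = value
    return accepted, rejected


# Constructed case: a feature entry that over-declares (lists client_secret)
# and a result payload that also carries a field the feature never declared.
SAMPLE_DECLARED = ["scan_automation_account", "scan_webhook_url", "client_secret"]
SAMPLE_RESULTS = {
    "scan_automation_account": "aa-tater-scan-example",
    "scan_webhook_url": "https://webhook.example.invalid/scan",
    "client_secret": "constructed-not-a-real-secret",
    "remediation_webhook_url": "https://webhook.example.invalid/fix",
}

if __name__ == "__main__":
    ok, dropped = gate_writeback(SAMPLE_DECLARED, SAMPLE_RESULTS)
    print("written back:", sorted(ok))
    for name, reason in sorted(dropped.items()):
        print(f"dropped {name}: {reason}")
```

The over-declared client_secret is stopped by the allow-list, and the allow-listed remediation_webhook_url is stopped because this feature did not declare it, which is why neither gate alone is sufficient.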
Related
- Azure Runbook Setup — what the M365 scanning feature provisions.
- Agent Deployment — the endpoint agent the wizard packages.
- Claude MCP Setup — configure the same features conversationally instead.