Global Settings

Global Settings holds the organisation-wide controls that apply to every member of your account: the email-OTP login fallback, the trusted Microsoft Entra (Azure AD) tenant for single sign-on, and which finding types appear in the Vendor Risk Monitoring digest email. These are account-level switches, not per-user preferences.

Overview

The page is a single scrolling card split into three sections:

  • Authentication — the Email OTP Fallback toggle.
  • Single Sign-On (Azure AD) — the trusted Azure tenant GUID, with its own Save button.
  • Vendor Risk Monitoring Alerts — five toggles that decide what the vendor digest email includes.

A Save Settings button at the bottom commits the Authentication and Vendor toggles together; a Reset button discards unsaved changes by re-fetching the stored values. The SSO field saves independently through its own Save SSO Settings button.

Administrators only

Global Settings is restricted to users with the administrator role. Members with any other role are redirected to the dashboard if they navigate here directly. The settings apply to the whole company, so a change made by one admin affects every member.

How it works

The mechanics behind each control matter more than the toggles themselves, because they change how people log in and what lands in their inbox.

Email OTP Fallback

When Email OTP Fallback is on, members who do not have authenticator-based (TOTP) two-factor configured are sent a one-time code by email and must enter it before reaching the dashboard. Members who already use an authenticator app are unaffected — they complete TOTP as usual and never see the email step.

The fallback only fires when the toggle is on and the user has no app-based 2FA. Once a member enters a valid email code, the OTP step is satisfied for that session for a fixed time-to-live; after it expires, the next sign-in prompts for a fresh code. This is account-wide coverage for the people who haven't yet set up an authenticator app — it is not a replacement for enforced 2FA.
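The decision the login flow makes for each member, written out as an added Python example (not ShadowMap's own code). The names, the `Session` record and the 12-hour TTL are assumptions; the page only says the code is valid for a fixed time-to-live.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed TTL: the page only says the emailed code stays valid for a fixed time-to-live.
EMAIL_OTP_TTL = timedelta(hours=12)
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference instant


@dataclass
class Company:
    email_otp_fallback: bool          # the Global Settings toggle


@dataclass
class Member:
    email: str
    totp_enabled: bool                # authenticator app enrolled under Account Security


@dataclass
class Session:
    email_otp_verified_at: Optional[datetime] = None


def next_second_factor(company: Company, member: Member, session: Session, now: datetime) -> str:
    """Second-factor step to run after the password check:
    'totp'      - member has an authenticator app; the fallback never applies to them
    'email_otp' - fallback on, no app-based 2FA, no unexpired email code on this session
    'none'      - no second step (fallback off, or the session's email code is within TTL)
    """
    if member.totp_enabled:
        return "totp"
    if not company.email_otp_fallback:
        return "none"
    verified = session.email_otp_verified_at
    if verified is not None and now - verified < EMAIL_OTP_TTL:
        return "none"
    return "email_otp"


def record_email_otp_success(session: Session, now: datetime) -> None:
    """Mark the email code as entered; the session stays satisfied until the TTL lapses."""
    session.email_otp_verified_at = now


if __name__ == "__main__":
    s = Session()
    alice = Member("alice@example.test", totp_enabled=False)
    print(next_second_factor(Company(True), alice, s, T0))                     # email_otp
    record_email_otp_success(s, T0)
    print(next_second_factor(Company(True), alice, s, T0 + timedelta(hours=1)))  # none
```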

OTP fallback vs. enforced 2FA

Email OTP Fallback is a backstop, not a policy. If your goal is to require a second factor for everyone, enforce app-based 2FA at the account level and use OTP only as a transitional safety net for members who haven't enrolled yet. Email codes are weaker than a TOTP app and should not be your primary second factor.

Single Sign-On — trusted Azure AD tenant

The Trusted Azure AD Tenant ID field binds your account to a single Microsoft Entra (Azure AD) directory. You paste your organisation's Directory (tenant) ID — a GUID you copy from the Entra admin center — and ShadowMap will only complete an Azure single sign-on when the incoming Microsoft token originates from that exact tenant.

This is an impersonation guardrail: without it, a token from any Azure directory that resolves to a known email could complete sign-in. With a trusted tenant set, a login attempt from a different directory is rejected at the callback even if the email matches.

  • The value must be a valid GUID (00000000-0000-0000-0000-000000000000). The same regex is enforced in the browser and on the server, so an invalid value is rejected with a 422 rather than silently stored.
  • Leaving the field blank clears it and disables the tenant check entirely. The page confirms this with a "Tenant check disabled" message.
  • There is one trusted tenant per account; saving a new GUID replaces the previous one.
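The two halves of the guardrail, as an added Python example rather than ShadowMap's own code: the GUID check the page says runs identically in the browser and on the server, and the callback decision that compares the token's tenant with the stored value before the email is even consulted. `tid` is Entra's standard tenant-ID claim; the function and variable names are assumptions, and the token is assumed to be already signature-verified.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Eight-four-four-four-twelve hex characters, as the page describes.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def parse_trusted_tenant(raw: Optional[str]) -> Tuple[str, Optional[str]]:
    """Same rule on both sides: blank clears the check, malformed is rejected (422 server-side)."""
    value = (raw or "").strip()
    if value == "":
        return ("disabled", None)
    if not GUID_RE.fullmatch(value):
        return ("invalid", None)
    return ("ok", value.lower())


def sso_callback_decision(trusted_tenant: Optional[str], claims: Dict[str, str],
                          member_emails: Set[str]) -> str:
    """Decide whether an Entra sign-in callback may complete.
    trusted_tenant: normalised GUID from parse_trusted_tenant, or None when the check is off.
    claims: ID-token claims after signature/audience verification (not shown here).
    member_emails: lower-cased addresses known to this account (constructed set in tests)."""
    if trusted_tenant is not None:
        token_tenant = str(claims.get("tid", "")).lower()
        if token_tenant != trusted_tenant:
            # A matching email does not rescue a token from another directory.
            return "reject: token issued by untrusted tenant"
    email = str(claims.get("preferred_username") or claims.get("email") or "").lower()
    if email not in member_emails:
        return "reject: email is not a member of this account"
    return "accept"


if __name__ == "__main__":
    status, tenant = parse_trusted_tenant("12345678-abcd-ef01-2345-6789abcdef01")
    claims = {"tid": "99999999-0000-0000-0000-000000000000", "preferred_username": "cto@example.test"}
    print(status, sso_callback_decision(tenant, claims, {"cto@example.test"}))
```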

Where to find your tenant ID

In the Microsoft Entra admin center (or Azure portal), open Identity → Overview (or Azure Active Directory → Overview) and copy the Directory (tenant) ID. It is a GUID, not your domain name.

Vendor Risk Monitoring Alerts

The five toggles in this section do not generate alerts on their own. They control which finding categories are included in the Vendor Risk Overview email — the digest ShadowMap sends summarising risk across the third parties you monitor in Vendor Risk Management. Each enabled toggle adds its corresponding per-vendor count to the report; a disabled toggle removes that category from the digest entirely (the underlying data is still collected and visible in the product — only the email content changes).

Because the digest is assembled per vendor at send time, turning a category off simply omits that line for every vendor on the next run. There is no per-vendor override here; these are account-wide digest defaults. The email is sent on a daily schedule and summarises the previous day's findings, and it is only sent at all when at least one of these toggles is on and there is something to report.
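How the digest run turns the five toggles and a day's per-vendor counts into an email, or into no email, as an added Python example (not the actual vendor digest command). The toggle keys, the rendering format and the sample counts are constructed for illustration.

```python
from typing import Dict, List, Optional

# The five digest categories from Global Settings, keyed by assumed toggle names.
DIGEST_CATEGORIES = [
    ("data_breach", "Data Breach Alerts"),
    ("vulnerability", "Vulnerability Alerts"),
    ("phishing", "Phishing Alerts"),
    ("dark_web", "Dark Web Discussion Alerts"),
    ("telegram", "Telegram Alerts"),
]

# Constructed sample of the previous day's findings: {vendor: {category_key: count}}
SAMPLE_FINDINGS = {
    "Acme Hosting": {"data_breach": 3, "phishing": 1},
    "Beta SaaS": {"vulnerability": 2},
}


def build_vendor_digest(toggles: Dict[str, bool],
                        findings: Dict[str, Dict[str, int]]) -> Optional[List[str]]:
    """Assemble the Vendor Risk Overview email for one run.
    toggles: the account-wide switches, {category_key: bool}; missing keys count as off.
    Returns the lines to send, or None when no email should go out at all:
    no category enabled, or nothing to report in the enabled categories."""
    enabled = [(key, label) for key, label in DIGEST_CATEGORIES if toggles.get(key, False)]
    if not enabled:
        return None
    lines: List[str] = []
    reported = 0
    for vendor in sorted(findings):               # one block per monitored vendor
        counts = findings[vendor]
        lines.append(f"{vendor}:")
        for key, label in enabled:                # disabled categories are never rendered
            n = counts.get(key, 0)
            reported += n
            lines.append(f"  {label}: {n}")
    return lines if reported > 0 else None


if __name__ == "__main__":
    body = build_vendor_digest({"data_breach": True, "vulnerability": True}, SAMPLE_FINDINGS)
    print("\n".join(body) if body else "(no digest sent)")
```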

Where the settings live

  • Email OTP Fallback is stored as a company global preference and read during the login flow.
  • The five vendor toggles are stored as company vendor-alert preferences and read by the vendor digest command when it runs.
  • The trusted Azure tenant is stored directly on the company record and read by the SSO callback.

Only the settings shown on this page are persisted — the page deliberately mirrors exactly what the backend saves, so a successful save reflects a real change.

Understanding the settings

Setting | Section | Effect when ON | Effect when OFF
Email OTP Fallback | Authentication | Members without app-based 2FA must enter an emailed one-time code at login | No email step; members without 2FA sign in with password only (subject to any other policy)
Trusted Azure AD Tenant ID | Single Sign-On | Azure SSO accepts logins only from the specified Entra tenant | Blank value disables the tenant check; any Azure directory may complete SSO
Data Breach Alerts | Vendor Risk Monitoring | Breached-password findings appear in the vendor digest email | Category omitted from the digest
Vulnerability Alerts | Vendor Risk Monitoring | New or worsening vulnerability findings appear in the digest | Category omitted from the digest
Phishing Alerts | Vendor Risk Monitoring | Phishing and impersonation findings appear in the digest | Category omitted from the digest
Dark Web Discussion Alerts | Vendor Risk Monitoring | Dark web discussion hits appear in the digest | Category omitted from the digest
Telegram Alerts | Vendor Risk Monitoring | Telegram conversation findings appear in the digest | Category omitted from the digest

Configuring the settings

  1. Open Settings → Global Settings as an administrator.
  2. Authentication — toggle Email OTP Fallback on if you want members without an authenticator app to receive an email code at login.
  3. Vendor Risk Monitoring Alerts — enable the categories you want in the vendor digest email, and disable the ones you consider noise.
  4. Click Save Settings. To abandon unsaved changes in these two sections, click Reset to restore the last saved values.
  5. Single Sign-On (Azure AD) — to enforce a trusted tenant, paste your Directory (tenant) ID GUID into the field, then click Save SSO Settings. To remove the restriction, clear the field and save.

The SSO field saves separately

The trusted-tenant field has its own Save SSO Settings button and validation messages. It is not committed by the main Save Settings button at the bottom of the page — save each section with its own button.

Common questions

Does Email OTP Fallback affect members who already use an authenticator app? No. The email code only applies to members without app-based 2FA. Anyone with TOTP configured completes their authenticator step as normal and never sees the email step.

Is Email OTP Fallback the same as enforcing two-factor authentication? No. It is a fallback that emails a code to members who have not set up an authenticator. It does not force anyone to enrol in app-based 2FA. Treat it as a transitional safety net, not a 2FA policy.

What happens if I leave the Azure tenant field blank? The tenant check is disabled. Azure single sign-on will accept a login from any directory rather than restricting it to one trusted tenant. Setting a GUID re-enables the restriction.

My tenant GUID was rejected. Why? The value must match the GUID format exactly (eight-four-four-four-twelve hex characters). The format is validated in the browser and again on the server; a malformed value returns an error instead of being saved. Copy the Directory (tenant) ID from the Entra admin center rather than typing a domain name.

I turned off a Vendor Risk Monitoring toggle — did I stop collecting that data? No. The toggles only control what appears in the Vendor Risk Overview email. The findings are still gathered and remain visible in the Vendor Risk Management module; the toggle just removes that category from the digest.

Why can't my colleague see this page? Global Settings is administrator-only. Non-administrators are redirected to the dashboard. Ask an admin to make the change, or have your account owner adjust the colleague's role.

Do these settings apply to just me or the whole account? The whole account. Every control here is a company-wide default, which is why the page is limited to administrators.

  • Account Security — where individual members set up their own authenticator-based two-factor authentication, the personal counterpart to the account-wide Email OTP Fallback.
  • Members — manage who has the administrator role required to edit Global Settings.
  • Alert Preferences — configure news, CVE, and threat-feed notification settings that are separate from these global defaults.
  • Vendor Risk Management — the module whose digest email is shaped by the Vendor Risk Monitoring Alerts toggles on this page.
  • Roles & Permissions — how the administrator role gates access to account-level settings like this one.

ShadowMap - External Attack Surface Management