>
    Strata Copilot
    Onboard Azure Cloud Account in Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Activation & Onboarding
    4. Onboard and Activate a Cloud Account in Strata Cloud Manager
    5. Onboard Cloud Account in Azure
    6. Onboard Azure Cloud Account in Strata Cloud Manager
    Download PDF
    Prisma AIRS

    Onboard Azure Cloud Account in Strata Cloud Manager

    Table of Contents

    Onboard Azure Cloud Account in Strata Cloud Manager

    Onboard your Azure cloud account in Strata Cloud Manager.
    Where Can I Use This?What Do I Need?
    • Creating an Azure Service Account for Strata Cloud ManagerIntegration
    Onboard Azure cloud account in Strata Cloud Manager. Create and download an onboarding Terraform template. When you apply this template in your cloud environment, it generates a service account with sufficient permissions. These permissions enable discovery within your cloud environment, granting access to network flow logs, asset inventory details, and other essential cloud resources.
    If you are using AI Agent Discovery, you need to onboard a new Terraform template. When you apply this template in your cloud environment, it generates a service account with sufficient permissions. These permissions enable AI Agent Discovery within your cloud environment, granting access to network flow logs, asset inventory details, and other essential cloud resources. See the section Download New Terraform for AI Agent Discovery.
    1. Log in to Strata Cloud Manager.
    2. Navigate to AI Security → AI Runtime→ AI Runtime Firewall. (If you are onboarding for the first time, click Get Started.
    3. If you have previously onboarded a cloud account; from the top right corner, click the Cloud Account Manager (cloud) icon.
    4. Select Add Cloud Account.
    5. Select Cloud Service Provider as Azure and select Next.
    6. Enter basic information:
      • A unique Name to identify your onboarded cloud account. (Limit the name to 32 characters).
      • Azure Tenant ID.
      • Azure Subscription ID.
      Refer to the section on how to get subscription and tenant IDs in the Azure portal.
      To discover Kubernetes-related clusters when the container workloads are identified by the "Cluster Name" application definition method, enable "Bring your own Azure virtual network."
      Follow these steps in the Azure portal:
      1. Navigate to Kubernetes services → [Your Cluster]→ Settings→ Networking.
      2. Under Network configuration, select Azure CNI Overlay as the Network plugin.
      3. Enable Bring your own Azure virtual network.
    7. Click Next.
    8. Specify the permissions to apply to this Azure account. For a list of the specific permissions enabled, see Azure Required Permissions.
      • Discovery—this option is pre-selected and cannot be disabled. This allows Prisma AIRS to identify and monitor assets in your Azure environment.
      • Fully orchestrated security VNet—provides the necessary permissions for Prisma AIRS to read and write in your security VNet account.
      • Fully automated traffic redirection application VNets—provides the necessary permissions for Prisma AIRS to read and write in your application VNet account. Fully automated traffic redirection application VNets requires that you enable Fully orchestrated security VNet.
      • IP-Tag Harvesting—grants the necessary permissions to collect IP address-to-tag information to enforce tag-based security policy that adapts to IP address changes in your Azure environment.
    9. In Application Definition, configure how your assets will be grouped for discovery.
      Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.
      1. Your selected application boundaries determine which applications appear in the deployment workflow. For all workload types, Prisma AIRS AI Runtime firewall maps applications to their VPCs, and the firewall protects traffic at the VPC level. The namespace shows applications from Pods/Cluster workloads, while VPC/VNETs display applications from virtual machine workloads.
      2. For container workloads, regardless of the application definition method you select (namespace, cluster, or tag), please annotate all pods if you want to add protection with the Palo Alto Networks-specific label "paloaltonetworks.com/firewall": "pan-fw". This annotation is needed to secure the pods, in addition to defining the application boundaries.
      1. Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.
        When using tag-based application boundaries, if your cloud provider allows tags with only keys (no values), you should use the application name as the tag key.
        WorkloadsApplication Definition MethodChoose When
        Container Workloads
        (Default boundary: namespace)
        • Namespace
        • Cluster Name
        • Tag
        • Applications are separated by Kubernetes namespaces for logical isolation.
        • Applications span multiple namespaces but remain within a single cluster.
        • Applications require custom grouping based on business logic, regardless of infrastructure.
        Virtual Machines
        (Default boundary: VPC/VNET)
        • Subnet Name
        • VPC/VNET
        • Tag
        • VMs are organized by network segments that align with application boundaries.
        • You prefer a broader network perimeter-based application grouping (default).
        • Uses key-value pairs for business-context-driven application organization.
        Serverless Compute
        (Default boundary VPC/VNET)
        • Subnet Name
        • VPC/VNET
        • Tag
        • Functions are deployed in specific subnet boundaries within the application domain.
        • You want to group all functions within the same network level using VPC/VNET boundaries.
        • Uses key-value pairs for flexible business requirement-based grouping.
    10. In Application Definition, configure how your assets will be grouped for discovery.
      Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.
    11. Input Storage Account Name (Enter only lowercase letters and numbers; the name must be between 3 and 24 characters).
      This is the storage account name that you created in the Azure Cloud Account Onboarding Prerequisites step.
    12. Download Terraform.
    13. Execute Terraform. Save and unzip the downloaded Terraform zip file.
    14. Navigate to the panw-discovery-<tsgid>-onboarding/azr folder and follow the `README.md` instructions to apply the Terraform in Azure to create the resources and add the role assignments.
      #Login to the Azure tenant from CLI and replace the "Tenant_Id" with your tenant_id value
az login -t <Tenant_Id>

#Replace the value with your subscription_id that is being onboarded
az account set -s <Subscription_id>

#Deploy the Terraform
terraform init
terraform plan
terraform apply
    15. Log in to Azure Portal. Make sure you see the logs in Azure Storage Account → Data Storage → Containers → Insight flow logs and verify the date and hour.
    16. Select Done.
      This validates the successful creation of a service account in Azure.
    17. You can now view and manage the onboarded cloud accounts in Strata Cloud Manager.
    18. To discover your protected and unprotected cloud assets, see the page on discovering your cloud resources.
      Initial data should populate on Strata Cloud Manager in about 15 minutes and the flow logs may have a delay of about 3 hrs to show up on the Strata Cloud Manager dashboard.
      Next, protect the network traffic flow by deploying Prisma AIRS AI Runtime firewall or VM-Series firewall in Azure.

    Download New Terraform for AI Agent Discovery

    This section describes how to download an onboarding Terraform template when using AI Agent Discovery. When you apply this template in your cloud environment, it generates a service account with sufficient permissions. These permissions enable AI Agent Discovery within your cloud environment, granting access to network flow logs, asset inventory details, and other essential cloud resources.
    When you onboard an Azure cloud account, consider the following:
    • For new accounts, you'll need to onboard a cloud account if one is not present in the tenant.
    • For existing accounts in an enabled state, you need to re-apply the Terraform to provide AI Agent Discovery access for existing onboarded accounts. This process updates the inline discovery permissions. To re-apply the onboarding Terraform, refer to Step 12 (Download Terraform) above:
    • For existing accounts in a disabled state (that is, cloud accounts that are disabled), attempts to re-enable the account results in failed validation. To resolve this issue, download the onboarding Terraform before enabling the account again.

    © 2026 Palo Alto Networks, Inc. All rights reserved.