Activation & Onboarding
  • Activation & Onboarding
  • AI Runtime Security Documentation
  • All Documentation
>
Azure Cloud Account Onboarding Prerequisites
Focus
Download PDF
Focus
  1. Home
  2. AI Runtime Security
  3. Activation & Onboarding
  4. Onboard and Activate a Cloud Account in Strata Cloud Manager
  5. Onboard Cloud Account in Azure
  6. Azure Cloud Account Onboarding Prerequisites
Download PDF
AI Runtime Security

Azure Cloud Account Onboarding Prerequisites

Table of Contents

Azure Cloud Account Onboarding Prerequisites

Prerequisites for onboarding a cloud account in Azure.
This section outlines the prerequisites for onboarding an Azure cloud account in Strata Cloud Manager.
On this page, you will:
  • Create Azure Storage Account
  • Enable Virtual Network Flow Logs for vNet
  • Enable Audit Logs for Azure OpenAI Traffic
  • Grant Access to Storage Account from IP Addresses
  • Assign Azure Roles
    if you want to onboard more than one Azure subscription on the same tenant.
Where Can I Use This?What Do I Need?
  • AI Runtime Security in Azure

Create Azure Storage Account

  1. Sign in to your Azure portal.
  2. In the left panel, click on Create a resource.
  3. Search for the Storage account and select it.
  4. Click Create.
  5. Select your Subscription and Resource Group (or create a new one).
  6. Enter a unique Storage account name.
  7. Choose the Region for your storage account.
  8. Select the Performance (Standard or Premium) and Replication options.
  9. Under Networking tab:
    • Under Network access, select Enable public access from selected virtual networks and IP addresses.
    • Add the following IP addresses: 
      34.71.64.3
34.28.60.186
      Code copied to clipboard
       
      Unable to copy due to lack of browser support.
    Refer to Create an Azure storage account for more configurations.
  10. Click Review + create.
  11. Click Create to deploy a Storage account.

Enable Virtual Network Flow Logs for vNet

  1. Sign in to the Azure portal.
  2. To enable Network Watcher, go to the Azure Portal, search for Network Watcher, select your region, and click Enable.
  3. In the Network Watcher pane, select Flow Logs from the left panel.
  4. Click on + Add flow log.
  5. Select your Subscription from the dropdown menu.
  6. Under Flow log type, choose Virtual network.
  7. Select or create a Storage Account where you want to store the logs.
  8. Enter 30 in the Retention (days) field. (This is the maximum number of days that we display the logs in the Strata Cloud Manager discovery dashboard).
  9. Click Review + Create to review your settings, then click Create to apply the configuration.

Enable Audit Logs for Azure OpenAI Traffic

  1. Go to the Azure portal and open your OpenAI resource.
  2. In the navigation pane, select Diagnostic settings → Add diagnostic setting.
  3. Enter Diagnostic setting name.
  4. In the list of log categories, select Request and Response Logs.
  5. Select to enable Archive to a storage account.
  6. Select the applicable Subscription for the Azure Event Hub.
  7. Select the Storage account to store the logs.
  8. Save your settings.
    Flow logs and audit logs must be older than 3 hours to be scanned, as Azure continuously overwrites the log file in the storage account. To prevent loss of logs, we only scan files three hours after their creation time, since discovery won't rescan files that have already been processed.

Grant Access to Storage Account from IP Addresses

  1. Go to Storage Accounts in the Azure portal.
  2. Select your Storage Account.
  3. Under Security + networking, click on Networking in the left panel.
  4. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
  5. Under Firewall, add the following IP addresses in the storage account: 
    34.71.64.3
34.28.60.186
    Code copied to clipboard
     
    Unable to copy due to lack of browser support.
  6. Click Save to apply the changes.

Assign Azure Roles

To onboard more than one Azure subscription on the same tenant, assign the following roles on the application that your onboarding Terraform has installed in your Azure tenant.
  1. Go to the Azure Portal and select your subscriptions.
  2. In the left panel, navigate to Access Control (IAM).
  3. Click on the Role assignments tab.
  4. Click + Add -> Add role assignment.
  5. Select the roles for each of the required roles:
    • Azure Kubernetes Service Cluster User Role
    • Storage Blob Data Reader
    • Reader
  6. Click Next.
  7. Click Select members, search for the app using the app object ID or the app name.
    The application name is suffixed by "panw".
  8. Select the application, and then click Select.
  9. Click Next.
  10. Click Review + assign to complete the process.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.