>
    Strata Copilot
    Set Up Cloud Storage on Microsoft Azure to Save Evidence
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Monitor Enterprise DLP
    5. Save Evidence for Investigative Analysis with Enterprise DLP
    6. Set Up Cloud Storage on Microsoft Azure to Save Evidence
    Download PDF
    Enterprise DLP

    Set Up Cloud Storage on Microsoft Azure to Save Evidence

    Table of Contents

    Set Up Cloud Storage on Microsoft Azure to Save Evidence

    Configure cloud storage on Microsoft Azure to save evidence for investigative analysis with Enterprise Data Loss Prevention (E-DLP).
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Microsoft Azure users can configure a blob storage bucket to automatically upload all files that match an Enterprise Data Loss Prevention (E-DLP) data profile.
    To store files scanned by Enterprise DLP, you must create a storage account and Identity and Access Management (IAM) role that allows Enterprise DLP access to automatically store files. Files uploaded to your storage account are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in-depth investigation.
    Enterprise DLP automatically sends email alerts to the data security administrator who originally connected Enterprise DLP to the storage bucket and to the data security admin who last modified the storage bucket settings in case of connection issues. Enterprise DLP sends the email alert every 48 hours until you restore the connection between Enterprise DLP and the storage bucket.
    Files not scanned while Enterprise DLP is disconnected from your storage bucket can't be stored and are lost. This means that all impacted files are not available for download. However, your data security administrator can still view all snippet data associated with the DLP incident.
    Enterprise DLP automatically resumes forwarding files to your storage bucket after you restore the connection.
    1. Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
    2. Log in to the Microsoft Azure portal as an administrator.
      Administrator-level privileges are required to add the Enterprise DLP evidence storage application using Cloud Shell and to configure access to the storage account for file uploads.
    3. (Optional) From the portal menu, select Storage groups and click Create to create a new storage group.
      You can also search for storage groups.
      The storage group is required to associate the storage account you create next for storing matched files.
      Skip this step if you have an existing resource group that you want to associate with the storage account.
    4. From the portal menu, select Storage accounts and click Create to create a new storage account.
      You can also search for storage accounts.
    5. Obtain the App-ID, Tenant ID, and blob service endpoint URL.
      You need this information to add the Palo Alto Networks Enterprise DLP application to your Microsoft Azure tenant and to configure connectivity to Enterprise DLP.
      • Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
      1. Obtain your Tenant ID.
        1. From the portal menu, select Azure Active Directory.
          You can also search for azure active directory.
        2. In the Basic Information section, copy the Tenant ID.
      2. Obtain the blob service endpoint URL.
        1. From the portal menu, select Storage accounts and select the storage account you want to use to save files for evidence analysis.
        2. Select SettingsEndpoints and copy the Blob service endpoint URL.
    6. Add the Palo Alto Networks Enterprise DLP application.
      1. Open Cloud Shell.
        Click the Cloud Shell icon in the top-right corner of the Microsoft Azure portal.
      2. Add the Palo Alto Networks Enterprise DLP application.
        Connect-AzureAD -TenantID <Your_Tenant_ID>
        New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
        It might take a few minutes for Microsoft Azure to add a new application to your Azure tenant.
      3. Close the Cloud Shell.
      4. Search for and select Enterprise applications.
      5. For the Application type, choose All applications.
      6. Search for the Palo Alto Networks Enterprise DLP application name to verify you successfully added the application.
    7. Configure permissions for the Palo Alto Networks Enterprise DLP application.
      1. Select the Palo Alto Networks Enterprise DLP application name.
      2. Select SecurityPermissions and click Grant Admin consent.
      3. Select the administrator email in the Microsoft login prompt.
      4. Accept the permissions request to allow Enterprise DLP to view your Azure storage accounts.
        It might take a few minutes for the permissions to be granted to Enterprise DLP.
        You still need to grant Enterprise DLP permission to write to a specific storage account.
      5. Verify that the Azure Storage and Microsoft Graph API names are displayed in the Admin consent section.
      6. From the portal menu, select Storage accounts and select the storage account you want to use to save files for evidence analysis.
      7. Select Access Control (IAM)AddAdd Role AssignmentStorage Blob Data Owner and click Next.
      8. Select to assign access to User, group, or service principal and click Select members.
      9. Search for and select the Palo Alto Networks Enterprise DLP application.
      10. Click Review + assign to allow Enterprise DLP to write to the storage account.
        It can take up to 10 minutes for the write permissions to be granted to Enterprise DLP.
    8. Configure the evidence storage connection on Strata Cloud Manager.
      1. Log in to Strata Cloud Manager.
        Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges.
      2. Select ConfigurationData Loss PreventionSettingsSensitive Data and navigate to Evidence Storage.
      3. Select the enforcement points for which you want to enable Evidence Storage for.
        You can enable evidence storage for Prisma Browser, Prisma Access, and Endpoint DLP.
      4. Select Configure Regional BucketAzure
      5. Select the Region(s) from which you want to forward evidence files to the storage bucket.
        You can associate storage accounts in different Azure regions with your DLP regions. When DLP incidents are generated in the regions you select here, Enterprise DLP forwards the incident evidence to the storage bucket.
      6. Review the Instructions - Azure and click Next.
      7. In Input Bucket Details, enter the Microsoft Azure Tenant ID.
      8. Enter the Storage Endpoint.
        This is the blob service endpoint URL that you obtained for the storage account.
      9. Click Connect to connect Enterprise DLP to your storage bucket.
      10. Review the Connection Status to verify Enterprise DLP successfully connected to your storage bucket.
        As part of the setup process, Enterprise DLP uploads a Palo_Alto_Networks_DLP_Connection_Test.txt file to your storage bucket to test and verify connectivity.
        Save the storage bucket settings if Enterprise DLP successfully connected.
        Select Previous and edit the bucket connection settings if Enterprise DLP can't connect to your storage bucket.
    9. (Email DLP only) Select ConfigurationSaaS SecuritySettingsEmail DLP Settings and enable Evidence Storage for Email DLP.
      Enterprise DLP won't forward evidence files for Email DLP traffic matches unless you enable this setting.
    10. Enable Sensitive Files for your enforcement points.
      You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.
    11. Download Files for Evidence Analysis.

    © 2026 Palo Alto Networks, Inc. All rights reserved.