Azure Credentials

This section discusses Azure credentials.

Authenticate with Azure using a certificate

You can authenticate with Azure using a certificate as a secret. As with password authentication, the certificate is stored with the Azure service principal. For more information, see the Microsoft docs here.
  1. Log into Compute Console.
  2. Go to Manage > Cloud accounts.
  3. Click Add account.
  4. In Select cloud provider, choose
  5. Enter a name for the credential.
  6. In , select
  7. In , enter your service principal’s certificate in PEM format.
     The certificate must include the private key. Concatenate the public cert with the private key (e.g., cat client-cert.pem client-key.pem).
  8. Enter a tenant ID.
  9. Enter a client ID.
  10. Enter a subscription ID.
  11. Click
  12. In Scan account, disable Agentless scanning.
  13. Click
  14. Click Add account.
  15. Validate the credential.
     Your Azure credential is now available to be used in the various integration points in the product, including registry scanning, serverless function scanning, and so on. If authentication with a certificate is supported, it’s shown in the credential drop-down in the setup dialog. For example, the following screenshot shows the setup dialog for scanning Azure Container Registry:
     After setting up your integrations, you can review how and where the credential is being used by going to Manage > Authentication > Credentials store and clicking on the credential.
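Before pasting the concatenated bundle into the dialog, it is worth checking that the file really contains both a certificate block and a private key block, that each block decodes, and that the key is not passphrase-protected (the steps above offer no passphrase field). The Python pre-flight check below is an added example, not Prisma Cloud or Azure code. The sample PEM blocks it builds are constructed stand-ins whose bodies are a minimal DER SEQUENCE, not real certificates or keys, and the checks it applies are general PEM facts rather than a description of what the dialog itself validates.

```python
"""Pre-flight check for a cert+key PEM bundle (added example, not product code)."""
import base64
import binascii
import re

# One PEM block: label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return [(label, der_bytes, encrypted)] for every PEM block in `text`.

    Raises ValueError when a block body is not valid base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Legacy OpenSSL encryption adds 'Proc-Type: 4,ENCRYPTED' headers;
        # PKCS#8 instead uses the ENCRYPTED PRIVATE KEY label.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        # Header lines contain ':' which never appears in base64, so drop them.
        b64 = "".join(line for line in body.splitlines() if line and ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error) as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}")
        blocks.append((label, der, encrypted))
    return blocks


def check_bundle(text):
    """Return a list of problems; an empty list means the bundle looks usable."""
    problems = []
    blocks = parse_pem_blocks(text)
    labels = [b[0] for b in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not any(label in PRIVATE_KEY_LABELS for label in labels):
        problems.append("no private key block found (the dialog needs cert + key)")
    for label, der, encrypted in blocks:
        if encrypted:
            problems.append(f"{label} block is passphrase-protected; the steps provide no passphrase field")
        # Every DER-encoded certificate or key starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems


def concatenate(cert_pem, key_pem):
    """Same as `cat client-cert.pem client-key.pem`, but guarantees a newline between blocks."""
    if not cert_pem.endswith("\n"):
        cert_pem += "\n"
    return cert_pem + key_pem


# Constructed sample data: a 5-byte DER SEQUENCE stands in for real cert/key bodies.
DER_SEQ = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{DER_SEQ}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{DER_SEQ}\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
    "\n"
    f"{DER_SEQ}\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("cert+key:", check_bundle(concatenate(SAMPLE_CERT, SAMPLE_KEY)))
    print("cert only:", check_bundle(SAMPLE_CERT))
    print("encrypted key:", check_bundle(concatenate(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY)))
```

The check does not prove the key belongs to the certificate; for RSA keys, compare `openssl x509 -noout -modulus -in client-cert.pem` with `openssl rsa -noout -modulus -in client-key.pem` before uploading.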

Create an Azure Service Principal

Create an Azure Service Principal so that Prisma Cloud Console can scan your Azure tenant for microservices. To get a service key:
  1. Download and install the Azure CLI.
  2. Create a service principal and configure its access to Azure resources.
    $ az ad sp create-for-rbac \
        --name <user>-twistlock-azure-cloud-discovery-<contributor|reader> \
        --role <reader|contributor> \
        --scopes /subscriptions/<yourSubscriptionID> \
        --sdk-auth
    The --role value depends upon the type of scanning:
    • contributor = Cloud Discovery + Azure Container Registry Scanning + Azure Function Apps Scanning
    • reader = Cloud Discovery + Azure Container Registry Scanning
  3. Copy the output of the command and save it to a text file. You will use the output as the Service Key when creating an Azure credential.
    {
      "clientId": "bc968c1e-67g3-4ba5-8d05-f807abb54a57",
      "clientSecret": "5ce0f4ec-5291-42f8-gbe3-90bb3f42ba14",
      "subscriptionId": "ae01981e-e1bf-49ec-ad81-80rf157a944e",
      "tenantId": "d189c61b-6c27-41d3-9749-ca5c9cc4a622",
      "activeDirectoryEndpointUrl": "",
      "resourceManagerEndpointUrl": "",
      "activeDirectoryGraphResourceId": "",
      "sqlManagementEndpointUrl": "",
      "galleryEndpointUrl": "",
      "managementEndpointUrl": ""
    }
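The saved text file is pasted as-is into the credential dialog, so a truncated copy or a missing field only surfaces as an authentication failure later. The Python helper below is an added example, not Prisma Cloud or Azure CLI code: it checks that the saved JSON parses, that the client, tenant and subscription IDs are well-formed GUIDs, that the client secret is present, and it produces a redacted copy safe to attach to a ticket. Which fields are required is an assumption drawn from the output shown above and the IDs the certificate flow asks for; the sample values are constructed.

```python
"""Sanity-check the --sdk-auth output saved as the Service Key (added example)."""
import json
import re

GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Assumption: these are the fields the credential needs from the JSON above.
REQUIRED_GUIDS = ("clientId", "subscriptionId", "tenantId")
REQUIRED = REQUIRED_GUIDS + ("clientSecret",)


def validate_service_key(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    for field in REQUIRED:
        if not data.get(field):
            problems.append(f"missing or empty field: {field}")
    for field in REQUIRED_GUIDS:
        value = data.get(field)
        if value and not GUID.match(str(value)):
            problems.append(f"{field} is not a GUID: {value!r}")
    return problems


def redact(text):
    """Return the JSON with clientSecret masked, for logs or support tickets."""
    data = json.loads(text)
    if "clientSecret" in data:
        data["clientSecret"] = "***REDACTED***"
    return json.dumps(data, indent=2)


# Constructed sample files (placeholder GUIDs and secret, not real credentials).
SAMPLE_SERVICE_KEY = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-secret-value",
    "subscriptionId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "tenantId": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    "activeDirectoryEndpointUrl": "",
    "resourceManagerEndpointUrl": "",
})
SAMPLE_BAD_SERVICE_KEY = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "",
    "subscriptionId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "tenantId": "not-a-guid",
})

if __name__ == "__main__":
    print("good:", validate_service_key(SAMPLE_SERVICE_KEY))
    print("bad:", validate_service_key(SAMPLE_BAD_SERVICE_KEY))
    print(redact(SAMPLE_SERVICE_KEY))
```

Run it against the saved text file with `validate_service_key(open("service-key.json").read())`; keep the unredacted file off shared drives, since the clientSecret grants whatever role the service principal was created with.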

Storing the credential in Prisma Cloud

Store the service principal’s credentials in Console so that Prisma Cloud can authenticate with Azure for scanning.
  1. Open Console, and go to Manage > Authentication > Credentials Store.
  2. Click Add credential, and enter the following values:
    1. Enter a descriptive for the credential.
    2. In the field, select
    3. Enter the Service Key. Copy and paste the contents of the text file you saved earlier when you created the service principal.
    4. Save your changes.