1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Agentless Scanning
    6. Onboard Accounts for Agentless Scanning
    7. Onboard Azure Accounts for Agentless Scanning

    Onboard Azure Accounts for Agentless Scanning

    Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without having to install an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Currently, Prisma Cloud supports agentless scanning on Azure hosts, containers, and clusters for vulnerabilities and compliance. To learn more about how agentless scanning works, refer to our article on Agentless scanning architecture.
    This guide enables Agentless scanning for Prisma Cloud Enterprise Edition (PCEE or SaaS) in Azure. The procedure shows you how to complete the following tasks.

    Get the Needed Azure Account Details

    1. Log in to Azure with the Azure CLI.
    2. Query Azure for your tenant and subscription IDs. .
      az account list
    3. Copy the output which is similar to the following example. In the output, identify the tenantId tenant ID and the id of the subscription.
          "cloudName": "AzureCloud",
	    "homeTenantId": <This value is not needed>,
	    "id": <This is the subscription ID>,
	    "isDefault": true,
	    "managedByTenants": [],
    		    "name": "Azure",
	    "state": "Enabled",
	    "tenantId": <This is the tenant ID>,
	    "user": {
	      "name": "jdoe@example.onmicrosoft.com",
	      "type": "user"
           }

    Onboard Azure Cloud Account

    1. Log in to the Prisma Cloud administrative console.
    2. Select
      Settings > Cloud Accounts
      .
    3. Click
      Add Cloud Account
      .
    4. Select the
      Azure
       tile.
    5. Provide the following information in the
      Get Started
       page.
      1. Account Name
        : A unique identity for your Azure tenant in Prisma Cloud.
      2. Onboard
        : Select
        Azure Subscription
        .
      3. Azure Cloud Type
        : Choose either
        Commercial
         or
        Government
        .
    6. Click
      Next
      .
    7. Select the
      Security Capabilities
       you need. The
      Agentless Scanning
       and
      Serverless Function Scanning
       are enabled by default.
    8. Click
      Next
      .
    9. Provide the following information in the
      Configure Account
       page.
      1. Enter the value of the tenantId field in the Azure output as the
        Directory (Tenant) ID
        .
      2. Enter the value of the id field in the Azure output as the
        Subscription ID
        .
    10. Click
      Next
      .
    11. Complete the following steps to provide the information needed in the
      Account Details
       page.
      1. Click
        Download Terraform Script
         and save the script to a system with terraform installed that is authenticated to Azure via the Azure CLI.
      2. In that system, initialize the script with the following command.
         terraform init
      3. Apply the script with the following command and confirm when prompted.
        terraform apply
      5. Use those values to fill out the information in
        Account Details
         page.
    13. Select the account group in Prisma Cloud to associate with your Azure tenant in the
      Assign Account Groups
       page.
    14. Click
      Save
      .

    Configure Agentless Scanning

    1. Log in to the Prisma Cloud administrative console.
    2. Select
      Compute > Manage > Cloud Accounts
      .
    3. Click the edit button of your cloud account.
    4. Go to the
      Agentless Scanning
       section.
    5. Expand the
      Advanced settings
       and provide the following information.
      1. Enable
        Permissions check
         to verify that the custom role permissions are correct before running a scan.
      2. Enter a
        Proxy
         value if traffic leaving your Azure tenant uses a proxy.
      3. Under
        Scan scope
         you can choose
        All regions
         to scan for VMs in all Azure regions. If you choose
        Custom regions
        , enter the Azure region in which you want Prisma Cloud to scan for VMs.
      4. Enter tags under
        Exclude VMs by tags
         to further limit the scope of the scan.
      5. Choose whether or not to
        Scan non running hosts
      6. Choose whether or not to enable
        Auto-scale scanning
        . If you disable auto-scale, specify number of scanners Prisma Cloud should employ.
      7. Enter the
        Security group ID
         and
        Subnet ID
         that are created to allow the Prisma Cloud console to communicate back with Azure. If left blank, the default name of the created resource group is PCCAgentlessScanResourceGroup and the default name of the created security group is PCCAgentlessScanSecurityGroup.
    6. Click
      Next
      .
    7. In the
      Discovery features
       page, leave the
      Cloud discovery
       settings unchanged.
    8. Click
      Save
      .

    Start an Agentless Scan

    Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
    Manage > System > Scan
     page under
    Scheduling > Agentless
    .
    To manually start a scan, complete the following steps.
    1. Go to
      Compute > Manage > Cloud accounts
      .
    2. Click the scan icon on the top right corner of the accounts table.
    3. Click
      Start Agentless scan
      .
    4. Click the scan icon in the top right corner of the console to view the scan status.
    5. View the results.
      1. Go to
        Compute > Monitor > Vulnerabilities > Hosts
         or
        Compute > Monitor > Vulnerabilities > Images
        .
      2. Click on the
        Filter hosts
         text bar.
      3. Select the
        Scanned by
         filter.