1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Azure Account
    7. Add an Azure Active Directory Tenant on Prisma Cloud

    Add an Azure Active Directory Tenant on Prisma Cloud

    Add your Azure Active Directory commercial tenant on Prisma Cloud to monitor for security violations and enforce compliance.
    Connecting Prisma ™ Cloud to your Azure commercial tenant (without management groups) enables you to ingest your Azure Active Directory metadata for security violations. These onboarding workflows provides you two options for onboarding your Azure Active Directory tenant without management groups: with Terraform to automatically create your Azure resources, or manually using Azure Portal.

    Add an Azure Active Directory Tenant—Automatic

    This workflow uses Terraform to automatically create your Azure Active Directory metadata to onboard to Prisma Cloud for continuous security monitoring.
    1. Select Azure as the cloud type to onboard.
      1. Select
        Settings
        Cloud Accounts
        Add Cloud Account
        Azure
        .
    2. Configure the initial onboarding options.
      • Cloud Account Name
        —Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
      • Onboard
        —Select
        Azure Tenant
         to onboard your Azure AD tenant.
      • Azure Cloud Type
        —Select
        Commercial
         to onboard your Microsoft Azure (Commercial) account.
      • Onboard Azure Management Groups and Subscriptions
        —Deselect this option to exclude onboarding management groups and click
        Next
        .
      • Select Mode
        —Select
        Monitor
         to provide Prisma Cloud with read-only access, or
        Monitor and Protect
         for read-write access, and then click
        Next
        .
        The steps for Monitor and Monitor and Protect are identical onwards.
    3. Enter your Azure application data into Prisma Cloud.
      The Azure application details to capture are as follows:
      • Application (Client) ID
        —A public identifier for your app registration.
      • Application Client Secret
        —A secret string that the app uses to prove its identity when requesting a token. Also can be referred to as the application password.
      • Enterprise Application Object ID
        —A unique value for the enterprise application.
      1. Download the Terraform script from the Prisma Cloud user interface.
      2. Log in to Azure shell.
      3. Upload the Terraform script to Azure portal by clicking the
        Upload/Download
         files ( ) button in the Azure CLI.
      4. Run the following Terraform commands:
        • terraform init
        • terraform apply
        • Copy the
          Application (Client) ID
          ,
          Application Client Secret
          , and
          Enterprise Application Object ID
           to a secure location on your computer.
      5. Grant admin consent.
        • Click on the
          e_consent_link
           link which will redirect you to the
          API permissions
           section in Azure portal.
        • Click
          Grant admin consent for Default Directory
           and select
          Yes
          .
          A success message should appear with the text
          grant consent successful
          .
        • Verify that the status column has green check marks.
      6. Enter your
        Application (Client) ID
        ,
        Application Client Secret
        , and
        Enterprise Application Object ID
         details into the Prisma Cloud UI and click
        Next
        .
    4. Add account groups.
      Select the
      Account Groups
       you want to add and click
      Next
      . You must assign each cloud account to an account group, and to associate the account group with it to generate alerts when a policy violation occurs.
    5. Verify the
      Status
       and click
      Done
       to save your changes.
      If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays a green check mark.

    Add an Azure Active Directory Tenant—Manual

    Add your Azure Active Directory commercial tenant on Prisma Cloud to monitor the metadata for security violations and enforce compliance using the manual workflow.
    This uses the manual workflow of registering an app in Azure portal and connecting it to Prisma Cloud using APIs—this enables you to ingest your Azure Active Directory metadata so that you can monitor it for security violations.
    1. Select Azure as the cloud type to onboard.
      1. Select
        Settings
        Cloud Accounts
        Add Cloud Account
        Azure
        .
    2. Configure the initial onboarding options.
      • Cloud Account Name
        —Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
      • Onboard
        —Select
        Azure Tenant
         to onboard your Azure AD tenant.
      • Azure Cloud Type
        —Select
        Commercial
         to onboard your Microsoft Azure (Commercial) account.
      • Onboard Azure Management Groups and Subscriptions
        —Deselect this option to exclude onboarding management groups and click
        Next
        .
      • Select Mode
        —Select
        Monitor
         to provide Prisma Cloud with read-only access, or
        Monitor and Protect
         for read-write access, and then click
        Next
        .
        Note: The steps for Monitor and Monitor and Protect are identical onwards.
    3. Enter your Directory (Tenant) ID and
      Next
      .
    4. Register an app on Azure Active Directory (Azure AD).
      To register an app on Azure AD, ensure that you have access to the following prerequisites:
      • A Prisma Cloud tenant with permissions to onboard a cloud account.
      • Access to Azure portal with the permissions to:
        • Create an app registration (service principal).
        • Create a custom role.
        • Assign IAM roles at the tenant root level.
        • Assign GraphAPI permissions at the tenant level.
        • Grant admin consent for Azure AD Graph APIs.
    5. Register a new app.
      1. Log in to Azure portal.
      2. Select
        Azure Active Directory
        App registrations
        + New registration
        .
      3. Enter the application name.
      4. Select the supported account types.
        You have the options of choosing from single tenant, multitenant, multitenant and personal Microsoft accounts, or personal Microsoft accounts only.
      5. Optional
        —Enter the Redirect URI.
        The authentication response of the app will be returned to this URI.
      6. Click
        Register
        .
      7. Copy
        Application (client) ID
         and
        Directory (tenant) ID
         to a secure location on your computer. You will later enter these details into the Prisma Cloud UI.
    6. Create the client secret.
      The client secret is a secret string that the application uses to prove its identity when requesting a token.
      1. Select
        Certificates & secrets
        + New client secret
        .
      2. Enter a client
        Description
        , select
        Expires
         to configure how long the client secret lasts, and
        Add
        .
      3. Copy
        Value
         to a secure location.
      Make sure that you copy
      Value
       and not
      Secret ID
      .
    7. Get the Object ID.
      1. Select
        Azure Active Directory
        Enterprise applications
        , and search for the app you previously created in the search box.
      2. Copy
        Object ID
         to a secure location on your computer.
        Make sure that you get the
        Object ID
         for the Prisma Cloud application from
        Enterprise Applications
        All applications
         on the Azure portal—not from
        App Registrations
        .
    8. Add the Microsoft Graph APIs.
      1. Navigate to the app you previously registered.
        Select
        Azure Active Directory
        App registrations
        , and select your app.
      2. Navigate to Microsoft Graph.
        Select
        API permissions
        + Add a permission
        Microsoft Graph
        Application permissions
        .
      3. Add the permissions.
        Enter the permission name in
        Select permissions
        , and select the name from
        Permission
        .
        Add the following permissions:
        • User.Read.All
        • Policy.Read.All
        • Group.Read.All
        • GroupMember.Read.All
        • Reports.Read.All
        • Directory.Read.All
        • Domain.Read.All
        • Application.Read.All
    9. Enter your account details.
      Enter your
      Application (Client) ID
      ,
      Application Client Secret
      , and
      Enterprise Application Object ID
      , and click
      Next
      .
    10. Add account groups.
      Navigate back to the Prisma Cloud UI, and select the
      Account Groups
       you want to add and click
      Next
      .You must assign each cloud account to an account group, and to associate the account group with it to generate alerts when a policy violation occurs.
    11. Verify the
      Status
       and
      Save
       to save your changes.
      If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays a green check mark for the Active Directory permissions status along with Azure Active Directory Authentication.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo