1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Azure Account
    7. Add an Azure Active Directory Account on Prisma Cloud

    Add an Azure Active Directory Account on Prisma Cloud

    Add your Azure Active Directory account on Prisma Cloud to retrieve information on your users.
    Connecting Prisma™ Cloud to monitor your Azure Active Directory enables you to retrieve information on your users who access resources deployed within your Azure subscription.
    This feature is available as a
    Limited GA
    , and to try it please contact Palo Alto Networks Customer Success.
    1. Authorize an Azure Active Directory application to read user profile information.
      1. Log in to the Azure portal.
      2. Select
        Azure Active Directory
        App Registrations
        .
      3. Select the application from the list and select
        API Permissions
        Add a Permission
        .
      4. Select
        Microsoft Graph
        Application Permissions
        This allows you to allow the application to access the Microsoft Graph APIs.
      5. Select the permission
        user.read.all
        , and
        Add Permission
        .
        The permission you added allows the app to read user profiles without a signed in user.
        This permission requires admin consent. An Azure AD tenant administrator must grant these permissions by making a call to the admin consent endpoint.
        azure-ad-api-permission.png
    2. Collect the details for the Active Directory app.
      1. Log in to the Azure portal.
      2. Get the
        Directory (tenant) ID
        .
        azure-ad-add-info.png
      3. Get the
        Application (client) ID
         and
        Object ID
        .
        You must enter the Object ID as the Enterprise Application Object ID in Step 3-d.
        azure-ad-info-2.png
      4. Get the
        Application Key
        .
        azure-ad-info-3.png
    3. Add your Azure Active Directory on Prisma Cloud.
      1. Access Prisma Cloud and select
        Settings
        Cloud Accounts
        Add New
        .
      2. Enter a
        Cloud Account Name
        .
      3. Select
        Onboard using Azure Active Directory
      4. Select
        Cloud Type
         Azure and the
        Commercial
         or
        Government
         environment where your AD resources are deployed, click
        Next
        .
      5. Enter your Azure
        Directory (Tenant) ID
        ,
        Application (Client) ID
        ,
        Application Client Secret
         and
        Enterprise Application Object ID
        .
        azure-ad-add-0.png
        azure-ad-add-1.png
      6. Select the
        Account Groups
         you want to add and click
        Next
        .
        You must assign each cloud account to an account group, and Create an Alert Rule to associate the account group with it to generate alerts when a policy violation occurs.
      7. Verify the
        Status
         and
        Done
         to save your changes.
        If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays a green check mark.
        add-azure-ad-status.png
    4. Verify that you can view the information on your Azure Active Directory users on Prisma Cloud.
      1. Log in to Prisma Cloud.
      2. Select
        Investigate
         and enter the following RQL query to view details on your Azure Active Directory users. 
        config where cloud.type = 'azure' AND api.name = 'azure-active-directory-user' AND json.rule = userType equals "Guest"
        azure-ad-20-8-1.png

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo