Add an Azure Active Directory Tenant—Manual

Select Azure as the cloud type to onboard.

Select
Settings
Cloud Accounts
Add Cloud Account
Azure
.

Configure the initial onboarding options.

Cloud Account Name
—Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
Onboard
—Select
Azure Tenant
to onboard your Azure AD tenant.
Azure Cloud Type
—Select
Commercial
to onboard your Microsoft Azure (Commercial) account.
Onboard Azure Management Groups and Subscriptions
—Deselect this option to exclude onboarding management groups and click
Next
.
Select Mode
—Select
Monitor
to provide Prisma Cloud with read-only access, or
Monitor and Protect
for read-write access, and then click
Next
.
Note: The steps for Monitor and Monitor and Protect are identical onwards.



Enter your Directory (Tenant) ID and

Next

.



Register an app on Azure Active Directory (Azure AD).

To register an app on Azure AD, ensure that you have access to the following prerequisites:

A Prisma Cloud tenant with permissions to onboard a cloud account.
Access to Azure portal with the permissions to:
Create an app registration (service principal).
Create a custom role.
Assign IAM roles at the tenant root level.
Assign GraphAPI permissions at the tenant level.
Grant admin consent for Azure AD Graph APIs.

Register a new app.

Log in to Azure portal.
Select
Azure Active Directory
App registrations
+ New registration
.
Enter the application name.
Select the supported account types.
You have the options of choosing from single tenant, multitenant, multitenant and personal Microsoft accounts, or personal Microsoft accounts only.
Optional
—Enter the Redirect URI.
The authentication response of the app will be returned to this URI.
Click
Register
.

Copy
Application (client) ID
and
Directory (tenant) ID
to a secure location on your computer. You will later enter these details into the Prisma Cloud UI.

Create the client secret.

The client secret is a secret string that the application uses to prove its identity when requesting a token.

Select
Certificates & secrets
+ New client secret
.
Enter a client
Description
, select
Expires
to configure how long the client secret lasts, and
Add
.
Copy
Value
to a secure location.



Make sure that you copy

Value

and not

Secret ID

.

Get the Object ID.

Select
Azure active directory
Enterprise applications
, and search for the app you previously created in the search box.

Copy
Object ID
to a secure location on your computer.
Make sure that you get the
Object ID
for the Prisma Cloud application from
Enterprise Applications
All applications
on the Azure portal—not from
App Registrations
.

Add the Microsoft Graph APIs.

Navigate to the app you previously registered.

Select

Azure Active Directory

App registrations

, and select your app.

Navigate to Microsoft Graph.

Select

API permissions

+ Add a permission

Microsoft Graph

Application permissions

.

Add the permissions.

Enter the permission name in

Select permissions

, and select the name from

Permission

.



Add the following permissions:

User.Read.All

Policy.Read.All

Group.Read.All

GroupMember.Read.All

Reports.Read.All

Directory.Read.All

Domain.Read.All

Application.Read.All

Enter your account details.

Enter your

Application (Client) ID

,

Application Client Secret

, and

Enterprise Application Object ID

, and click

Next

.



Add account groups.

Navigate back to the Prisma Cloud UI, and select the

Account Groups

you want to add and click

Next

.You must assign each cloud account to an account group, and to associate the account group with it to generate alerts when a policy violation occurs.

Verify the

Status

and

Done

to save your changes.

If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays a green check mark.