Add an Azure Active Directory Account on Prisma Cloud

Add your Azure Active Directory account on Prisma Cloud to retrieve information on your users.
Connecting Prisma™ Cloud to monitor your Azure Active Directory enables you to retrieve information on your users who access resources deployed within your Azure subscription.
This feature is available as a Limited GA; to try it, contact Palo Alto Networks Customer Success.
  1. Authorize an Azure Active Directory application to read user profile information.
    1. Log in to the Azure portal.
    2. Select Azure Active Directory > App Registrations.
    3. Select the application from the list and select API Permissions > Add a Permission.
    4. Select Microsoft Graph > Application Permissions. This allows the application to access the Microsoft Graph APIs without a signed-in user.
    5. Select the permission User.Read.All and click Add Permission.
      The permission you added allows the app to read user profiles without a signed-in user.
      This permission requires admin consent. An Azure AD tenant administrator must grant it by making a call to the admin consent endpoint.
  2. Collect the details for the Active Directory app.
    1. Log in to the Azure portal.
    2. Get the Directory (tenant) ID.
    3. Get the Application (client) ID and Object ID.
      You must enter the Object ID as the Enterprise Application Object ID in Step 3-e.
    4. Get the Application Key.
  3. Add your Azure Active Directory on Prisma Cloud.
    1. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
    2. Enter a Cloud Account Name.
    3. Select Onboard using Azure Active Directory.
    4. Select Cloud Type Azure and the Commercial or Government environment where your AD resources are deployed, then click Next.
    5. Enter your Azure Directory (Tenant) ID, Application (Client) ID, Application Client Secret and Enterprise Application Object ID.
    6. Select the Account Groups you want to add and click Next.
      You must assign each cloud account to an account group, and create an Alert Rule associated with that account group so that alerts are generated when a policy violation occurs.
    7. Verify the Status and click Done to save your changes.
      If Prisma Cloud is able to validate the credentials by making an authentication call with the credentials you entered in the previous step, it displays a green check mark.
  4. Verify that you can view the information on your Azure Active Directory users on Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select Investigate and enter the following RQL query to view details on your Azure Active Directory users:
      config where cloud.type = 'azure' AND api.name = 'azure-active-directory-user' AND json.rule = userType equals "Guest"
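Before handing the app registration to Prisma Cloud, it is worth reproducing the two checks the procedure relies on: that an administrator has granted tenant-wide consent for the application permission from Step 1, and that the client credentials from Step 2 actually yield an app-only Microsoft Graph token carrying that permission (the same kind of authentication call Prisma Cloud makes in Step 3-g). The script below is an added example, not Prisma Cloud's or Microsoft's code. It assumes the public Azure AD v2.0 endpoints shown in the URLs; the tenant, client and secret values, and the unsigned sample token used for the offline check, are constructed placeholders. Only `acquire_token()` touches the network; the role check inspects the token payload locally and does not replace signature verification, which Graph performs when the token is presented.

```python
"""Pre-onboarding checks for the Azure AD app registration used by Prisma Cloud.

Added example (not Prisma Cloud's own code). Assumes the Azure AD v2.0
admin-consent and token endpoints; sample IDs and the sample token are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permission added in Step 1-e (written User.Read.All in Azure AD).
REQUIRED_ROLE = "User.Read.All"


def admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Tenant-wide admin consent URL an Azure AD administrator must open (Step 1-e)."""
    query = urllib.parse.urlencode({"client_id": client_id})
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{query}"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form body for the OAuth 2.0 client-credentials grant (no signed-in user)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return url, body


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """The authentication call from Step 3-g: exchange app credentials for a Graph token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode())
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> list:
    """Application permissions granted to an app-only token appear in its 'roles' claim.

    Payload inspection only: the signature is verified by Graph, not here.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload.get("roles", [])


def has_required_permission(access_token: str) -> bool:
    """True when the token carries the permission Prisma Cloud needs to read user profiles."""
    return REQUIRED_ROLE in token_roles(access_token)


def sample_token(roles: list) -> str:
    """Constructed, unsigned JWT for offline testing; not a real Azure AD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}.unsigned"


if __name__ == "__main__":
    # Constructed placeholder values; replace with the IDs collected in Step 2.
    TENANT, CLIENT, SECRET = "<tenant-id>", "<client-id>", "<client-secret>"
    print("Admin consent URL:", admin_consent_url(TENANT, CLIENT))
    token = acquire_token(TENANT, CLIENT, SECRET)  # network call
    print("Token roles:", token_roles(token))
    print("Ready for Prisma Cloud:", has_required_permission(token))
```

If `has_required_permission()` is false on a live token even though User.Read.All shows as added in the portal, the usual cause is that admin consent was never granted, which is exactly the case the Step 3-g status check will report as a failure.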
