Add Azure Active Directory Tenant With Management Groups—Manual

Select Azure as the cloud type to onboard on Prisma Cloud.

Access Prisma Cloud.
Select
Settings
Cloud Accounts
Add Cloud Account
Azure
.

Configure the initial onboarding options.

Cloud Account Name
—Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
Onboard
—Select
Azure Tenant
to onboard your Azure AD tenant.
Azure Cloud Type
—Select
Commercial
to onboard your Microsoft Azure (Commercial) account.
Onboard Azure Management Groups and Subscriptions
—Leave this check box enabled to achieve all the Azure Management Groups and Subscriptions associated with the tenant.
Select Mode
—Select
Monitor
to provide Prisma Cloud with read-only access, or
Monitor and Protect
for read-write access, and then click
Next
.
Note: The steps for Monitor and Monitor and Protect are identical onwards.



Enter your Directory (Tenant) ID.

Log in to Azure Portal.
Click the clipboard ( ) icon to copy the
Tenant ID
, and then paste it into the Prisma Cloud UI and click
Next
.

Enter your Azure application data into Prisma Cloud.

The Azure application details to capture are as follows:

Application (Client) ID
—A public identifier for your app registration.
Application Client Secret
—A secret string that the app uses to prove its identity when requesting a token. Also can be referred to as the application password.
Enterprise Application Object ID
—A unique value for the enterprise application.
(
Optional
)
Enable Network Security Flow Logs
—If you want to view NSG flow logs on Prisma Cloud, ensure that
Ingest and Monitor Network Security Group Flow Logs
is selected.



If

Ingest and Monitor Network Security Group Flow Logs

is selected on Prisma Cloud, authenticate into Azure portal and complete the following steps:

Enable Network Watcher and register Insights provider.
Create a storage account on Azure for NSG flow logs.
Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.
If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend you set retention to at least 15 days.
Enable NSG flow logs.

Click

Next

.

Register an app on Azure Active Directory (Azure AD).

To register an app on Azure AD, ensure that you have access to the following prerequisites:

A Prisma Cloud tenant with permissions to onboard a cloud account.
Access to Azure portal with the permissions to:
Create an app registration (service principal).
Create a custom role.
Assign IAM roles at the tenant root level.
Assign GraphAPI permissions at the tenant level.
Grant admin consent for Azure AD Graph APIs.

Follow the instructions in the Azure Cloud Account Onboarding Checklist to elevate access for a Global Administrator.

Create the client secret.

The client secret is a secret string that the application uses to prove its identity when requesting a token.

Select
Certificates & secrets
+ New client secret
.
Enter a client
Description
, select
Expires
to configure how long the client secret lasts, and
Add
.
Copy
Value
to a secure location.



Make sure that you copy

Value

and not

Secret ID

.

Get the Object ID.

Select
Azure Active Directory
Enterprise applications
, and search for the app you previously created in the search box.

Copy
Object ID
to a secure location on your computer.
Make sure that you get the
Object ID
for the Prisma Cloud application from
Enterprise Applications
All applications
on the Azure portal—not from
App Registrations
.

Add roles to the root group.

The following roles should be added to the root group:

Reader
Reader and Data Access
Network Contributor
Storage Account Contributor
Optional
custom role

To add these roles, click

Home

under header to get back to azure portal.

Add role assignment.

Select
Management groups
Tenant Root Group
(your azure subscription)
Access control (IAM)
Role assignments
+ Add
Add role assignment
.
Search by role
—Enter the name of the role you want to search for in the search box—for example—
reader
. Click on the role name in the results, and then
Next
.
Select members
—Modify
Assign access to
to assign the role to a
User, group, or service principal
—or—
Managed identity
. Click
+Select members
and then type in the name of the app you previously created in the search box to assign the role to your app. Click
Select
and then
Next
.
Click
Review + assign
.

Repeat these steps to add the
Reader and Data Access
,
Network Contributor
, and
Storage Account Contributor
roles.

Verify that all the roles have been added.

Select

Role assignments

.

Enter the name of your app in the search form and view the roles that have been added.



Add the Microsoft Graph APIs.

Navigate to the app you previously registered.

Select

Azure Active Directory

App registrations

, and select your app.

Navigate to Microsoft Graph.

Select

API permissions

+ Add a permission

Microsoft Graph

Application permissions

.

Add the permissions.

Enter the permission name in

Select permissions

, and select the name from

Permission

.



Add the following permissions:

User.Read.All

Policy.Read.All

Group.Read.All

GroupMember.Read.All

Reports.Read.All

Directory.Read.All

Domain.Read.All

Application.Read.All

Grant admin consent for Default Directory.

Select

Grant admin consent for Default Directory

Yes

.

Verify that the permissions are granted.

You should see green check marks under the

Status

column.



Choose monitored subscriptions.

Choose if you want to monitor all subscriptions, select a few, or exclude some.

These options will only appear if you enable

Onboard Azure Management Groups and Subscriptions

. You have the option to modify these settings after you onboarded your Azure account.

All Subscriptions

—Use this option to automatically onboard all new subscriptions or management groups under

root: x



Include a subset

—Use this option to select only a few subscription and management groups to be monitored. You can select them from the hierarchy:



Exclude a subset

—Use this option to exclude only a few subscription and management groups to be monitored. You can select them from the hierarchy:



Select the

Default Account Group

you want to add and click

Next

.



You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.

Verify the

Status

and

Done

to save your changes.

If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays green check marks.