Add an Azure Active Directory Tenant With Management Groups
Add your Azure commercial tenant to Prisma Cloud with
optional management groups so that you can group your organization’s
cloud resources into a logical hierarchy.
Connecting Prisma™ Cloud to your Microsoft
Azure (commercial) tenant with optional management groups enables
you to ingest the cloud resources and configuration metadata so
that Prisma Cloud can group these cloud resources into a logical
hierarchy. You have two options for onboarding your Azure Active
Directory (Azure AD) tenant to Prisma Cloud: with Terraform, which automatically
creates your Azure resources, or through the Azure portal, where you
create your Azure resources manually.
Add Azure Active Directory Tenant With Management Groups—Automatic
Connect your Azure Active Directory Tenant
with management groups to Prisma Cloud using the automatic workflow.
- Select Azure as the cloud type to onboard on Prisma Cloud.
- Select Settings > Cloud Accounts > Add Cloud Account > Azure.
- Configure the initial onboarding options.
- Cloud Account Name—Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
- Onboard—Select Azure Tenant to onboard your Azure AD tenant.
- Azure Cloud Type—Select Commercial to onboard your Microsoft Azure (Commercial) account.
- Onboard Azure Management Groups and Subscriptions—Leave this check box enabled to retrieve all the Azure Management Groups and Subscriptions associated with the tenant.
- Select Mode—Select Monitor to provide Prisma Cloud with read-only access, or Monitor and Protect for read-write access, and then click Next. Note: from this point on, the steps for Monitor and for Monitor and Protect are identical.
- Enter your Directory (Tenant) ID.
- Log in to Azure Portal.
- Click the clipboard icon to copy the Tenant ID, and then paste it into the Prisma Cloud UI and click Next.
- Enter your Azure application data into Prisma Cloud. The Azure application details to capture are as follows:
- Application (Client) ID—A public identifier for your app registration.
- Application Client Secret—A secret string that the app uses to prove its identity when requesting a token; also referred to as the application password.
- Enterprise Application Object ID—A unique value for the enterprise application.
- Download the Terraform script from the Prisma Cloud user interface.
- Log in to Azure shell.
- Elevate access for a Global Administrator to enable Prisma Cloud access to Azure subscriptions or management groups.
- Upload the Terraform script to the Azure portal by clicking the Upload/Download files button in the Azure CLI.
- Run the following Terraform commands:
- terraform init
- terraform apply
- Copy the Application (Client) ID, Application Client Secret, and Enterprise Application Object ID to a secure location on your computer.
- Grant admin consent.
- Click on the e_consent_link link, which redirects you to the API permissions section in the Azure portal.
- Click Grant admin consent for Default Directory and select Yes. A success message should appear with the text grant consent successful.
- Verify that the status column has green check marks.
- Enter your Application (Client) ID, Application Client Secret, and Enterprise Application Object ID details into the Prisma Cloud UI.
- Optional—Enable Network Security Group Flow Logs. If you want to view the NSG flow logs on Prisma Cloud, ensure that Ingest and Monitor Network Security Group Flow Logs is enabled. If you enable this option on Prisma Cloud, authenticate into the Azure portal and complete the following tasks:
- Create a storage account on Azure for NSG flow logs. Your Azure storage account stores the flow logs that Prisma Cloud requires to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic. If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend that you set retention to at least 15 days.
- Click Next.
- Choose monitored subscriptions. Choose whether you want to monitor all subscriptions, select a few, or exclude some. These options appear only if you enabled Onboard Azure Management Groups and Subscriptions. You can modify these settings after you have onboarded your Azure account.
- All Subscriptions—Use this option to automatically onboard all new subscriptions or management groups under root.
- Include a subset—Use this option to select only a few subscriptions and management groups to be monitored. You can select them from the hierarchy.
- Exclude a subset—Use this option to exclude a few subscriptions and management groups from monitoring. You can select them from the hierarchy.
- Select the Default Account Group you want to add and click Next. You must assign each cloud account to an account group, and then Create an Alert Rule for Run-Time Checks associated with that account group so that alerts are generated when a policy violation occurs.
- Verify the Status and click Done to save your changes. If Prisma Cloud can validate the credentials by making an authentication call with the credentials you provided in the previous step, it displays green check marks.
Add Azure Active Directory Tenant With Management Groups—Manual
Connect your Azure Active Directory Tenant
with management groups to Prisma Cloud using the manual workflow.
- Select Azure as the cloud type to onboard on Prisma Cloud.
- Select Settings > Cloud Accounts > Add Cloud Account > Azure.
- Configure the initial onboarding options.
- Cloud Account Name—Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
- Onboard—Select Azure Tenant to onboard your Azure AD tenant.
- Azure Cloud Type—Select Commercial to onboard your Microsoft Azure (Commercial) account.
- Onboard Azure Management Groups and Subscriptions—Leave this check box enabled to retrieve all the Azure Management Groups and Subscriptions associated with the tenant.
- Select Mode—Select Monitor to provide Prisma Cloud with read-only access, or Monitor and Protect for read-write access, and then click Next. Note: from this point on, the steps for Monitor and for Monitor and Protect are identical.
- Enter your Directory (Tenant) ID.
- Log in to Azure Portal.
- Click the clipboard icon to copy the Tenant ID, and then paste it into the Prisma Cloud UI and click Next.
- Enter your Azure application data into Prisma Cloud. The Azure application details to capture are as follows:
- Application (Client) ID—A public identifier for your app registration.
- Application Client Secret—A secret string that the app uses to prove its identity when requesting a token; also referred to as the application password.
- Enterprise Application Object ID—A unique value for the enterprise application.
- (Optional) Enable Network Security Flow Logs—If you want to view NSG flow logs on Prisma Cloud, ensure that Ingest and Monitor Network Security Group Flow Logs is selected.
If Ingest and Monitor Network Security Group Flow Logs is selected on Prisma Cloud, authenticate into the Azure portal and complete the following steps:
- Create a storage account on Azure for NSG flow logs. Your Azure storage account stores the flow logs that Prisma Cloud requires to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic. If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend that you set retention to at least 15 days.
- Click Next.
- Register an app on Azure Active Directory (Azure AD). To register an app on Azure AD, ensure that you have access to the following prerequisites:
- A Prisma Cloud tenant with permissions to onboard a cloud account.
- Access to Azure portal with the permissions to:
- Create an app registration (service principal).
- Create a custom role.
- Assign IAM roles at the tenant root level.
- Assign GraphAPI permissions at the tenant level.
- Grant admin consent for Azure AD Graph APIs.
- Follow the instructions in the Azure Cloud Account Onboarding Checklist to elevate access for a Global Administrator.
- Create the client secret. The client secret is a secret string that the application uses to prove its identity when requesting a token.
- Select Certificates & secrets > + New client secret.
- Enter a client Description, select Expires to configure how long the client secret lasts, and click Add.
- Copy Value to a secure location. Make sure that you copy Value and not Secret ID.
- Get the Object ID.
- Select Azure Active Directory > Enterprise applications, and search for the app you previously created in the search box.
- Copy Object ID to a secure location on your computer. Make sure that you get the Object ID for the Prisma Cloud application from Enterprise Applications > All applications on the Azure portal—not from App Registrations.
- Add roles to the root group. Add the following roles to the root group: Reader, Reader and Data Access, Network Contributor, and Storage Account Contributor.
- To add these roles, click Home under the header to return to the Azure portal.
- Add role assignment.
- Select Management groups > Tenant Root Group (your Azure subscription) > Access control (IAM) > Role assignments > + Add > Add role assignment.
- Search by role—Enter the name of the role you want in the search box, for example, Reader. Click the role name in the results, and then click Next.
- Select members—Under Assign access to, choose User, group, or service principal (or Managed identity). Click + Select members, type the name of the app you previously created in the search box to assign the role to your app, click Select, and then click Next.
- Click Review + assign.
- Repeat these steps to add the Reader and Data Access, Network Contributor, and Storage Account Contributor roles.
- Verify that all the roles have been added.
- Select Role assignments.
- Enter the name of your app in the search form and view the roles that have been added.
- Add the Microsoft Graph APIs.
- Navigate to the app you previously registered. Select Azure Active Directory > App registrations, and select your app.
- Navigate to Microsoft Graph. Select API permissions > + Add a permission > Microsoft Graph > Application permissions.
- Add the permissions. Enter the permission name in Select permissions, and select the name from Permission. Add the following permissions:
- User.Read.All
- Policy.Read.All
- Group.Read.All
- GroupMember.Read.All
- Reports.Read.All
- Directory.Read.All
- Domain.Read.All
- Application.Read.All
- Grant admin consent for Default Directory.
- Select Grant admin consent for Default Directory, and then select Yes.
- Verify that the permissions are granted. You should see green check marks under the Status column.
- Choose monitored subscriptions. Choose whether you want to monitor all subscriptions, select a few, or exclude some. These options appear only if you enabled Onboard Azure Management Groups and Subscriptions. You can modify these settings after you have onboarded your Azure account.
- All Subscriptions—Use this option to automatically onboard all new subscriptions or management groups under root.
- Include a subset—Use this option to select only a few subscriptions and management groups to be monitored. You can select them from the hierarchy.
- Exclude a subset—Use this option to exclude a few subscriptions and management groups from monitoring. You can select them from the hierarchy.
- Select the Default Account Group you want to add and click Next. You must assign each cloud account to an account group, and then Create an Alert Rule for Run-Time Checks associated with that account group so that alerts are generated when a policy violation occurs.
- Verify the Status and click Done to save your changes. If Prisma Cloud can validate the credentials by making an authentication call with the credentials you provided in the previous step, it displays green check marks.
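As an added check for the "Verify that all the roles have been added" and "Verify that the permissions are granted" steps of the manual workflow (example code written for this page, not Prisma Cloud's or Microsoft's), the Python below compares exported Azure role assignments and Graph app role assignments against the roles and permissions those steps require. The Azure CLI commands named in its docstring and every ID in the sample data are assumptions; the samples are constructed.

```python
"""Offline check for the two verification steps in the manual workflow above.

Added example, not Prisma Cloud or Microsoft code. It runs on parsed JSON that you
export from the Azure CLI (assumed commands):
  assignments          `az role assignment list --assignee <enterprise-app-object-id> --all`
  app_role_assignments `az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/<object-id>/appRoleAssignments`
  graph_app_roles      `appRoles` from `az ad sp show --id 00000003-0000-0000-c000-000000000000`
The samples at the bottom are constructed; their GUIDs are placeholders.
"""

# Roles the page has you assign to the app at the Tenant Root Group.
REQUIRED_ROLES = {"Reader", "Reader and Data Access", "Network Contributor", "Storage Account Contributor"}
# Microsoft Graph application permissions listed on the page.
REQUIRED_GRAPH = {"User.Read.All", "Policy.Read.All", "Group.Read.All", "GroupMember.Read.All",
                  "Reports.Read.All", "Directory.Read.All", "Domain.Read.All", "Application.Read.All"}

def root_scope(tenant_id):
    """The Tenant Root Group is a management group whose ID is the tenant (directory) ID."""
    return f"/providers/Microsoft.Management/managementGroups/{tenant_id}"

def missing_root_roles(assignments, tenant_id):
    """Required roles with no assignment at the tenant root scope (a subscription-level assignment does not count)."""
    present = {a["roleDefinitionName"] for a in assignments if a.get("scope") == root_scope(tenant_id)}
    return sorted(REQUIRED_ROLES - present)

def missing_graph_consent(app_role_assignments, graph_app_roles):
    """Required Graph permissions with no consented app role assignment on the enterprise application."""
    id_to_name = {r["id"]: r["value"] for r in graph_app_roles}
    granted = {id_to_name.get(a["appRoleId"]) for a in app_role_assignments}
    return sorted(REQUIRED_GRAPH - granted)

# Constructed sample data: placeholder tenant, subscription and Graph role IDs.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": root_scope(TENANT_ID)},
    {"roleDefinitionName": "Reader and Data Access", "scope": root_scope(TENANT_ID)},
    {"roleDefinitionName": "Network Contributor", "scope": root_scope(TENANT_ID)},
    # Assigned on one subscription instead of the root group, so the check reports it missing.
    {"roleDefinitionName": "Storage Account Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
]
SAMPLE_GRAPH_ROLES = [{"id": "aaaa0001-0000-0000-0000-000000000000", "value": "User.Read.All"},
                      {"id": "aaaa0002-0000-0000-0000-000000000000", "value": "Directory.Read.All"}]
SAMPLE_GRANTS = [{"appRoleId": "aaaa0001-0000-0000-0000-000000000000"}]  # only one permission consented

if __name__ == "__main__":
    print("roles missing at tenant root:", missing_root_roles(SAMPLE_ASSIGNMENTS, TENANT_ID))
    print("Graph permissions without consent:", missing_graph_consent(SAMPLE_GRANTS, SAMPLE_GRAPH_ROLES))
```

A role assigned on a single subscription is reported as missing on purpose: the page requires the assignment at the Tenant Root Group so that every management group and subscription inherits it.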