Add an Azure Active Directory Tenant With Management Groups

Add your Azure commercial tenant to Prisma Cloud with optional management groups so that you can group your organization’s cloud resources into a logical hierarchy.
Connecting Prisma™ Cloud to your Microsoft Azure (commercial) tenant with optional management groups enables you to ingest the cloud resources and configuration metadata so that Prisma Cloud can group these cloud resources into a logical hierarchy. You have two options for onboarding your Azure Active Directory (Azure AD) tenant to Prisma Cloud: with Terraform which automatically creates your Azure resources, or through Azure portal which enables you to manually creates your Azure resources.

Add Azure Active Directory Tenant With Management Groups—Commercial

Connect your Azure Active Directory Tenant with management groups to Prisma Cloud using the automatic workflow.
  1. Select Azure as the cloud type to onboard on Prisma Cloud.
    1. Select
      Settings
      Cloud Accounts
      Add Cloud Account
      Azure
      .
  2. Configure the initial onboarding options.
    • Cloud Account Name
      —Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
    • Onboard
      —Select
      Azure Tenant
      to onboard your Azure AD tenant.
    • Azure Cloud Type
      —Select
      Commercial
      to onboard your Microsoft Azure (Commercial) account.
    • Onboard Azure Management Groups and Subscriptions
      —Leave this check box enabled to achieve all the Azure Management Groups and Subscriptions associated with the tenant.
    • Select Mode
      —Select
      Monitor
      to provide Prisma Cloud with read-only access, or
      Monitor and Protect
      for read-write access, and then click
      Next
      .
      Note: The steps for Monitor and Monitor and Protect are identical onwards.
  3. Enter your Directory (Tenant) ID.
    1. Log in to Azure Portal.
    2. Click the clipboard ( ) icon to copy the
      Tenant ID
      , and then paste it into the Prisma Cloud UI and click
      Next
      .
  4. Enter your Azure application data into Prisma Cloud.
    The Azure application details to capture are as follows:
    • Application (Client) ID
      —A public identifier for your app registration.
    • Application Client Secret
      —A secret string that the app uses to prove its identity when requesting a token. Also can be referred to as the application password.
    • Enterprise Application Object ID
      —A unique value for the enterprise application.
    1. Download the Terraform script from the Prisma Cloud user interface.
    2. Log in to Azure shell.
    3. Upload the Terraform script to Azure portal by clicking the Upload/Download files ( ) button in the Azure CLI.
    4. Run the following Terraform commands:
      • terraform init
      • terraform apply
      • Copy the
        Application (Client) ID
        ,
        Application Client Secret
        , and
        Enterprise Application Object ID
        to a secure location on your computer.
    5. Grant admin consent.
      • Click on the
        e_consent_link
        link which will redirect you to the
        API permissions
        section in Azure portal.
      • Click
        Grant admin consent for Default Directory
        and select
        Yes
        .
        A success message should appear with the text
        grant consent successful
        .
      • Verify that the status column has green check marks.
    6. Enter your
      Application (Client) ID
      ,
      Application Client Secret
      , and
      Enterprise Application Object ID
      details into the Prisma Cloud UI.
    7. Optional
      —Enable Network Security Group Flow Logs.
      If you want to view the NSG flow logs on Prisma Cloud, ensure that
      Ingest and Monitor Network Security Group Flow Logs
      is enabled.
      If you enable this option on Prisma Cloud, authenticate into Azure Portal and complete the following tasks:
      • Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.
        If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend you set retention to at least 15 days.
  5. Click
    Next
    .
  6. Choose monitored subscriptions.
    Choose if you want to monitor all subscriptions, select a few, or exclude some.
    These options will only appear if you enable
    Onboard Azure Management Groups and Subscriptions
    . You have the option to modify these settings after you onboarded your Azure account.
    • All Subscriptions
      —Use this option to automatically onboard all new subscriptions or management groups under
      root: x
    • Include a subset
      —Use this option to select only a few subscription and management groups to be monitored. You can select them from the hierarchy:
    • Exclude a subset
      —Use this option to exclude only a few subscription and management groups to be monitored. You can select them from the hierarchy:
  7. Select the
    Default Account Group
    you want to add and click
    Next
    .
    You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
  8. Verify the
    Status
    and
    Done
    to save your changes.
    If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays green check marks.

Add Azure Active Directory Tenant With Management Groups—Manual

Connect your Azure Active Directory Tenant with management groups to Prisma Cloud using the manual workflow.
  1. Select Azure as the cloud type to onboard on Prisma Cloud.
    1. Select
      Settings
      Cloud Accounts
      Add Cloud Account
      Azure
      .
  2. Configure the initial onboarding options.
    • Cloud Account Name
      —Enter a descriptive name to represent the cloud account that you will onboard to Prisma Cloud.
    • Onboard
      —Select
      Azure Tenant
      to onboard your Azure AD tenant.
    • Azure Cloud Type
      —Select
      Commercial
      to onboard your Microsoft Azure (Commercial) account.
    • Onboard Azure Management Groups and Subscriptions
      —Leave this check box enabled to achieve all the Azure Management Groups and Subscriptions associated with the tenant.
    • Select Mode
      —Select
      Monitor
      to provide Prisma Cloud with read-only access, or
      Monitor and Protect
      for read-write access, and then click
      Next
      .
      Note: The steps for Monitor and Monitor and Protect are identical onwards.
  3. Enter your Directory (Tenant) ID.
    1. Log in to Azure Portal.
    2. Click the clipboard ( ) icon to copy the
      Tenant ID
      , and then paste it into the Prisma Cloud UI and click
      Next
      .
  4. Enter your Azure application data into Prisma Cloud.
    The Azure application details to capture are as follows:
    • Application (Client) ID
      —A public identifier for your app registration.
    • Application Client Secret
      —A secret string that the app uses to prove its identity when requesting a token. Also can be referred to as the application password.
    • Enterprise Application Object ID
      —A unique value for the enterprise application.
    • (
      Optional
      )
      Enable Network Security Flow Logs
      —If you want to view NSG flow logs on Prisma Cloud, ensure that
      Ingest and Monitor Network Security Group Flow Logs
      is selected.
    If
    Ingest and Monitor Network Security Group Flow Logs
    is selected on Prisma Cloud, authenticate into Azure portal and complete the following steps:
    • Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.
      If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend you set retention to at least 15 days.
  5. Click
    Next
    .
  6. Register an app on Azure Active Directory (Azure AD).
    To register an app on Azure AD, ensure that you have access to the following prerequisites:
    • A Prisma Cloud tenant with permissions to onboard a cloud account.
    • Access to Azure portal with the permissions to:
      • Create an app registration (service principal).
      • Create a custom role.
      • Assign IAM roles at the tenant root level.
      • Assign GraphAPI permissions at the tenant level.
      • Grant admin consent for Azure AD Graph APIs.
  7. Register a new app.
    1. Log in to Azure portal.
    2. Select
      Azure Active Directory
      App registrations
      + New registration
      .
    3. Enter the application name.
    4. Select the supported account types.
      You have the options of choosing from single tenant, multitenant, multitenant and personal Microsoft accounts, or personal Microsoft accounts only.
    5. Optional
      —Enter the Redirect URI.
      The authentication response of the app will be returned to this URI.
    6. Click
      Register
      .
    7. Copy
      Application (client) ID
      and
      Directory (tenant) ID
      to a secure location on your computer. You will later enter these details into the Prisma Cloud UI.
  8. Create the client secret.
    The client secret is a secret string that the application uses to prove its identity when requesting a token.
    1. Select
      Certificates & secrets
      + New client secret
      .
    2. Enter a client
      Description
      , select
      Expires
      to configure how long the client secret lasts, and
      Add
      .
    3. Copy
      Value
      to a secure location.
    Make sure that you copy
    Value
    and not
    Secret ID
    .
  9. Get the Object ID.
    1. Select
      Azure active directory
      Enterprise applications
      , and search for the app you previously created in the search box.
    2. Copy
      Object ID
      to a secure location on your computer.
      Make sure that you get the
      Object ID
      for the Prisma Cloud application from
      Enterprise Applications
      All applications
      on the Azure portal—not from
      App Registrations
      .
  10. Add roles to the root group.
    The following roles should be added to the root group:
    • Reader
    • Reader and Data Access
    • Network Contributor
    • Storage Account Contributor
    • Optional
    1. To add these roles, click
      Home
      under header to get back to azure portal.
    2. Add role assignment.
      • Select
        Management groups
        Tenant Root Group
        (your azure subscription)
        Access control (IAM)
        Role assignments
        + Add
        Add role assignment
        .
      • Search by role
        —Enter the name of the role you want to search for in the search box—for example—
        reader
        . Click on the role name in the results, and then
        Next
        .
      • Select members
        —Modify
        Assign access to
        to assign the role to a
        User, group, or service principal
        —or—
        Managed identity
        . Click
        +Select members
        and then type in the name of the app you previously created in the search box to assign the role to your app. Click
        Select
        and then
        Next
        .
      • Click
        Review + assign
        .
      • Repeat these steps to add the
        Reader and Data Access
        ,
        Network Contributor
        , and
        Storage Account Contributor
        roles.
  11. Verify that all the roles have been added.
    1. Select
      Role assignments
      .
    2. Enter the name of your app in the search form and view the roles that have been added.
  12. Add the Microsoft Graph APIs.
    1. Navigate to the app you previously registered.
      Select
      Azure Active Directory
      App registrations
      , and select your app.
    2. Navigate to Microsoft Graph.
      Select
      API permissions
      + Add a permission
      Microsoft Graph
      Application permissions
      .
    3. Add the permissions.
      Enter the permission name in
      Select permissions
      , and select the name from
      Permission
      .
      Add the following permissions:
      • User.Read.All
      • Policy.Read.All
      • Group.Read.All
      • GroupMember.Read.All
      • Reports.Read.All
      • Directory.Read.All
      • Domain.Read.All
      • Application.Read.All
  13. Grant admin consent for Default Directory.
    1. Select
      Grant admin consent for Default Directory
      Yes
      .
    2. Verify that the permissions are granted.
      You should see green check marks under the
      Status
      column.
  14. Choose monitored subscriptions.
    Choose if you want to monitor all subscriptions, select a few, or exclude some.
    These options will only appear if you enable
    Onboard Azure Management Groups and Subscriptions
    . You have the option to modify these settings after you onboarded your Azure account.
    • All Subscriptions
      —Use this option to automatically onboard all new subscriptions or management groups under
      root: x
    • Include a subset
      —Use this option to select only a few subscription and management groups to be monitored. You can select them from the hierarchy:
    • Exclude a subset
      —Use this option to exclude only a few subscription and management groups to be monitored. You can select them from the hierarchy:
  15. Select the
    Default Account Group
    you want to add and click
    Next
    .
    You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
  16. Verify the
    Status
    and
    Done
    to save your changes.
    If Prisma Cloud is able to validate the credentials by making an authentication call using the credentials provided in the previous step, it displays green check marks.

Recommended For You