Authorize Prisma Cloud to access Azure APIs

Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs and to detect potentially malicious network activity or compliance issues. During the built-in onboarding process you can use one of the following three methods to create the Azure resources that authorize Prisma Cloud to access Azure APIs:
  • Automated Terraform Script for Tenant Workflow (Recommended): This workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enables read-only or read-write access to your Azure subscription. Azure China workflows do not support the use of Terraform templates.
  • Custom Roles to Authorize Prisma Cloud Access: Using a manually created custom role, you also have the option to enforce least-privilege access. To achieve this you need to manually set up the Prisma Cloud application on Active Directory and create a custom role that authorizes access to the Azure APIs.
  • Manually Authorize Prisma Cloud: If your organization restricts the use of Terraform scripts, you can manually create the required Azure resources for Prisma Cloud to call the Azure APIs.

Automated Terraform Script for Tenant Workflow

Follow the steps below to use the Automated Terraform script method to create the Azure Tenant resources for Prisma Cloud onboarding.
  1. Before you begin, ensure your system has Terraform installed and that it is authenticated to Azure via the CLI.
  2. Download the Terraform script using the Prisma Cloud Azure Onboarding user interface or the Azure Template Generation API.
    We recommend that you create a directory to store the Terraform template you download. This allows you to better manage the templates when you add new Azure resources to Prisma Cloud or update existing roles. Give this directory a unique name, for example, onboard-tenant-<tenant-name>.
  3. Run terraform init and then terraform apply, and click Confirm.
  4. This generates outputs with the values shown below. Enter these values in the associated UI fields as indicated:
    UI Field in Onboarding Workflow       Terraform Output Key
    Application (Client) ID               b_application_id
    Application Client Secret             c_application_key
    Enterprise Application Object ID      e_service_principal_object_id
  5. Use the Azure portal to Grant admin consent for API permissions. This authorizes Prisma Cloud to access Azure resources. It is required to ingest Azure resources associated with subscriptions and management groups, and only during the initial onboarding of your Azure accounts.
    1. On your Azure portal, click the e_consent_link to be redirected to the API permissions section.
    2. Click Grant admin consent and select Yes. A success message appears indicating Grant Consent successful.
    3. Verify that the status column has green check marks.

Automated Terraform Script for Subscription Workflow

Follow the steps below to use the Automated Terraform script method to create the Azure Subscription resources for Prisma Cloud onboarding.
  1. Before you begin, ensure your system has Terraform installed and that it is authenticated to Azure via the CLI.
  2. Download the Terraform script using the Prisma Cloud Azure Onboarding user interface or the Azure Template Generation API.
    We recommend that you create a directory to store the Terraform template you download. This allows you to better manage the templates when you add new Azure resources to Prisma Cloud or update existing roles. Give this directory a unique name that indicates its purpose, for example, onboard-subscription-<subscription-name>.
  3. Run terraform init and then terraform apply, and click Confirm.
  4. This generates outputs with the values shown below. Enter these values in the associated UI fields as indicated:
    UI Field in Onboarding Workflow       Terraform Output Key
    Application (Client) ID               c_application_id
    Application Client Secret             d_application_key
    Enterprise Application Object ID      e__enterprise_application_object_id

Terraform for Active Directory Workflow

Follow the steps listed under the Tenant flow above. For step 2, remember to give the directory you use to store your Terraform template an intuitive name such as onboard-active-directory-<tenant-name>.

Custom Roles to Authorize Prisma Cloud Access

In addition to the automated Terraform authorization method, you also have the option to create a custom role so that you can enforce the principle of least privilege and limit access to the bare minimum. To create a custom role on Azure, you must have an Azure Active Directory Premium 1 or Premium 2 license plan.
  1. Create a custom role using Azure CLI. You can create custom roles using Azure PowerShell, Azure CLI, or the REST API. The following instructions use the Azure CLI command (run on PowerShell or on the DOS command prompt) to create the custom role.
  2. Install the Azure CLI and log in to Azure.
  3. Download the JSON files that contain the permissions:
    Microsoft recommends using a wildcard to configure NSG flow log permissions (Microsoft.Network/networkWatchers/queryFlowLogStatus/*), as listed in the JSON files. Refer to the Microsoft documentation for more details.
  4. Open a text editor (such as Notepad), save the custom role JSON files from the above links in JSON format, and give each file a descriptive name.
  5. Depending on whether you are creating a custom role for the Tenant or Subscription workflow, complete the following steps:
    1. Tenant Workflow: Edit the saved custom role JSON file in a text editor, update the value for AssignableScopes with the value below, and save your changes:
      "AssignableScopes": [ "/providers/Microsoft.Management/managementGroups/<tenant-id>" ]
    2. Subscription Workflow: Edit the saved custom role JSON file in a text editor, update the value for AssignableScopes with the value below, and save your changes:
      "AssignableScopes": [ "/subscriptions/<subscription-id>" ]
  6. Log in to the Azure portal from the same local system where the JSON file was saved and complete the following steps:
    1. Open a PowerShell window or a DOS Command Prompt Window.
    2. Go to the directory where you stored the JSON file.
    3. Enter the following Azure CLI command (replacing the JSON filename to match the name of your custom role JSON file):
      1. Commercial
        az role definition create --role-definition "azure_prisma_cloud_lp_read_only.json"
      2. Government
        az role definition create --role-definition "azure_prisma_cloud_read_only_role_gov.json"
      3. China
        az role definition create --role-definition "azure_prisma_cloud_read_only_role_china.json"
      The command generates the sample output below indicating successful creation of a custom role:
      {
        "assignableScopes": [ "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ],
        "description": "Allows Reading Flow Logs Settings",
        "id": "/subscriptions/16dfdbcc-e407-4fbe-9096-e7a97ee23fb5/providers/Microsoft.Authorization/roleDefinitions/088c8f48-201c-4f8d-893f-7716a8d58fa1",
        "name": "088c8f48-201c-4f8d-893f-7716a8d58fa1",
        "permissions": [
          {
            "actions": [ "<a list of all actions>" ],
            "dataActions": [],
            "notActions": [],
            "notDataActions": []
          }
        ],
        "roleName": "Flow Log Settings Reader",
        "roleType": "CustomRole",
        "type": "Microsoft.Authorization/roleDefinitions"
      }
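The scope edit in step 5 and a least-privilege check on the downloaded role definition, as an added example that is not part of this page or of Prisma Cloud's own tooling. The role JSON below is a constructed, trimmed stand-in for the real downloaded file (same key names as the az role definition create input format); the scope ids are placeholders.

```python
import json
import re

# Constructed sample: a trimmed stand-in for the downloaded custom role JSON.
# The real file carries the full action list; only the shape matters here.
SAMPLE_ROLE_JSON = json.dumps({
    "Name": "Prisma Cloud Read Only (constructed sample)",
    "IsCustom": True,
    "Description": "Allows Reading Flow Logs Settings",
    "Actions": [
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/*",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})

# The wildcard Microsoft recommends for NSG flow log status (from the page).
FLOW_LOG_WILDCARD = "Microsoft.Network/networkWatchers/queryFlowLogStatus/*"
# Operation suffixes that grant more than read; anything matching deserves review.
MUTATING = re.compile(r"/(write|delete|action)$|(^|/)\*$")


def set_assignable_scope(role_text: str, workflow: str, scope_id: str) -> dict:
    """Return the role with AssignableScopes set for the chosen workflow (step 5)."""
    role = json.loads(role_text)
    if workflow == "tenant":
        role["AssignableScopes"] = [f"/providers/Microsoft.Management/managementGroups/{scope_id}"]
    elif workflow == "subscription":
        role["AssignableScopes"] = [f"/subscriptions/{scope_id}"]
    else:
        raise ValueError(f"unknown workflow: {workflow}")
    return role


def review_role(role: dict) -> dict:
    """Least-privilege review: confirm the flow-log wildcard is present and
    list every action that is not a plain read (the wildcard itself is expected)."""
    actions = role.get("Actions", [])
    return {
        "has_flow_log_wildcard": FLOW_LOG_WILDCARD in actions,
        "mutating_actions": [a for a in actions if MUTATING.search(a) and a != FLOW_LOG_WILDCARD],
        "scopes": role.get("AssignableScopes", []),
    }


if __name__ == "__main__":
    role = set_assignable_scope(SAMPLE_ROLE_JSON, "tenant", "<tenant-id>")  # placeholder id
    print(json.dumps(review_role(role), indent=2))
```

Write the returned dict back to the JSON file before running az role definition create; the review output tells you which actions to justify before assigning the role at tenant root.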

Assign the Custom Role

Complete the following steps to assign the custom role to an app registration, add role assignments, and configure it to access the flow logs:
  1. Log in to the Microsoft Azure Portal.
  2. Follow the navigation path for your selected workflow:
    1. Tenant scope: Navigate to All Services > Management Groups and click Tenant Root Group.
    2. Subscription scope: Navigate to All services > Subscriptions.
  3. Select Access control (IAM) > Add role assignment.
  4. Verify that you can see the newly created custom role in the Roles drop-down.
  5. Assign the custom role to the Prisma Cloud app registration. Enable the permission to query flow log status and save your changes.

Manually Authorize Prisma Cloud

If your organization restricts the use of Terraform templates, you also have the option to manually onboard your Azure Active Directory (AD), Government or Azure China account resources to Prisma Cloud by creating an app registration (service principal) on Azure. Here is a preview of the required steps based on your chosen onboarding flow:
Azure Tenant
  • Create a custom role at the tenant level.
  • Assign IAM roles at the tenant root level.
  • Assign Graph API permissions at the tenant level.
  • Grant admin consent for Azure AD Graph APIs.
Azure Subscription
  • Create a custom role at the subscription level.
  • Assign IAM roles at the subscription level.
Azure Active Directory
  • Assign Graph API permissions at the tenant level.
  • Grant admin consent for Azure AD Graph APIs.

Prerequisites

  • A Prisma Cloud tenant with permissions to onboard a cloud account.
  • Access to the Azure portal with permissions to register an application and to create and assign roles.

Steps

  1. Elevate access for a Global Administrator on the Azure portal. This allows Prisma Cloud to access Azure subscriptions or management groups. This is required for ingesting resources associated with subscriptions and management groups only during the initial onboarding of your Azure accounts. You have the option to disable this after onboarding is complete.
  2. Follow the steps below to Register a new application.
    1. Log in to the Azure portal.
    2. Select Azure Active Directory > App registrations > + New registration.
    3. Enter the application name.
    4. Select the supported account types. Choose from single tenant, multitenant, multitenant and personal Microsoft accounts, or personal Microsoft accounts only.
    5. Optional: Enter the Redirect URI. The authentication response of the app will be returned to this URI.
    6. Click Register.
    7. Copy Application (client) ID and Directory (tenant) ID to a secure location on your computer. You will later enter these details into the Prisma Cloud UI.
  3. Create the client secret.
    The client secret is a secret string that the application uses to prove its identity when requesting a token.
    1. Select Certificates & secrets > + New client secret.
    2. Enter a client Description, select Expires to configure how long the client secret lasts, and click Add.
    3. Copy Value to a secure location. Make sure that you copy Value and not Secret ID.
  4. Get the Object ID.
    1. Select Azure Active Directory > Enterprise applications, and search for the app you previously created in the search box.
    2. Copy Object ID to a secure location on your computer. Make sure that you get the Object ID for the Prisma Cloud application from Enterprise Applications > All applications on the Azure portal, not from App Registrations.
  5. Add roles to the root group.
    The following roles should be added to the root group:
    • Reader
    • Reader and Data Access
    • Network Contributor
    • Storage Account Contributor
    • Key Vault Crypto Service Encryption User for Agent-based Workload Protection
    • Create Custom Roles for Agentless Scanning, and Serverless Scanning (These functions are not supported for Azure China.)
  6. Verify that all the roles have been added.
    1. Select Role assignments.
    2. Enter the name of your app in the search form and confirm that the roles have been added.
  7. Assign the created roles. Skip this step if you're following the Azure Active Directory onboarding flow.
    1. Complete the steps below to add role assignments.
      1. For Tenant workflow: Select Management groups > Tenant Root Group > Access control (IAM) > Role assignments > + Add > Add role assignment.
      2. For Subscription workflow: Select All Services > Subscriptions > Access Control (IAM) > Role assignments > + Add > Add role assignment.
      3. Enter the name of the role, for example, Reader, in the search box. Click on the role name in the results, and select Next.
      4. To assign members to the role, navigate to Select members > Assign access. Under Assign Access to, select Assign the role to a User, group, or service principal.
      5. Click + Select members and then enter the name of the app you previously created in the search box to assign the role to your app.
      6. Click Select and then Next.
      7. Select Review + Assign to complete adding the role assignment.
      8. Confirm that all the newly created roles were added.
  8. Add the Microsoft Graph APIs.
    1. Navigate to the app you previously registered. Select Azure Active Directory > App registrations, and select your app.
    2. Navigate to Microsoft Graph. Select API permissions > + Add a permission > Microsoft Graph > Application permissions.
    3. Add the permissions. Enter the permission name in Select permissions, and select the name from Permission. Add the following permissions:
      • User.Read.All
      • Policy.Read.All
      • Group.Read.All
      • GroupMember.Read.All
      • Reports.Read.All
      • Directory.Read.All
      • Domain.Read.All
      • Application.Read.All
      If you have enabled additional functions like Agentless Scanning or Workload Protection, additional permissions will be required. Review the Roles and Permissions list for the required permissions.
  9. Grant admin consent for Default Directory.
    1. Select Grant admin consent for Default Directory and then Yes.
    2. Verify that the permissions are granted.
    3. Confirm that you can see green check marks under the Status column.
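A scripted version of the verification in steps 5 through 7 (are the required roles really assigned to the Prisma Cloud service principal at the Tenant Root Group, rather than at a narrower scope?), as an added example that is not part of this page or of Prisma Cloud's tooling. The input is a constructed sample shaped like the JSON output of az role assignment list; the field names (principalId, roleDefinitionName, scope) are assumed to match the CLI, and the ids are placeholders.

```python
import json

# Built-in roles the manual flow adds to the root group (step 5). The page's
# "Key Vault Crypto Service Encryption User for Agent-based Workload Protection"
# is the role name plus its purpose; only the role name is matched here. The custom
# roles for Agentless and Serverless Scanning are not named on the page, so they are omitted.
REQUIRED_ROOT_ROLES = {
    "Reader",
    "Reader and Data Access",
    "Network Contributor",
    "Storage Account Contributor",
    "Key Vault Crypto Service Encryption User",
}

ROOT = "/providers/Microsoft.Management/managementGroups/tenant-id-placeholder"
SP = "sp-object-id-placeholder"  # Object ID from Enterprise Applications (step 4)

# Constructed sample shaped like `az role assignment list --assignee <object-id> --all -o json`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": ROOT},
    {"principalId": SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Network Contributor", "scope": ROOT},
    # Assigned at one subscription only: does not satisfy the root-group requirement.
    {"principalId": SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Account Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    # Belongs to a different principal and must be ignored.
    {"principalId": "someone-else", "principalType": "User",
     "roleDefinitionName": "Reader and Data Access", "scope": ROOT},
])


def check_root_roles(assignments_text: str, sp_object_id: str, tenant_id: str) -> dict:
    """Report required roles held at the tenant root group, roles missing there,
    and roles that exist for this principal only at a narrower scope."""
    root_scope = f"/providers/Microsoft.Management/managementGroups/{tenant_id}"
    at_root, elsewhere = set(), set()
    for a in json.loads(assignments_text):
        role = a.get("roleDefinitionName")
        if a.get("principalId") != sp_object_id or role not in REQUIRED_ROOT_ROLES:
            continue  # other principals and unrelated roles are not our concern here
        (at_root if a.get("scope") == root_scope else elsewhere).add(role)
    return {
        "present": sorted(at_root),
        "missing": sorted(REQUIRED_ROOT_ROLES - at_root),
        "narrower_scope_only": sorted(elsewhere - at_root),
    }


if __name__ == "__main__":
    print(json.dumps(check_root_roles(SAMPLE_ASSIGNMENTS, SP, "tenant-id-placeholder"), indent=2))
```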
