Azure Cloud Account Onboarding Checklist

Use this checklist to set up the permissions and configuration to successfully onboard the Azure subscription to Prisma™ Cloud.
Prisma™ Cloud supports both Azure commercial and Azure Government. For Azure commercial, the onboarding flow enables you to provide your subscription details as inputs and generates a Terraform template, which you can download and run from the Azure Cloud Shell. The workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enabling the permissions for read-only or read-write access to your Azure subscription. You will however, need to review and manually enable the permissions for Prisma Cloud to retrieve network traffic data from network security group (NSG) flow logs.
To successfully onboard and monitor the resources within your Azure Government subscription, use the following checklist to authorize the correct set of access rights to Prisma Cloud.
  • Collect your Azure Subscription ID from the Azure portal.
    Get your Azure Subscription ID. Make sure that you have Account Owner or Contributor privileges so that you can add Prisma Cloud as an application on your Azure Active Directory. To onboard your Azure subscription on Prisma Cloud, set up an Active Directory application object (Application Client ID) and an Enterprise Application Object ID that together enable API access. The process of setting up Prisma Cloud on Azure Active Directory will provide you with the keys and IDs that are required to establish an identity for sign-in and access to resources in your Azure subscription. The Enterprise Application Object ID defines the permissions and scope that is assumed by Prisma Cloud.
    Elevate access for a Global Administrator using Azure portal to enable Prisma Cloud access to Azure subscriptions or management groups. This is needed for ingesting resources associated with subscriptions and management groups only during the initial onboarding of your Azure accounts. You can disable this option after onboarding is complete.
    Review the graph API permissions which are used for tenant account onboarding to support the ingestion of Azure Active Directory APIs.
    API permissions
    Description
    Application.Read.All
    Read all applications.
    Directory.Read.All
    Read directory data.
    Domain.Read.All
    Read domains.
    Group.Read.All
    Read all groups.
    GroupMember.Read.All
    Read all group memberships.
    Policy.Read.All
    Read your organization’s policies.
    Reports.Read.All
    Read all usage reports.
    User.Read.All
    Read all users’ full profiles.
    Review the roles and associated permissions required for the following roles which are only applicable for Azure Subscriptions and Azure Management Groups:
  • Role
    Description
    Reader
    The Reader role at the subscription level is required for Prisma Cloud to monitor the configuration of existing Azure resources within your Azure subscription. Prisma Cloud requires this role to ingest configuration and activity logs.
    Reader and Data Access
    The Reader and Data Access role at the subscription level is required for Prisma Cloud to fetch flow logs and storage account attributes so that you can use Prisma Cloud policies that assess risks in your storage account. This role includes the permissions to access the storage account keys and authenticate to the storage account to access the data.
    • For Prisma Cloud to access flow logs stored in storage accounts that belong to subscriptions that are not monitored by Prisma Cloud, you must provide
      Reader and Data Access
      role on the storage accounts.
    • The Reader and Data Access role is not a superset of the Reader role. Although this role has read-write access, Prisma Cloud only uses these permissions to access and read the flow log from the storage account.
    Network Contributor
    to query flow log status
    The built-in Network Contributor role can manage network data necessary to access and read flow logs settings for all network security groups (NSGs) along with the details on the storage account to which the flow logs are written. It also enables auto-remediation of network-related incidents.
    Storage Account Contributor
    (
    Optional but required if you want to enable auto -remediation
    ) The Storage Account Contributor role is required on all storage accounts to allow auto-remediation of policy violations.
    Custom role with permissions
    (
    Optional but required if you want to enable ingestion of the listed services
    ) Create a custom role with the following permissions:
    • Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
      —To ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to or deleted from a registry.
    • Microsoft.Web/sites/config/list/action
      —To ingest Authentication/Authorization data from Azure App Service that hosts websites and web applications. The Reader Role listed earlier is adequate to ingest configuration data from the Azure App Service.
    • Microsoft.Compute/virtualMachines/runCommand/action
      —To support manual onboarding of Prisma Cloud instances on Azure Government and Azure China regions. This additional permission is added in Azure Management Group and Subscription read-write Terraform scripts.
    Prisma Cloud provides a JSON file that makes it easier for you to create a custom role with the read-only permissions required to monitor your Azure resources.
  • Enable Prisma Cloud to ingest Azure Key Vault resources.
    The following Azure resources need to have the
    Get
    and
    List
    permissions enabled in the Key Management Operations on Azure Portal for Prisma Cloud to ingest them:
    • azure-key-vault-list
    • azure-key-vault-certificate
    Select
    All services
    Key vaults
    (key vault name)
    Access policies
    + Add Access Policy
    . For
    Key permissions
    ,
    Secret permissions
    , and
    Certificate permissions
    , add the
    Get
    and
    List
    Key Management Operations.
  • Enable Prisma Cloud to obtain network traffic data from network security group (NSG) flow logs: NSG flow logs are a feature of Network Watcher, which allows you to view information about ingress and egress IP traffic through an NSG.
    • Create one or more network security groups if you have none.
    • Create Azure Network Watcher instances for the virtual networks in every region where you collect NSG flow logs.
      Network Watcher enables you to monitor, diagnose, and view metrics to enable and disable logs for resources in an Azure virtual network.
    • Create storage accounts to collect NSG flow logs. If you are storing flow logs in a storage account that belongs to a different subscription than the one that is generating the flow logs and is being onboarded, Prisma Cloud can ingest flow logs only when:
      • The subscriptions belong to the same Azure AD or Root Management Group (for example, Azure Org).
      • The Service Principle that you use to onboard the subscription on Prisma Cloud has access to read the contents of the storage account.
    • Add only the IP addresses for your Prisma Cloud instance from NAT Gateway IP Addresses for Prisma Cloud. For example, if your instance is on
      app.prismacloud.io
      use the IP addresses associated with that.
      On the Azure Portal, you must include the source and the DR Prisma Cloud IP addresses for your Prisma Cloud instance. Select
      Azure services
      Storage accounts
      (your storage account)
      Networking
      Selected networks
      .
      Replace
      your storage account
      with the name of your actual storage account in Azure portal.
    • Enable Network Watcher and register Microsoft.InsightsResource Provider.
      Microsoft.Insights is the resource provider namespace for Azure Monitor, which provides features such as metrics, diagnostic logs, and activity logs.
    • Enable NSG flow logs version 1 or 2, based on the regions where NSG flow logs version 2 is supported on Azure.
    • Verify that you can view the flow logs.

Recommended For You