Azure Cloud Account Onboarding Checklist

Use this checklist to set up the permissions and configuration to successfully onboard the Azure subscription to Prisma™ Cloud.
Prisma™ Cloud supports both Azure commercial and Azure Government. For Azure commercial, the onboarding flow enables you to provide your subscription details as inputs and generates a Terraform template, which you can download and run from the Azure Cloud Shell. The workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enabling the permissions for read-only or read-write access to your Azure subscription. You will, however, need to review and manually enable the permissions for Prisma Cloud to retrieve network traffic data from network security group (NSG) flow logs.
To successfully onboard and monitor the resources within your Azure Government subscription, use the following checklist to authorize the correct set of access rights to Prisma Cloud.
  • Collect your Azure Subscription ID from the Azure portal.
    Get your Azure Subscription ID. Make sure that you have Account Owner or Contributor privileges so that you can add Prisma Cloud as an application on your Azure Active Directory. To onboard your Azure subscription on Prisma Cloud, set up an Active Directory application object (Application Client ID) and an Enterprise Application Object ID that together enable API access. The process of setting up Prisma Cloud on Azure Active Directory provides you with the keys and IDs that are required to establish an identity for sign-in and access to resources in your Azure subscription. The Enterprise Application Object ID defines the permissions and scope that are assumed by Prisma Cloud.
    Review the Graph API permissions that are used for tenant onboarding to support ingestion from the Azure Active Directory APIs.
    API permissions
    Read all applications.
    Read directory data.
    Read domains.
    Read all groups.
    Read all group memberships.
    Read your organization’s policies.
    Read all usage reports.
    Read all users’ full profiles.
    Review the roles and the permissions associated with each; these roles apply only to Azure subscriptions and Azure management groups:
    Reader
    The Reader role at the subscription level is required for Prisma Cloud to monitor the configuration of existing Azure resources within your Azure subscription. Prisma Cloud requires this role to ingest configuration and activity logs.
    Reader and Data Access
    The Reader and Data Access role at the subscription level is required for Prisma Cloud to fetch flow logs and storage account attributes so that you can use Prisma Cloud policies that assess risks in your storage account. This role includes the permissions to access the storage account keys and authenticate to the storage account to access the data.
    • For Prisma Cloud to access flow logs stored in storage accounts that belong to subscriptions that are not monitored by Prisma Cloud, you must grant the Reader and Data Access role on those storage accounts.
    • The Reader and Data Access role is not a superset of the Reader role. Although this role has read-write access, Prisma Cloud only uses these permissions to access and read the flow log from the storage account.
    Network Contributor or a custom role to query flow log status
    The built-in Network Contributor role can manage network data necessary to access and read flow logs settings for all network security groups (NSGs) along with the details on the storage account to which the flow logs are written. It also enables auto-remediation of network-related incidents.
    You can use the built-in role or create a custom role that allows Prisma Cloud to fetch flow log status. As a best practice, create a custom role on Azure that enables Prisma Cloud to access flow logs, and follow the principle of least privilege by granting only the required permissions. The built-in Network Contributor role grants a much broader set of permissions than Prisma Cloud requires.
    To create a custom role, you must have the
    permission on all AssignableScopes, such as Owner or User Access Administrator.
    You can then use the Azure CLI to create a custom role with the
    permission to query the status of flow logs.
    Storage Account Contributor (optional, but required if you want to enable auto-remediation)
    The Storage Account Contributor role is required on all storage accounts to allow auto-remediation of policy violations.
    Custom role with permissions (optional, but required if you want to enable ingestion of the listed services)
    Create a custom role with the following permissions:
    • Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action: to ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to or deleted from a registry.
    • Microsoft.Web/sites/config/list/action: to ingest authentication/authorization data from Azure App Service, which hosts websites and web applications. The Reader role listed earlier is adequate to ingest configuration data from Azure App Service.
    • Microsoft.Compute/virtualMachines/runCommand/action: to support manual onboarding of Prisma Cloud instances on Azure Government and Azure China regions. This additional permission is included in the Azure Management Group and Subscription read-write Terraform scripts.
    Prisma Cloud provides a JSON file that makes it easier for you to create a custom role with the read-only permissions required to monitor your Azure resources.
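    As an added example (not Prisma Cloud's own JSON file or code), the Python helper below builds a custom role definition containing exactly the three actions listed above, scoped to a single subscription, serialises it for `az role definition create --role-definition @role.json`, and audits any role definition against that required set so that wildcard or surplus permissions can be spotted before the role is assigned. The role name, description and subscription ID are assumed placeholders.

```python
import fnmatch
import json

# The three permissions the checklist lists for the optional custom role.
REQUIRED_ACTIONS = [
    "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Compute/virtualMachines/runCommand/action",
]


def build_custom_role(subscription_id, name="Prisma Cloud Ingestion (custom)"):
    """Return an Azure custom role definition limited to the listed actions and
    assignable only within the given subscription. Name and description are
    assumed placeholders, not values supplied by Prisma Cloud."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read-only ingestion permissions for Prisma Cloud",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def audit_role(role_def, required=REQUIRED_ACTIONS):
    """Return (missing, excess, wildcards): required actions the role does not
    grant, granted actions outside the required set, and wildcard entries that
    grant whole families of operations. Azure matches action strings
    case-insensitively, so the comparison is lowercased."""
    actions = role_def.get("Actions", [])
    lowered = [a.lower() for a in actions]
    wanted = {r.lower() for r in required}
    wildcards = [a for a in actions if "*" in a]
    missing = [r for r in required
               if not any(fnmatch.fnmatchcase(r.lower(), a) for a in lowered)]
    excess = [a for a in actions if a.lower() not in wanted]
    return missing, excess, wildcards


def role_json(role_def):
    """Serialise the definition for `az role definition create --role-definition @role.json`."""
    return json.dumps(role_def, indent=2)


if __name__ == "__main__":
    # Constructed subscription ID; replace it with the one collected from the portal.
    print(role_json(build_custom_role("00000000-0000-0000-0000-000000000000")))
    # Contrast with an over-broad definition: wildcards grant far more than needed.
    print(audit_role({"Actions": ["Microsoft.Compute/*", "*/read"]}))
```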
  • Enable Prisma Cloud to obtain network traffic data from network security group (NSG) flow logs: NSG flow logs are a feature of Network Watcher, which allows you to view information about ingress and egress IP traffic through an NSG.
    • Create one or more network security groups if you have none.
    • Create Azure Network Watcher instances for the virtual networks in every region where you collect NSG flow logs.
      Network Watcher enables you to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.
    • Create storage accounts to collect NSG flow logs. If you are storing flow logs in a storage account that belongs to a different subscription than the one that is generating the flow logs and is being onboarded, Prisma Cloud can ingest flow logs only when:
      • The subscriptions belong to the same Azure AD tenant or Root Management Group (that is, the same Azure organization).
      • The service principal that you use to onboard the subscription on Prisma Cloud has access to read the contents of the storage account.
    • Enable Network Watcher and register the Microsoft.Insights resource provider.
      Microsoft.Insights is the resource provider namespace for Azure Monitor, which provides features such as metrics, diagnostic logs, and activity logs.
    • Enable NSG flow logs version 1 or 2, based on the regions where NSG flow logs version 2 is supported on Azure.
    • Verify that you can view the flow logs.