Azure Cloud Account Onboarding Checklist

Use this checklist to set up the permissions and configuration to successfully onboard the Azure subscription to Prisma™ Cloud.
Prisma™ Cloud supports both Azure commercial and Azure Government. For Azure commercial, the onboarding flow enables you to provide your subscription details as inputs and generates a Terraform template, which you can download and run from the Azure Cloud Shell. The workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enabling the permissions for read-only or read-write access to your Azure subscription. You will however, need to review and manually enable the permissions for Prisma Cloud to retrieve network traffic data from network security group (NSG) flow logs.
To successfully onboard and monitor the resources within your Azure Government subscription, use the following checklist to authorize the correct set of access rights to Prisma Cloud.
  • Collect your Azure Subscription ID from the Azure portal.
    Get your Azure Subscription ID. Make sure that you have Account Owner or Contributor privileges so that you can add Prisma Cloud as an application on your Azure Active Directory. To onboard your Azure subscription on Prisma Cloud, set up an Active Directory application object (Application Client ID) and an Enterprise Application Object ID that together enable API access. The process of setting up Prisma Cloud on Azure Active Directory will provide you with the keys and IDs that are required to establish an identity for sign-in and access to resources in your Azure subscription. The Enterprise Application Object ID defines the permissions and scope that is assumed by Prisma Cloud.
  • Review the roles and associated permissions required:
    Role
    Description
    Reader
    The Reader role at the subscription level is required for Prisma Cloud to monitor the configuration of existing Azure resources within your Azure subscription. Prisma Cloud requires this role to ingest configuration and activity logs.
    Reader and Data Access
    The Reader and Data Access role at the subscription level is required for Prisma Cloud to fetch flow logs and storage account attributes so that you can use Prisma Cloud policies that assess risks in your storage account. This role includes the permissions to access the storage account keys and authenticate to the storage account to access the data.
    • For Prisma Cloud to access flow logs stored in storage accounts that belong to subscriptions that are not monitored by Prisma Cloud, you must provide
      Reader and Data Access
      role on the storage accounts.
    • The Reader and Data Access role is not a superset of the Reader role. Although this role has read-write access, Prisma Cloud only uses these permissions to access and read the flow log from the storage account.
    Network Contributor
    or a
    custom role
    to query flow log status
    The built-in Network Contributor role can manage network data necessary to access and read flow logs settings for all network security groups (NSGs) along with the details on the storage account to which the flow logs are written. It also enables auto-remediation of network-related incidents.
    You can use the built-in role or create a custom role to allow Prisma Cloud to fetch flow log status. As a best practice, Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs and use the least privilege principal to enable access only to the required permissions. The network contributor built-in role provides a much broader set of permissions than required by Prisma Cloud.
    To create a custom role, you must have the
    Microsoft.Authorization/roleDefinitions/write
    permission on all AssignableScopes, such as Owner or User Access Administrator.
    You can then use the Azure CLI to create a custom role with the
    Microsoft.Network/networkWatchers/queryFlowLogStatus/action
    permission to query the status of flow logs.
    Storage Account Contributor
    (
    Optional but required if you want to enable auto -remediation
    ) The Storage Account Contributor role is required on all storage accounts to allow auto-remediation of policy violations.
    Custom role with permissions
    (
    Optional but required if you want to enable ingestion of the listed services
    ) Create a custom role with the following permissions:
    • Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
      —To ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to or deleted from a registry.
    • Microsoft.Web/sites/config/list/action
      —To ingest Authentication/Authorization data from Azure App Service that hosts websites and web applications. The Reader Role listed earlier is adequate to ingest configuration data from the Azure App Service.
    Prisma Cloud provides a JSON file that makes it easier for you to create a custom role with the read-only permissions required to monitor your Azure resources.
  • Enable Prisma Cloud to obtain network traffic data from network security group (NSG) flow logs: NSG flow logs are a feature of Network Watcher, which allows you to view information about ingress and egress IP traffic through an NSG.
    • Create one or more network security groups if you have none.
    • Create Azure Network Watcher instances for the virtual networks in every region where you collect NSG flow logs.
      Network Watcher enables you to monitor, diagnose, and view metrics to enable and disable logs for resources in an Azure virtual network.
    • Create storage accounts. You must have a storage account in each region where you have NSGs because flow logs are written to the same region as the NSGs. As a best practice, configure a single storage account to collect flow logs from all NSGs in a region.
    • Enable Network Watcher and register Microsoft.InsightsResource Provider.
      Microsoft.Insights is the resource provider namespace for Azure Monitor, which provides features such as metrics, diagnostic logs, and activity logs.
    • Enable NSG flow logs version 1 or 2, based on the regions where NSG flow logs version 2 is supported on Azure.
    • Verify that you can view the flow logs.
  • Enable the Prisma Cloud application to access the Azure Key Vault service and Azure Data Lake Anlytics account. See Set Up Your Azure Subscription for Prisma Cloud.

Recommended For You