Connect your Azure Account
Effectively monitor your Azure cloud resources and ensure compliance by onboarding your Azure cloud account on Prisma™ Cloud.
Learn how to add your Azure cloud resources to Prisma™ Cloud for threat detection, monitoring and compliance. Choose from one of the options outlined below, based on where you are in your journey with Prisma Cloud:
What do you want to do? | Start Here |
After Onboarding | |
Update an Added Account | |
Onboarding Options
Use one of the following three options to onboard your Azure cloud account on Prisma Cloud:
- Azure Tenant(Connects all your Azure resources, accounts with Management Groups, Subscriptions and Active Directory to Prisma Cloud)
- Azure Subscription (Connects a single subscription)
- Azure Active Directory (Connects an Active Directory)
Using Azure’s APIs, Prisma Cloud ingests and processes data from your cloud environment and initiates resource monitoring. During the built-in onboarding process you have the option of using one of the following three methods to create the required Azure resources to authorize Prisma Cloud to access Azure APIs:
- Terraform (Recommended) This workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enables read-only or read-write access to your Azure subscription.
Azure China workflows do not support the use of Terraform templates. Use the Manual or Custom Role JSON method to onboard Azure China.
- Using Custom Role JSON Using a manually created Custom Role you also have the option to enforce least access privilege to restrict access. To achieve this you will need to manually set up the Prisma Cloud application on Active Directory and Create a Custom Role to authorize access to Azure APIs.
- Manually Authorizing Prisma Cloud If your organization restricts the use of Terraform scripts, you can choose to manually create the required resources for Prisma Cloud to call the Azure APIs.
Prerequisites
To successfully onboard and monitor the resources within your Azure subscription, ensure that you have completed the following prerequisites:
- Get your Azure Subscription ID from the Azure portal.
- Confirm that you have Account Owner or Contributor privileges to add your Prisma Cloud created application on your Azure Active Directory.
- To onboard your Azure subscription on Prisma Cloud, set up an Active Directory application object (Application Client ID) and an Enterprise Application Object ID that together enable API access.
- The process of setting up Prisma Cloud on Azure Active Directory provides you with the keys and IDs required to establish an identity for sign-in and access to resources in your Azure subscription.
- The Enterprise Application Object ID defines the permissions and scope assumed by Prisma Cloud.
- Elevate access for a Global Administrator using Azure portal to enable Prisma Cloud access to Azure subscriptions or management groups. This is needed for ingesting resources associated with subscriptions and management groups only during the initial onboarding of your Azure accounts. You can disable this option after onboarding is complete.
- Enable Prisma Cloud to ingest Azure Key Vault resources. This step is required only if you are using the Azure Tenant or Subscription workflow.The following Azure resources need to have theGetandListpermissions enabled in the Key Management Operations on Azure Portal for Prisma Cloud to ingest them:
- azure-key-vault-list
- azure-key-vault-certificateSelect . ForKey permissions,Secret permissions, andCertificate permissions, add theGetandListKey Management Operations.
- Enable Prisma Cloud to obtain network traffic data from Network Security Group (NSG) flow logs. NSG flow logs a feature of Network Watcher, allows you to view ingress and egress IP traffic information through a NSG. This step is required only if you are using the Azure Tenant or Subscription workflow, or if you would optionally like to ingest flow logs.
- Create one or more network security groups if you have none.
- Create Azure Network Watcher instances for the virtual networks in every region where you collect NSG flow logs. Network Watcher enables you to monitor, diagnose, and view metrics to enable and disable logs for resources in an Azure virtual network.
- Create storage accounts to collect NSG flow logs. Prisma Cloud can ingest flow logs only when:
- The subscriptions belong to the same Azure AD or Root Management Group (for example, Azure Org).
- The Service Principal that you use to onboard the subscription on Prisma Cloud has access to read the contents of the storage account.
- Add only the IP addresses for your Prisma Cloud instance from NAT Gateway IP Addresses for Prisma Cloud. For example, if your instance is onapp.prismacloud.iouse the IP addresses associated with that.On the Azure Portal, include the source and the DR Prisma Cloud IP addresses for your Prisma Cloud instance. Select .
Replaceyour storage accountwith the name of your storage account in Azure portal. - Enable Network Watcher and register Microsoft.InsightsResource Provider. Microsoft.Insights is the resource provider namespace for Azure Monitor, which provides features such as metrics, diagnostic logs, and activity logs.
- Enable NSG flow logs version 1 or 2, based on the regions where NSG flow logs version 2 is supported on Azure.
- Verify that you can view the flow logs.
Required Roles and Permissions
To successfully connect your account to Prisma Cloud you will need to provide the required permissions for both Foundational and Advanced security capabilities. Reference the information below to make sure that you have assigned the appropriate permissions to Prisma Cloud.
Next: Onboard your Azure Account
- Azure Tenant (Connects all your Azure resources to Prisma Cloud including Accounts with Management Groups, Subscriptions and Active Directory)
- Azure Subscription (Connects a single subscription)
- Azure Active Directory (Connects an Active Directory)
