Connect an Azure Subscription

Learn how to connect an Azure Commercial, Azure Government, or Azure China subscription to Prisma Cloud. Onboarding an Azure subscription connects the resources within that subscription to Prisma Cloud.
Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs, and detect potential malicious network activity or compliance issues. During the built-in onboarding process you have the option of using one of the following three methods to create the required Azure resources to authorize Prisma Cloud to access Azure APIs:
  • Terraform (Recommended): This workflow automates setting up the Prisma Cloud application on Azure Active Directory and enables read-only or read-write access to your Azure subscription. Azure China workflows do not support the use of Terraform templates.
  • Using a Custom Role JSON: With a manually created Custom Role you can also enforce least privilege and restrict access. To do this, you manually set up the Prisma Cloud application on Azure Active Directory and create a Custom Role that authorizes access to the Azure APIs.
  • Manually Authorizing Prisma Cloud: If your organization restricts the use of Terraform scripts, you can manually create the Azure resources that Prisma Cloud needs in order to call the Azure APIs.
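As an added example (not the script that Prisma Cloud distributes), the Terraform configuration below shows what the recommended workflow automates: registering the Prisma Cloud application in Azure Active Directory, creating its service principal and client secret, granting a subscription-scoped role, and emitting the Application (Client) ID, Application Client Secret and Enterprise Application Object ID that the Configure Account step asks for. The display names, provider versions, secret lifetime and the choice of the built-in Reader role as a read-only stand-in are assumptions; the role assignments in Prisma Cloud's own template may differ, and a Custom Role can narrow access further.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
  }
}

provider "azuread" {}
provider "azurerm" {
  features {}
}

# Subscription the current credentials point at; its ID is the role scope.
data "azurerm_subscription" "current" {}

# App registration in Azure AD (display name is an assumed value).
resource "azuread_application" "prisma" {
  display_name = "prisma-cloud-onboarding"
}

# Enterprise application (service principal) backing the registration.
resource "azuread_service_principal" "prisma" {
  client_id = azuread_application.prisma.client_id
}

# Client secret Prisma Cloud authenticates with. The 180-day lifetime is an
# assumed rotation window; re-apply (taint) this resource to rotate it.
resource "azuread_application_password" "prisma" {
  application_id    = azuread_application.prisma.id
  display_name      = "prisma-cloud-secret"
  end_date_relative = "4320h"
}

# Read-only access at subscription scope. Reader stands in for the role(s)
# the Prisma Cloud template grants; swap in a Custom Role for least privilege.
resource "azurerm_role_assignment" "prisma_reader" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.prisma.object_id
}

# Values entered on the Configure Account page.
output "directory_tenant_id" { value = data.azurerm_subscription.current.tenant_id }
output "application_client_id" { value = azuread_application.prisma.client_id }
output "enterprise_application_object_id" { value = azuread_service_principal.prisma.object_id }
output "application_client_secret" {
  value     = azuread_application_password.prisma.value
  sensitive = true
}
```

After `terraform apply`, read the secret with `terraform output -raw application_client_secret` rather than from the state file, and keep the state itself under access control because it stores the secret in plain text.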

Connect Azure Commercial Subscription

Ensure that you’ve reviewed the onboarding prerequisites prior to starting the onboarding process. The graphic below provides a visual overview of the steps you will take to onboard your account.
  1. Get Started
    1. Access Prisma Cloud and select Cloud Accounts > Add Cloud Account.
    2. Choose Azure as the Cloud to Secure.
    3. Select
    4. Select Commercial as the Deployment Type.
    5. Enable the following security capabilities to optimize your Prisma Cloud experience:
      • Agentless Workload Scanning scans hosts and containers for vulnerabilities and compliance risks without having to install a Defender. You can also update the scanning configuration for Agentless scans.
      • Serverless Function Scanning scans cloud provider functions such as AWS Lambda, Azure Functions and Google Cloud Functions for vulnerabilities and compliance. You can also update the scanning configuration for Serverless scans.
      • Agent-Based Workload Protection allows automated deployment of Defenders to secure resources such as VMs, containers and Kubernetes orchestrators. Registry scanning, Kubernetes audits and other features required by Defenders are also enabled.
      • Threat Detection, which identifies network and user threats, is enabled by default.
      The following recommended capabilities are enabled by default:
      • Misconfigurations (Foundational) scans cloud resources and ingestion metadata for vulnerabilities.
      • Identity Security (Foundational) calculates net effective permissions for identities and manages access.
      • Threat Detection (Advanced) identifies network and user threats.
    6. Click Next to proceed with the onboarding flow.
  2. Configure Account
    1. On the Configure Account page, provide your Account Details: enter the Directory Tenant ID and choose an Account Name.
    2. Select the checkbox if you would like to optionally remediate misconfigured resources from IaC (Infrastructure as Code) templates. Additional permissions are required for this functionality.
    3. If you are using the recommended Terraform template to provide the required account details, click Download Terraform Script, run it, and enter the Application (Client) ID, Application Client Secret and Enterprise Application Object ID from the script output into the form.
    4. Enable Network Security Group (NSG) flow log ingestion if you would like to view information about ingress and egress IP traffic through an NSG.
    5. Keep the Default Account Group, or choose one of the Account Groups from the drop-down.
    6. Click Next.
  3. Review Status
    1. On the Review Status page, ensure that all the Security Capabilities you selected display a green Enabled button. If Checks Failed appears next to a selected capability, click the drop-down next to the failed check and add the missing permissions listed.
    2. Click Save and Close to complete onboarding, or Save and Onboard Another Account.

Connect Azure Government Subscription

To connect an Azure Government account, follow the steps outlined under Connect Azure Commercial Subscription above, with the following exceptions:
  • While completing the Get Started step, select Government as the Deployment Type.
  • During the Configure Account step, Remediation of IaC templates is not available for Azure Government accounts.

Connect Azure China Subscription

Account onboarding on Prisma Cloud is only available for cloud resources currently deployed on Azure China. Follow the steps outlined under Connect Azure Commercial Subscription above to onboard an Azure China account, with the following exceptions:
  • Azure China does not support the use of Terraform templates to onboard a cloud account. To get started with monitoring your Azure China subscription, review the manual onboarding steps and gather the required information from your Azure China account.
  • During the Configure Account step, Remediation of IaC templates is not available for Azure China accounts.
  • Advanced security capabilities such as Agentless Workload Scanning, Serverless Function Scanning and Agent-Based Workload Protection are not available on Azure China.