Connect an Azure Subscription
Learn how to Connect Azure Commercial Subscription, Connect Azure Government Subscription, or Connect Azure China Subscription on Prisma Cloud. Onboarding an
Azure Subscription
connects the resources within your Azure subscription to Prisma Cloud.Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs, and detect potential malicious network activity or compliance issues. During the built-in onboarding process you have the option of using one of the following three methods to create the required Azure resources to authorize Prisma Cloud to access Azure APIs:
- Terraform (Recommended) This workflow automates the process of setting up the Prisma Cloud application on Azure Active Directory and enables read-only or read-write access to your Azure subscription.
Azure China workflows do not support the use of Terraform templates.
- Using Custom Role JSON Using a manually created Custom Role you also have the option to enforce least access privilege to restrict access. To achieve this you will need to manually set up the Prisma Cloud application on Active Directory and Create a Custom Role to authorize access to Azure APIs.
- Manually Authorizing Prisma Cloud If your organization restricts the use of Terraform scripts, you can choose to manually create the required Azure resources for Prisma Cloud to call the Azure APIs.
Connect Azure Commercial Subscription
Ensure that you’ve reviewed the onboarding prerequisites prior to starting the onboarding process. The graphic below provides a visual overview of the steps you will take to onboard your account.
- Get Started
- Access Prisma Cloud and select .
- ChooseAzureas theCloud to Secure.
- SelectSubscriptionunderScope.
- SelectCommercialas theDeployment Type.
- Enable the followingAdvancedsecurity capabilities to optimize your Prisma Cloud experience:
- Agentless Workload Scanning scans hosts and containers for vulnerabilities and compliance risks without having to install a Defender. You can also update the scanning configuration for Agentless scans.
- Serverless Function Scanningscans cloud provider functions like AWS Lambda, Azure and Google functions for vulnerabilities and compliance. You can also update the scanning configuration for Serverless scans
- Agent-Based Workload Protectionallows for automated deployment of Defenders to secure resources such as VMs, containers and Kubernetes orchestrators. Registry scanning, Kubernetes audits and other features required by defenders are also enabled.
- Threat Detectionto identify network and user threats is enabled by default.The following recommended capabilities are enabled by default:
- Misconfigurations(Foundational) scans cloud resources and ingestion metadata for vulnerabilities.
- Identity Security(Foundational) calculates net effective permission for identities and manages access.
- Threat Detection(Advanced) identifies network and user threats.
- ClickNextto proceed with the onboarding flow.
- Configure Account
- On theConfigure Accountpage provide yourAccount DetailsincludingDirectory Tenant IDand choose anAccount Name.
- Click theRemediationcheckbox if you would like to optionally remediate misconfigured resources from IaC (Infrastructure as Code) templates. Additional permissions are required for this functionality.
- If you’re using the recommended Terraform template to provide the required account details, clickDownload Terraform Scriptand enter the form details from the script output. Provide details forApplication (Client) ID,Application Client Secret,Enterprise Application Object IDfrom the script output.
- Enable Network Security Group (NSG) flow log ingestion if you would like to view information about ingress and egress IP traffic through an NSG.
- You can also select a Default Account Group, or choose from one of the Account Groups in the drop-down.
- Click Next.
- Review Status
- On theReview Statuspage, ensure that all theSecurity Capabilitiesyou have selected display a green Enabled button. IfChecks Failedappears next to a selected function. Click the drop-down next to the failed check and add the missing permissions listed.
- ClickSave and Closeto complete onboarding orSave and Onboard Another Account.
Connect Azure Government Subscription
To connect an Azure Government account follow the steps outlined under Azure Commercial above, with the following exceptions:
- While completing the Get Started step, selectGovernmentas the deployment type.
- During the Configuration step,Remediation of IaC templatesis not available for Azure Government accounts.
Connect Azure China Subscription
Account onboarding on Prisma Cloud is only available for cloud resources currently deployed on Azure China. Follow the steps outlined under Azure Subscription above to onboard an Azure China account with the following exceptions:
- Azure China does not support the use of Terraform templates to onboard a cloud account. To get started with monitoring your Azure China Subscription, review the manual onboarding steps and gather the required information from your Azure China account.
- During the Configuration step,Remediation of IaC templatesis not available for Azure China accounts.
- Advanced security capabilities such as Agentless Workload Scanning, Serverless Function Scanning and Agent-based Workload Protection are not available on Azure China.
