Create a Custom Role on Azure

Create and configure a custom role on Azure to enforce the principle of least privilege.
Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze compliance issues and traffic logs, and to detect potentially malicious network activity. While you can use the built-in roles, which grant a much broader set of permissions, it is a best practice to create a custom role so that you follow the principle of least privilege and limit access rights to the bare minimum. Use the Azure Cloud Account Onboarding Checklist to identify the services from which you want to ingest data, and manually assign to this custom role only the permissions those services require.
To create a custom role on Azure, you must have an Azure Active Directory Premium 1 or Premium 2 license plan.
  1. Create a custom role using Azure CLI.
      1. Install the Azure CLI and log in to Azure.
      2. Download the JSON files that contain the permissions:
        Microsoft recommends using a wildcard (*) for configuring NSG flow log permissions instead of a specific action, because configureFlowLog and queryFlowLogStatus each expose only one operation, which is action. Refer to the Microsoft documentation for additional details.
      3. Open a text editor (such as Notepad) and enter the following role definition in JSON format to create a custom role. You can create custom roles using Azure PowerShell, the Azure CLI, or the REST API; these instructions use the Azure CLI command (run from PowerShell or the DOS command prompt) to create the custom role with the queryFlowLogStatus permission. Make sure to provide your Azure Subscription ID in the last line.
      4. Save the JSON file on your local Windows system and give it a descriptive name, such as azure_prisma_cloud_lp_read_only.json.
      5. Log in to the Azure portal from the same Windows system and complete the following steps:
        1. Open a PowerShell window (or a DOS Command Prompt window).
        2. Go to the directory where you stored the JSON file.
        3. Enter the following Azure CLI command (replace the JSON filename to match the name you specified when you saved your custom role JSON file):
          az role definition create --role-definition "azure_prisma_cloud_lp_read_only.json"
          az role definition create --role-definition "azure_prisma_cloud_read_only_role_gov.json"
          az role definition create --role-definition "azure_prisma_cloud_read_only_role_china.json"
          The output is as follows:
          {
            "assignableScopes": [
              "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            ],
            "description": "Allows Reading Flow Logs Settings",
            "id": "/subscriptions/16dfdbcc-e407-4fbe-9096-e7a97ee23fb5/providers/Microsoft.Authorization/roleDefinitions/088c8f48-201c-4f8d-893f-7716a8d58fa1",
            "name": "088c8f48-201c-4f8d-893f-7716a8d58fa1",
            "permissions": [
              {
                "actions": [
                  "<a list of all actions>"
                ],
                "dataActions": [],
                "notActions": [],
                "notDataActions": []
              }
            ],
            "roleName": "Flow Log Settings Reader",
            "roleType": "CustomRole",
            "type": "Microsoft.Authorization/roleDefinitions"
          }
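Before running az role definition create, it is worth checking the role definition file for the two mistakes that undermine least privilege here: a subscription placeholder left in AssignableScopes, and a wildcard or write/delete operation that grants far more than flow log reads. The linter below is an added example, not Prisma Cloud's or Microsoft's tooling; it assumes the az CLI role-definition file format (Name, IsCustom, Actions, AssignableScopes, ...) and uses a constructed subscription GUID and a constructed action list.

```python
"""Lint a custom role definition JSON before `az role definition create`.
Added example, not Prisma Cloud's or Microsoft's tooling. Key names follow the
az CLI role-definition file format; the GUID and action list are constructed."""
import json
import re

# /subscriptions/<GUID>; the 'xxxxxxxx' placeholder from the docs must be replaced.
SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Operations that change state; a read-only collector role should not need them.
MUTATING = ("/write", "/delete", "/action")
# The one 'action' operation the page calls out as needed for flow logs.
ALLOWED_ACTIONS = {"Microsoft.Network/networkWatchers/queryFlowLogStatus/action"}
def lint_role(definition: dict, subscription_id: str) -> list:
    """Return least-privilege findings; an empty list means the file is acceptable."""
    findings = []
    if not definition.get("IsCustom"):
        findings.append("IsCustom should be true for a custom role")
    for scope in definition.get("AssignableScopes", []):
        if not SUB_SCOPE.match(scope):
            findings.append(f"scope is not a concrete subscription: {scope}")
        elif scope.rsplit("/", 1)[-1].lower() != subscription_id.lower():
            findings.append(f"scope points at a different subscription: {scope}")
    for action in definition.get("Actions", []):
        # '*' or 'Provider/*' grants far more than flow-log reads.
        if action == "*" or (action.endswith("/*") and action.count("/") < 2):
            findings.append(f"over-broad wildcard: {action}")
        elif action.endswith(MUTATING) and action not in ALLOWED_ACTIONS:
            findings.append(f"non-read operation in a read-only role: {action}")
    if definition.get("DataActions"):
        findings.append("DataActions granted; control-plane reads are enough here")
    return findings

def lint_role_json(text: str, subscription_id: str) -> list:
    """Parse the JSON file contents and lint them."""
    return lint_role(json.loads(text), subscription_id)

SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # constructed
GOOD_ROLE = """{"Name": "Flow Log Settings Reader", "IsCustom": true,
 "Description": "Allows Reading Flow Logs Settings",
 "Actions": ["Microsoft.Network/networkWatchers/queryFlowLogStatus/*",
             "Microsoft.Network/networkSecurityGroups/read"],
 "NotActions": [], "DataActions": [], "NotDataActions": [],
 "AssignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"]}"""
# Same file with the docs' placeholder left in place and a bare '*' action.
WEAK_ROLE = GOOD_ROLE.replace('"Microsoft.Network/networkSecurityGroups/read"', '"*"'
                              ).replace(SUBSCRIPTION_ID, "x" * 32)
if __name__ == "__main__":
    for label, text in (("good", GOOD_ROLE), ("weak", WEAK_ROLE)):
        print(label, lint_role_json(text, SUBSCRIPTION_ID) or "OK")
```

Run it against the file you saved in step 4 (load the file contents and pass them to lint_role_json together with your subscription ID) and only proceed to az role definition create when the finding list is empty.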
  2. Configure the custom role to access the flow logs.
    1. Log in to the Microsoft Azure Portal.
    2. Select your subscription (All services > Subscriptions).
    3. Select Access control (IAM) > Add role assignment. Verify that you can see the new custom role you created in the Role drop-down.
    4. Assign the Role to Prisma Cloud, enable the permission to query flow log status, and Save your changes.
