Register an App on Azure Active Directory

Create an app registration (service principal) on Azure portal so that you can manually onboard your Azure AD tenant or subscription to Prisma Cloud.
Register a new application using Azure Active Directory (Azure AD) so that you can manually connect your Azure AD tenant or subscriptions to Prisma™ Cloud and monitor it for security vulnerabilities and ensure compliance.
  1. Register an app on Azure Active Directory (Azure AD).
    To register an app on Azure AD, ensure that you have access to the following prerequisites:
    • A Prisma Cloud tenant with permissions to onboard a cloud account.
    • Access to Azure portal with the permissions to:
      • Create an app registration (service principal).
      • Create a custom role.
      • Assign IAM roles at the tenant root level.
      • Assign GraphAPI permissions at the tenant level.
      • Grant admin consent for Azure AD Graph APIs.
  2. Register a new app.
    1. Log in to Azure portal.
    2. Select
      Azure Active Directory
      App registrations
      + New registration
      .
    3. Enter the application name.
    4. Select the supported account types.
      You have the options of choosing from single tenant, multitenant, multitenant and personal Microsoft accounts, or personal Microsoft accounts only.
    5. Optional
      —Enter the Redirect URI.
      The authentication response of the app will be returned to this URI.
    6. Click
      Register
      .
    7. Copy
      Application (client) ID
      and
      Directory (tenant) ID
      to a secure location on your computer. You will later enter these details into the Prisma Cloud UI.
  3. Create the client secret.
    The client secret is a secret string that the application uses to prove its identity when requesting a token.
    1. Select
      Certificates & secrets
      + New client secret
      .
    2. Enter a client
      Description
      , select
      Expires
      to configure how long the client secret lasts, and
      Add
      .
    3. Copy
      Value
      to a secure location.
    Make sure that you copy
    Value
    and not
    Secret ID
    .
  4. Get the Object ID.
    1. Select
      Azure active directory
      Enterprise applications
      , and search for the app you previously created in the search box.
    2. Copy
      Object ID
      to a secure location on your computer.
      Make sure that you get the
      Object ID
      for the Prisma Cloud application from
      Enterprise Applications
      All applications
      on the Azure portal—not from
      App Registrations
      .
  5. Add roles to the root group.
    The following roles should be added to the root group:
    • Reader
    • Reader and Data Access
    • Network Contributor
    • Storage Account Contributor
    • Optional
    1. To add these roles, click
      Home
      under header to get back to azure portal.
    2. Add role assignment.
      • Select
        Management groups
        Tenant Root Group
        (your azure subscription)
        Access control (IAM)
        Role assignments
        + Add
        Add role assignment
        .
      • Search by role
        —Enter the name of the role you want to search for in the search box—for example—
        reader
        . Click on the role name in the results, and then
        Next
        .
      • Select members
        —Modify
        Assign access to
        to assign the role to a
        User, group, or service principal
        —or—
        Managed identity
        . Click
        +Select members
        and then type in the name of the app you previously created in the search box to assign the role to your app. Click
        Select
        and then
        Next
        .
      • Click
        Review + assign
        .
      • Repeat these steps to add the
        Reader and Data Access
        ,
        Network Contributor
        , and
        Storage Account Contributor
        roles.
  6. Verify that all the roles have been added.
    1. Select
      Role assignments
      .
    2. Enter the name of your app in the search form and view the roles that have been added.
  7. Add the Microsoft Graph APIs.
    1. Navigate to the app you previously registered.
      Select
      Azure Active Directory
      App registrations
      , and select your app.
    2. Navigate to Microsoft Graph.
      Select
      API permissions
      + Add a permission
      Microsoft Graph
      Application permissions
      .
    3. Add the permissions.
      Enter the permission name in
      Select permissions
      , and select the name from
      Permission
      .
      Add the following permissions:
      • User.Read.All
      • Policy.Read.All
      • Group.Read.All
      • GroupMember.Read.All
      • Reports.Read.All
      • Directory.Read.All
      • Domain.Read.All
      • Application.Read.All
  8. Grant admin consent for Default Directory.
    1. Select
      Grant admin consent for Default Directory
      Yes
      .
    2. Verify that the permissions are granted.
      You should see green check marks under the
      Status
      column.

Recommended For You