Set Up Your Azure Subscription for Prisma Cloud

Configure your Azure Government subscription for Prisma™ Cloud to analyze traffic data flow and monitor resources for potential security and compliance issues.
Connect Prisma™ Cloud to your Azure cloud environment so that you can monitor for threats and compliance violations, enable auto-remediation of incidents, and identify hosts and containers that contain vulnerabilities. Before Prisma Cloud can monitor the resources within your Azure Government subscription, you must add Prisma Cloud as an application to your Azure Active Directory and configure your Azure subscription to allow Prisma Cloud to analyze flow log data.
You do not need to complete this workflow for Azure commercial because the onboarding flow uses a Terraform template to automate this process. Start with Add an Azure Subscription on Prisma Cloud.
Prisma Cloud requires your Azure Subscription ID so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the Directory ID, Application ID, Application Key, and Service Principal ID to establish the connection between Prisma Cloud and Azure Active Directory so that it can access the resources in your subscription.
  1. Locate and copy your Azure subscription ID.
    Prisma Cloud requires the Subscription ID so that it can identify your Azure cloud account and can retrieve the storage account and key vault information.
    1. Log in to Microsoft Azure, select All services > Subscriptions, select your subscription, and copy the Subscription ID.
      (Screenshot: azure-subscription-id.png)
  2. Add Prisma Cloud as a new application on Azure Active Directory.
    Registering Prisma Cloud as an application on Azure AD generates an Application ID. You need this ID and an Application key to authenticate Prisma Cloud on Azure and to maintain a secure connection.
    1. Log in to Microsoft Azure and select Azure Active Directory > App registrations > New application registration.
      (Screenshot: app-registration-azure-ad.png)
    2. Enter a Name to identify the Prisma Cloud application, set Supported account types (the accounts that can use the application) to Accounts in this organizational directory only, enter your login URL for Prisma Cloud as the Redirect URI, and then click Register.
      The login URL for Prisma Cloud is the URL you received in your order confirmation email, and it varies depending on your region.
      (Screenshot: azure-ad-create-ap.png)
    3. Generate a client secret for the Prisma Cloud application.
      The client secret is the application password for Prisma Cloud.
      1. Select Azure Active Directory > App Registrations > All Applications and select the Prisma Cloud application.
      2. Add a client secret, which is the application password (Certificates & Secrets > New client secret).
      3. Enter a Description and select a Duration, which is the term for which the key is valid.
      4. Add the new client secret and then copy its value for your records, because you cannot view this key after you close this dialog. You will need this client secret as the Application Key when you Add an Azure Subscription on Prisma Cloud.
        (Screenshot: azure-active-directory-application-key.png)
  3. Copy the information on the Prisma Cloud application from Azure Active Directory.
    For Prisma Cloud to interact with the Azure APIs and collect information on your Azure resources, you must capture the following values.
    1. Select Azure Active Directory > App Registrations > All Applications, find the Prisma Cloud application you created, and copy the Directory ID.
      (Screenshot: azure-active-directory-id.png)
    2. Select Azure Active Directory > Enterprise Applications.
    3. Select your Prisma Cloud application > Properties and copy the Application ID and Object ID.
      You must enter the Object ID as the Service Principal ID in the next step.
      Make sure that you get the Object ID for the Prisma Cloud application from Enterprise Applications > All applications on the Azure portal, not from App Registrations. The app registration and its enterprise application (the service principal) are separate objects with different Object IDs.
      (Screenshot: azure-active-directory-application-id.png)
  4. Grant permissions for the Prisma Cloud application to access information at the Azure Subscription level.
    To assign roles, you must have Owner or User Access Administrator privileges on your Azure Subscription.
    1. Select All Services > Subscriptions.
    2. Select your subscription and Add role assignment (Access Control (IAM)).
      (Screenshot: azure-subscription-roles.png)
    3. Select the Role, verify that Azure AD user, group, or service principal is selected under Assign access to, and select the Prisma Cloud app to assign the roles.
      Review the Azure Cloud Account Onboarding Checklist for a description of the roles and permissions that are required at the subscription level. Then decide which roles you must add for your security and monitoring needs: Reader Role, Reader and Data Access Role, the custom role described in Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs, Network Contributor Role, or Storage Account Contributor Role.
      (Screenshot: azure-subscription-role-list.png)
  5. (Optional) Grant permission for the Prisma Cloud application to access the Azure Key Vault service.
    If you use Azure Key Vault to safeguard and manage cryptographic keys and secrets used by your cloud applications and services, Prisma Cloud needs permission to ingest this key vault data.
    1. From Azure, select All Services > Key Vaults.
    2. Select your Key vault name and Access Policies.
      (Screenshot: azure-key-vault.png)
    3. Add your Prisma Cloud application (Add new > Select Principal).
      (Screenshot: azure-key-vault-prisma-cloud-app.png)
    4. Select List for Key permissions and for Secret permissions, select both List and List Certificate Authorities for Certificate permissions, and then click OK.
      (Screenshot: azure-access-policy.png)
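After the role assignments in step 4 and the key vault access policy in step 5 are in place, it is worth verifying that the Prisma Cloud service principal received exactly what the checklist calls for and nothing broader. The following Python script is an added example (not part of this page and not Prisma Cloud or Microsoft code) that audits both offline. It assumes the input records have the shape returned by `az role assignment list --assignee <object-id> --scope /subscriptions/<id> -o json` and by the `accessPolicies` list of `az keyvault show`; the GUIDs, the sample records, the custom role name "Prisma Cloud Flow Log Reader", and the mapping of the portal's "List Certificate Authorities" to the CLI permission `listissuers` are all assumptions or placeholders.

```python
"""Offline audit of what the Prisma Cloud service principal was granted in
steps 4 and 5: role assignments at subscription scope and the key vault
access policy.  Added example, not Prisma Cloud or Microsoft code.

The sample records are constructed to resemble the JSON that
`az role assignment list --assignee <object-id> --scope /subscriptions/<id>`
and the accessPolicies list of `az keyvault show` return; every GUID below
is a placeholder.
"""

# Placeholders for the values copied in steps 1 and 3 (not real IDs).
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
PRISMA_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"  # Enterprise app Object ID

# Reader is the baseline; the other roles the page lists are added as needed.
REQUIRED_ROLES = {"Reader"}
OPTIONAL_ROLES = {
    "Reader and Data Access",
    "Network Contributor",
    "Storage Account Contributor",
    "Prisma Cloud Flow Log Reader",  # assumed name for the custom flow-log role
}
# Any of these on the Prisma Cloud principal is a least-privilege finding.
OVERLY_BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Key vault permissions from step 5, in CLI spelling.  "listissuers" is
# assumed to be the CLI name for the portal's "List Certificate Authorities".
EXPECTED_KV_PERMISSIONS = {
    "keys": {"list"},
    "secrets": {"list"},
    "certificates": {"list", "listissuers"},
}

# Constructed sample: Reader plus an accidental Contributor assignment on the
# Prisma Cloud principal, and an unrelated user's Owner assignment.
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRISMA_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": PRISMA_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": "00000000-0000-0000-0000-00000000bbbb", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]

# Constructed sample access policy: secrets also has "get", which lets the
# app read secret values rather than only enumerate them.
SAMPLE_KV_POLICIES = [
    {"objectId": PRISMA_OBJECT_ID,
     "permissions": {"keys": ["list"], "secrets": ["list", "get"],
                     "certificates": ["list"]}},
]


def audit_subscription_roles(assignments, object_id, subscription_id):
    """Return the principal's subscription-scope roles and the findings.

    Only assignments whose scope is exactly the subscription count: an
    assignment limited to a resource group does not satisfy step 4.
    """
    scope = f"/subscriptions/{subscription_id}".lower()
    granted = {
        a["roleDefinitionName"] for a in assignments
        if a["principalId"] == object_id and a["scope"].lower() == scope
    }
    return {
        "granted": granted,
        "missing_required": REQUIRED_ROLES - granted,
        "unexpected": granted - REQUIRED_ROLES - OPTIONAL_ROLES,
        "overly_broad": granted & OVERLY_BROAD_ROLES,
    }


def audit_key_vault_policy(policies, object_id):
    """Compare the vault's access policy for the principal with step 5.

    Returns {category: {"missing": set, "extra": set}}.  Extra permissions
    are reported because they widen what a leaked Prisma Cloud credential
    could do with the vault.
    """
    perms = next((p["permissions"] for p in policies
                  if p["objectId"] == object_id), {})
    report = {}
    for category, expected in EXPECTED_KV_PERMISSIONS.items():
        have = {x.lower() for x in perms.get(category) or []}
        report[category] = {"missing": expected - have, "extra": have - expected}
    return report


if __name__ == "__main__":
    roles = audit_subscription_roles(SAMPLE_ASSIGNMENTS, PRISMA_OBJECT_ID, SUBSCRIPTION_ID)
    for key, value in roles.items():
        print(f"{key}: {sorted(value)}")
    kv = audit_key_vault_policy(SAMPLE_KV_POLICIES, PRISMA_OBJECT_ID)
    for category, result in kv.items():
        print(f"key vault {category}: missing={sorted(result['missing'])} "
              f"extra={sorted(result['extra'])}")
```

On the constructed sample the script reports Contributor as both unexpected and overly broad, flags `get` on secrets as an extra permission, and reports `listissuers` as missing for certificates. To run it against a real subscription, replace the sample lists with the parsed output of the two `az` commands named in the docstring.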
  6. (Optional) Grant permission for the Prisma Cloud application to access the catalog-related information on an Azure Data Lake Analytics account.
    For each Azure Data Lake Analytics account, you must assign the Prisma Cloud role to access catalog-related information such as ACLs, databases, credentials, and external data sources, so that it can ingest metadata. After you assign these permissions to an Azure Data Lake Storage Gen 1 instance, you do not need to repeat these steps if you use the same instance in other Azure Data Lake Analytics accounts.
    1. On the Azure portal, go to your Data Lake Analytics account.
    2. Select Add user wizard.
    3. Select User, search for the Prisma Cloud app, and select it.
    4. In the role drop-down, choose Reader and click Next.
    5. Under Scope, assign only read-only permissions and click Next to assign permissions to the files and folders.
    6. Select the checkboxes in the Read and Execute columns, clear the Write column, and then click Next.
      (Screenshot: azure-data-lake-catalog-permissions.png)
    7. Verify the tasks and click Run.
      (Screenshot: azure-data-lake-catalog-permissions-review.png)
  7. On the Azure portal, Create a storage account on Azure for NSG flow logs.
    Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.
    If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend that you set retention to at least 15 days.
  8. On the Azure portal, Enable NSG flow logs.
  9. Configure the Prisma Cloud Reader and Data Access role for your Azure storage account.
    To ingest Azure flow logs, you have to grant access to the storage account in which the logs are stored. The Reader and Data Access role provides the ability to view everything and allows read/write access to all data contained in a storage account using the associated storage account keys. If your flow logs are stored in storage accounts that belong to one or more subscriptions that are not monitored by Prisma Cloud, you must configure the Prisma Cloud application with the Reader and Data Access role for each storage account.
    1. After creating your storage account, select Access control (IAM) > Add role assignment.
      (Screenshot: azure-storage-group-role.png)
    2. Select Reader and Data Access as the Role, under Select choose the administrative user to whom you want to assign the role, and Save your changes.
      (Screenshot: azure-storage-group-reader-data-access-role.png)
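Steps 7 to 9 leave three things to verify for every network security group: the flow log is enabled, its retention is not shorter than the 15 days recommended above, and the Prisma Cloud service principal holds Reader and Data Access on the storage account the log is written to. The Python script below is an added example (not part of this page and not Prisma Cloud or Microsoft code) that checks all three offline. It assumes flow-log records shaped like the output of `az network watcher flow-log show` and role assignments shaped like `az role assignment list` output; the subscription, resource group, storage account names and GUIDs are constructed placeholders. It also goes slightly beyond the portal steps by honouring Azure RBAC inheritance, so an assignment made at subscription or resource-group scope is recognised as covering the storage account.

```python
"""Offline check of the flow-log prerequisites from steps 7 to 9: each NSG
flow log is enabled, its retention meets the recommended minimum, and the
Prisma Cloud service principal holds "Reader and Data Access" on the storage
account that receives the logs.  Added example, not Prisma Cloud or
Microsoft code.

The records are constructed to resemble `az network watcher flow-log show`
and `az role assignment list` output; every ID is a placeholder.
"""

MIN_RETENTION_DAYS = 15                                     # the page's recommendation
REQUIRED_STORAGE_ROLE = "Reader and Data Access"
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"    # placeholder
PRISMA_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"   # placeholder


def storage_account_id(name, resource_group="rg-flowlogs"):
    """Build a storage account resource ID in the usual ARM layout."""
    return (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{name}")


# Constructed sample flow logs: one compliant, one with short retention,
# one disabled.
SAMPLE_FLOW_LOGS = [
    {"name": "nsg-web-flowlog", "enabled": True,
     "retentionPolicy": {"days": 30, "enabled": True},
     "storageId": storage_account_id("stflowlogs01")},
    {"name": "nsg-db-flowlog", "enabled": True,
     "retentionPolicy": {"days": 7, "enabled": True},
     "storageId": storage_account_id("stflowlogs02")},
    {"name": "nsg-mgmt-flowlog", "enabled": False,
     "retentionPolicy": {"days": 0, "enabled": False},
     "storageId": storage_account_id("stflowlogs01")},
]

# Constructed sample assignments: the data-access role exists on stflowlogs01
# only; the subscription-level Reader role does not grant data access.
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRISMA_OBJECT_ID, "roleDefinitionName": "Reader and Data Access",
     "scope": storage_account_id("stflowlogs01")},
    {"principalId": PRISMA_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]


def scope_covers(scope, resource_id):
    """Azure RBAC inherits down the hierarchy: an assignment at subscription
    or resource-group scope also applies to the storage account beneath it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def has_role(assignments, object_id, role, resource_id):
    """True if some assignment grants `role` to the principal at a scope
    that covers `resource_id`."""
    return any(a["principalId"] == object_id and a["roleDefinitionName"] == role
               and scope_covers(a["scope"], resource_id) for a in assignments)


def check_flow_log(flow_log, assignments, object_id):
    """Return a list of findings for one flow log (empty means it passes)."""
    findings = []
    if not flow_log.get("enabled"):
        findings.append("flow log disabled")
    policy = flow_log.get("retentionPolicy") or {}
    # A disabled retention policy (0 days) keeps the logs until deleted, so
    # only an enabled policy shorter than the recommendation is flagged.
    if policy.get("enabled") and policy.get("days", 0) < MIN_RETENTION_DAYS:
        findings.append(f"retention {policy['days']}d is below {MIN_RETENTION_DAYS}d")
    if not has_role(assignments, object_id, REQUIRED_STORAGE_ROLE, flow_log["storageId"]):
        account = flow_log["storageId"].rsplit("/", 1)[-1]
        findings.append(f"{REQUIRED_STORAGE_ROLE} not granted on {account}")
    return findings


def audit_flow_logs(flow_logs, assignments, object_id):
    """Map each flow log name to its findings."""
    return {f["name"]: check_flow_log(f, assignments, object_id) for f in flow_logs}


if __name__ == "__main__":
    report = audit_flow_logs(SAMPLE_FLOW_LOGS, SAMPLE_ASSIGNMENTS, PRISMA_OBJECT_ID)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On the sample data the web flow log passes, the database flow log is flagged for 7-day retention and for the missing role on its storage account, and the management flow log is flagged only as disabled. Feed it the real CLI output for each network security group and storage account to get the same report for your subscription.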
