1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Azure Account
    7. Set Up Your Azure Subscription for Prisma Cloud

    Set Up Your Azure Subscription for Prisma Cloud

    Configure your Azure Government subscription for Prisma™ Cloud to analyze traffic data flow and monitor resources for potential security and compliance issues.
    Connect Prisma™ Cloud to your Azure cloud environment so that you can monitor for threats and compliance violations, enable auto-remediation of incidents, and identify hosts and containers that contain vulnerabilities. Before Prisma Cloud can monitor the resources within your Azure Government subscription, you must add Prisma Cloud as an application to your Azure Active Directory and configure your Azure subscription to allow Prisma Cloud to analyze flow log data.
    You do not need to complete this workflow for Azure commercial because the onboarding flow uses Terraform template to automate this process. Start with Add an Azure Subscription on Prisma Cloud
    Prisma Cloud requires your Azure
    Subscription ID
     so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
    Directory ID
    ,
    Application ID
    ,
    Application Key
    , and
    Service Principal ID
     to establish the connection between Prisma Cloud and Azure Active Directory so that it can access the resources in your subscription.
    1. Locate and copy your Azure subscription ID.
      Prisma Cloud requires the
      Subscription ID
       so that it can identify your Azure cloud account and can retrieve the storage account and key vault information.
      1. Log in to Microsoft Azure, select
        All services
        Subscriptions
        , select your subscription, and copy the
        Subscription ID
        .
        azure-subscription-id.png
    2. Add Prisma Cloud as a new application on Azure Active Directory.
      Registering Prisma Cloud as an application on Azure AD generates an Application ID. You need this ID and an Application key to authenticate Prisma Cloud on Azure and to maintain a secure connection.
      1. Log in to Microsoft Azure and select
        Azure Active Directory
        App registrations
        New application registration
        .
        app-registration-azure-ad.png
      2. Enter a
        Name
         to identify the Prisma Cloud application, select the
        Supported account types
         that can use the application as
        Accounts in this organizational directory only
        , enter your login URL for Prisma Cloud as the
        Redirect URI
        , and then click
        Register
        .
        The log in URL for Prisma Cloud is the URL you received in your order confirmation email, and it varies depending on your region.
        azure-ad-create-ap.png
      3. Generate a client secret for the Prisma Cloud application.
        The client secret is the application password for Prisma Cloud.
        1. Select
          Azure Active Directory
          App Registrations
          All Applications
           and select the Prisma Cloud application.
        2. Add a client secret or the application password (
          Certificates & Secrets
          New client secret
          ).
        3. Enter a
          Description
           and select a
          Duration
          , which is the term for which the key is valid.
        4. Add
           the new client secret and then copy the value of that new client secret for your records because you cannot view this key after you close this dialog. You will need this new client secret application key when you Add an Azure Subscription on Prisma Cloud.
          azure-active-directory-application-key.png
    3. Copy the information on the Prisma Cloud application from Azure Active Directory.
      For Prisma Cloud to interact with the Azure APIs and collect information on your Azure resources, you must capture the following values.
      1. Select
        Azure Active Directory
        App Registrations
        All Applications
        , find the Prisma Cloud application you created, and copy the
        Directory ID
        .
        azure-active-directory-id.png
      2. Select
        Azure Active Directory
        Enterprise Applications
        .
      3. Select your Prisma Cloud application
        Properties
         and copy the
        Application ID
         and
        Object ID
        .
        You must enter the Object ID as the Service Principal ID in the next step.
        Make sure that you get the Object ID for the Prisma Cloud application from
        Enterprise Applications
        All applications
         on the Azure portal—not from
        App Registrations
        .
        azure-active-directory-application-id.png
    4. Grant permissions for the Prisma Cloud application to access information at the Azure Subscription level.
      To assign roles, you must have Owner or User Access Administrator privileges on your Azure Subscription.
      1. Select
        All Services
        Subscriptions
        .
      2. Select your subscription and
        Add role assignment
         (
        Access Control (IAM)
        ).
        azure-subscription-roles.png
      3. Select the
        Role
        , verify that Azure AD user, group, or service principal is selected (
        Assign access to
        ), and select the Prisma Cluod app to assign the roles.
        Review the Azure Cloud Account Onboarding Checklist for a description of the roles and permissions that are required at the subscription level. Then decide which roles you must add for your security and monitoring needs—
        Reader Role
        ,
        Reader and Data Access Role
        , Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs,
        Network Contributor Role
        , or
        Storage Account Contributor Role
        .
        azure-subscription-role-list.png
    5. (
      Optional
      ) Grant permission for the Prisma Cloud application to access the Azure Key Vault service.
      If you use Azure Key Vault to safeguard and manage cryptographic keys and secrets used by your cloud applications and services, Prisma Cloud needs permission to ingest this key vault data.
      1. From Azure, select
        All Services
        Key Vaults
        .
      2. Select your Key vault name and
        Access Policies
        .
        azure-key-vault.png
      3. Select
         (add) your Prisma Cloud application (
        Add new
        Select Principal
        ).
        azure-key-vault-prisma-cloud-app.png
      4. Select
        List
         for
        Key permissions
         and for
        Secret permissions
        , select both
        List
         and
        List Certificate Authorities
         for
        Certification permissions
        , and then click
        OK
        .
        azure-access-policy.png
    6. (
      Optional
      ) Grant permission for the Prisma Cloud application to access the catalog related information on Azure Data Lake Analytics account.
      each Azure Data Lake Analytics account you must assign the Prisma Cloud role to access catalog related information such as ACLs, databases, credentials, external data sources, so that it can ingest metadata.After you assign these permissions to the Azure Data Lake Storage Gen 1 instance if you use the same instance in other Azure Data Lake Analytics accounts, then you do not need to repeat these steps.
      1. On the Azure portal, go to your Data Lake Analytics account.
      2. Select Add user wizard.
      3. Select User, and search for the Prisma Cloud app and select it.
      4. In the role drop down, choose Reader and click Next
      5. Under Scope, Assign only Read only permissions and click Next to assign permissions to the files and folders.
      6. Select the checkboxes in the Read and Execute columns, and clear the Write column, then click Next.
        azure-data-lake-catalog-permissions.png
      7. Verify the tasks and click Run.
        azure-data-lake-catalog-permissions-review.png
    8. On the Azure portal,Create a storage account on Azure for NSG flow logs.
      Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.
      If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend you set retention to at least 15 days.
    9. On the Azure portal,Enable NSG flow logs.
    10. Configure Prisma Cloud Reader and Data Access role for your Azure storage account.
      To ingest Azure flow logs, you have to grant access to the storage account in which the logs are stored. The Reader and Data Access role provides the ability to view everything and allows read/write access to all data contained in a storage account using the associated storage account keys. If your flow logs are stored in storage accounts that belong to one or more subscriptions that are not monitored by Prisma Cloud, you must configure the Prisma Cloud application with the Reader and Data Access role for each storage account.
      1. After creating your storage account, select
        Access control (IAM)
        Add role assignment
        .
        azure-storage-group-role.png
      2. Select
        Reader and Data Access
         as the
        Role
        ,
        Select
         the administrative user to whom you want to assign the role, and
        Save
         your changes.
        azure-storage-group-reader-data-access-role.png

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo