Begin Scanning a Microsoft Azure Storage App

Configure your Microsoft Azure Storage app to connect to Prisma SaaS to enable the monitoring and scanning of your resources.
To connect a Microsoft Azure Storage app to Prisma SaaS and begin scanning assets you need to:
  • Create Your AAD Application
  • Register Your AAD Application
  • Retrieve Required Information from AAD Application
  • Enable Iterative Scanning Service
  • Add the Microsoft Azure Storage App
  • Identify Risks
For information on which automated remediation capabilities Prisma SaaS supports with Microsoft Azure Storage, refer to Supported Applications with Remediation.

Create Your AAD Application

To discover containers, Prisma SaaS requires specific permissions. Permissions are tied to roles, and these roles are bound to the Azure Storage App subscription and an AAD application that you create in advance of adding the Microsoft Azure Storage app on Prisma SaaS.
  1. Ensure that you have the required permissions to create an application in Azure Active Directory (AAD).
    See Check Azure Active Directory Permissions in the Microsoft documentation.
  2. Create an AAD application.
    In a text editor (such as Notepad), copy the Application ID and the name of the application to use later in this procedure. See Create an Azure Active Directory Application in the Microsoft documentation.
  3. Get the Tenant ID, which is the ID of the AAD directory in which you created the application.
    In a text editor (such as Notepad), copy the Directory (tenant) ID to use later in this procedure. The Directory ID value is the tenant ID required to connect Azure to Prisma SaaS. See Get Tenant ID in the Microsoft documentation.
  4. Assign the Reader role to the AAD application on the subscriptions to scan, and assign the Storage Account Key Operator Service Role to the AAD application on the subscriptions or storage accounts to scan.
    See Assign Application to Role in the Microsoft documentation.
  5. Enable the roles required by the AAD application.
    microsoft-azure-storage-enable-role.png
    From your subscription, select Access control (IAM) > Add > Add role assignment and assign the following roles:
    • Reader (subscription scans): the Reader role can view existing Azure resources and is required for monitoring subscriptions.
    • Storage Account Key Operator Service Role (storage account scans): this role allows the application to list and regenerate storage account access keys, which Prisma SaaS requires to scan storage accounts. Because regenerating a key invalidates the old key for every client that was using it, grant this role at storage-account scope where you can rather than across the whole subscription.

Register Your AAD Application

Before you can add the Microsoft Azure Storage app, you must register the application to provide secure sign-in and authorization for Prisma SaaS.
  1. Register your application with your Azure AD tenant.
    1. Log in to Microsoft Azure.
    2. Select Azure Active Directory > App registrations.
    3. Do one of the following:
      • Add a New application registration: enter the application Name and Supported account type and, optionally, a Redirect URI, then Register the new application.
      • Select an application that has already been registered by clicking the app in the list.
      microsoft-azure-register-app.png
  2. Enable API permissions for Microsoft Graph.
    1. Click the Display name of the registered app.
    2. Select View API permissions > Add a permission > Microsoft Graph.
      microsoft-azure-required-permissions.png
    3. Add Read all users’ full profiles (User.Read.All) under both Application permissions and Delegated permissions.
      microsoft-azure-enable-access-graph.png
  3. Enable API permissions for Azure Active Directory Graph.
    1. Click the Display name of the registered app.
    2. Select View API permissions > Add a permission > Azure Active Directory Graph.
    3. Enable Read directory data (Directory.Read.All) under Application permissions and Read all users’ full profiles (User.Read.All) under Delegated permissions.
      microsoft-azure-enable-access-windows.png
    4. Save your Azure Active Directory Graph API settings.
      Microsoft has deprecated the Azure Active Directory Graph API in favor of Microsoft Graph, so this option may not be offered in newer tenants.
  4. Grant application and delegated permissions.
    1. Click the Display name of the registered app.
    2. Select Grant admin consent for Default Directory.
      A confirmation window asks whether to grant the permissions for all accounts in the current directory. Select Yes to grant them.
      microsoft-azure-grant-permissions.png
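Before granting admin consent it is worth confirming that the registration actually requests the Microsoft Graph permissions listed above, since the portal shows display names ("Read all users’ full profiles") while the manifest stores permission IDs. The following Python preflight is an added example, not part of the Prisma SaaS documentation or product. It resolves permission names to IDs from the Microsoft Graph service principal (`az ad sp show --id 00000003-0000-0000-c000-000000000000`) rather than hard-coding GUIDs, then diffs them against the app manifest (`az ad app show --id <APP_ID>`). The sample JSON, its GUIDs and the function names below are constructed placeholders; only the Microsoft Graph app ID and the permission names User.Read.All / Directory.Read.All are real.

```python
"""Preflight for the Microsoft Graph API permissions on the Prisma SaaS app registration.

Added example, not part of the Prisma SaaS documentation. Inputs are the JSON
printed by:
    az ad sp show --id 00000003-0000-0000-c000-000000000000   (Microsoft Graph SP)
    az ad app show --id <APP_ID>                              (your registration)
"""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app ID

# "Read all users' full profiles" is the display name of User.Read.All. The
# page asks for it as both an Application ("Role") and a Delegated ("Scope")
# permission.
REQUIRED = {"Role": {"User.Read.All"}, "Scope": {"User.Read.All"}}

# Constructed sample of the Graph service principal (trimmed). The GUIDs are
# placeholders, not the real permission IDs; use the values from your tenant.
SAMPLE_GRAPH_SP = json.dumps({
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    ],
    "oauth2PermissionScopes": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "value": "User.Read"},
    ],
})

# Constructed sample app manifest: only the delegated permission was added.
SAMPLE_APP = json.dumps({
    "appId": "cccccccc-0000-0000-0000-000000000003",
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]},
    ],
})


def permission_ids(sp_json):
    """Map {"Role": {name: id}, "Scope": {name: id}} from a service principal."""
    sp = json.loads(sp_json)
    return {
        "Role": {r["value"]: r["id"] for r in sp.get("appRoles", [])},
        "Scope": {s["value"]: s["id"] for s in sp.get("oauth2PermissionScopes", [])},
    }


def requested_permissions(app_json, resource_app_id, ids):
    """Permission names the manifest requests on one resource, keyed by type."""
    names_by_id = {typ: {pid: name for name, pid in m.items()} for typ, m in ids.items()}
    found = {"Role": set(), "Scope": set()}
    for rra in json.loads(app_json).get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != resource_app_id:
            continue
        for access in rra.get("resourceAccess", []):
            name = names_by_id.get(access["type"], {}).get(access["id"])
            if name:  # IDs the service principal does not publish are ignored, not trusted
                found[access["type"]].add(name)
    return found


def missing_permissions(required, requested):
    """Required names not present in the manifest, per permission type."""
    return {typ: names - requested.get(typ, set()) for typ, names in required.items()}


def add_permission_commands(app_id, resource_app_id, ids, missing):
    """One `az ad app permission add` line per gap. Adding a permission does
    not consent to it; admin consent remains a separate step."""
    return [
        f"az ad app permission add --id {app_id} --api {resource_app_id} "
        f"--api-permissions {ids[typ][name]}={typ}"
        for typ in sorted(missing)
        for name in sorted(missing[typ])
    ]


if __name__ == "__main__":
    ids = permission_ids(SAMPLE_GRAPH_SP)
    requested = requested_permissions(SAMPLE_APP, GRAPH_APP_ID, ids)
    missing = missing_permissions(REQUIRED, requested)
    for typ, names in missing.items():
        print(f"missing {typ}: {sorted(names) or 'none'}")
    for cmd in add_permission_commands("cccccccc-0000-0000-0000-000000000003", GRAPH_APP_ID, ids, missing):
        print(cmd)
```

Run against the sample, the check reports that the Application permission is missing and prints the `az ad app permission add` line that adds it. After consenting in the portal (or with `az ad app permission admin-consent --id <APP_ID>`), `az ad app permission list-grants --id <APP_ID>` shows the delegated grants that were actually consented; the manifest alone only tells you what was requested.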

Retrieve Required Information from AAD Application

Now that you’ve registered your AAD application, you must retrieve the following information to complete the setup of the Microsoft Azure Storage app on Prisma SaaS. Additionally, to generate the Application Key, you need to create the key as outlined in the final step below.
  • Application (client) ID
  • Directory (tenant) ID
  • Application Key
  1. Log in to Microsoft Azure.
  2. (Application ID) Select the registered app, then view and copy the Application (client) ID to enter during app installation.
    microsoft-azure-application-id.png
  3. (Directory ID) Select Azure Active Directory > Properties. Copy the Directory (tenant) ID to enter during app installation.
    microsoft-azure-directory-id.png
  4. (Application Key) Add and copy the key:
    1. From the registered application, select Certificates & secrets > New client secret, provide a description, set the expiry to Never, then Add the key.
      microsoft-azure-enter-key.png
      The key value is the Application Key to enter during app installation; it is displayed once, after the key is saved.
    2. Copy this value now, because you cannot retrieve the key later.
      A secret that never expires is never rotated. If your tenant does not permit a non-expiring secret, choose the longest allowed duration and track the expiry date so that you can issue a new secret and update the Prisma SaaS app before the old one lapses.
    microsoft-azure-copy-app-key.png

Enable Iterative Scanning Service

Prisma SaaS can continuously scan for Azure Storage subscriptions and accounts to identify and report any new accounts, activities, and events with the iterative scanning service. The service also scans and identifies users assigned to subscriptions, resources, groups, containers and storage accounts.
To enable iterative scanning on Prisma SaaS, configure the diagnostic settings in Azure for each storage account.
  1. Select the storage account on which to configure the diagnostic settings.
  2. Select Monitor > Diagnostic settings. If it is not already enabled, set the status to On.
  3. Select the Metrics and Logging data to collect for each service you wish to monitor, and set the retention policy for the data by moving the retention (days) slider between 1 and 365.
  4. Save your monitoring configuration.
    microsoft-azure-diagnostic-settings.png

Add the Microsoft Azure Storage App

To begin scanning a Microsoft Azure Storage app:
  1. (Recommended) Add your Microsoft Azure Storage domain as an internal domain.
  2. From the Prisma SaaS Dashboard, Add a Cloud App.
  3. Select Microsoft Azure Storage.
    microsoft-azure-tile-frame.png
  4. Configure your Microsoft Azure Storage settings.
    1. Click Connect to Account.
    2. Enter the Directory ID, Application ID, and Application Key you recorded in the previous steps.
    3. Click Next.
    microsoft-azure-connect-acount-to-ps.png
  5. Select the Azure subscriptions to monitor.
    1. Enable each Subscription to scan from the discovered list, or select Automatically scan all new subscriptions.
    2. Click Next.
    microsoft-azure-select-subscriptions.png
  6. Review the initial scan discoveries and complete the Azure Storage app installation.
    Select View Details on the discovered containers to review the discoveries and decide whether to proceed with scanning:
    • To scan all discovered containers, enable Scan all current and any new containers and then Save your scan setting.
    • To scan individual containers and subscriptions, select the items to scan and then Save your scan setting.
    • If you do not want to scan the discovered containers, select Cancel to abort the installation.
    Saving adds the Azure Cloud Storage app to the list of Cloud Apps.
  7. (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
    1. Select the Azure Cloud Storage link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of the Azure Cloud Storage app from other instances you are managing.
  8. Start scanning the new Azure Cloud Storage app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Azure Cloud Storage app, select Actions > Start Scanning.
      The status changes to Scanning. Prisma SaaS starts scanning all assets in the associated Azure Cloud Storage app and begins identifying incidents. Depending on the number of Azure assets, it may take some time for the service to discover all assets and users. However, as soon as this information starts populating the Prisma SaaS Dashboard, you can begin to Assess Incidents.
  9. During the discovery phase, Prisma SaaS scans files and matches them against the enabled default policy rules.
    Verify that your default policy rules are effective. If the results do not capture all risks, or you see false positives, improve the results.
    (Optional) To view the status of the Subscriptions and Containers being scanned, select Settings > Cloud Apps & Scan Settings. Select an Azure Storage app from the list of Cloud Apps and expand Subscriptions and Containers to view the scan details.
    microsoft-azure-view-subscription-status.png

Identify Risks

When you add a new cloud app, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. (
    Optional
    ) Modify match criteria for existing policy rules.
  2. (
    Optional
    ) Add new policy rules.
    Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
  3. (
    Optional
    ) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.

Fix Microsoft Azure Storage App Onboarding Issues

The most common issues related to onboarding a Microsoft Azure Storage app are as follows:
  • Symptom: Scan results for subscriptions and containers do not display in Prisma SaaS.
    Explanation: Prisma SaaS cannot discover containers without the correct permissions.
    Solution: Create the AAD application and associate it with the required roles under each subscription, as outlined in Create Your AAD Application.
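The role assignments described in Create Your AAD Application are the usual cause of the symptom above, so a preflight that diffs what the service principal actually holds against what the page requires saves a round trip through the portal. The Python below is an added example, not part of the Prisma SaaS documentation or product. It assumes you have run `az login` and captured `az role assignment list --assignee <APP_ID> --all -o json` for the application; it honours RBAC scope inheritance, so a role granted at subscription scope satisfies every storage account inside it. The subscription IDs, storage account resource IDs, sample assignments and function names are constructed placeholders; the two role names and the `az` commands are real.

```python
"""Preflight for the Azure RBAC roles the Prisma SaaS AAD application needs.

Added example, not part of the Prisma SaaS documentation. Input is the JSON
printed by `az role assignment list --assignee <APP_ID> --all -o json` for the
application's service principal. IDs and sample data below are constructed.
"""
import json

READER = "Reader"
KEY_OPERATOR = "Storage Account Key Operator Service Role"

# Constructed placeholder subscriptions and storage account resource IDs.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
STORAGE_ACCOUNTS = [
    f"/subscriptions/{SUB_A}/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprodeast",
    f"/subscriptions/{SUB_B}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogswest",
]

# Constructed sample: an application that was only set up on the first subscription.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": READER, "scope": f"/subscriptions/{SUB_A}",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": KEY_OPERATOR, "scope": STORAGE_ACCOUNTS[0],
     "principalType": "ServicePrincipal"},
])


def required_assignments(subscription_ids, storage_account_ids=()):
    """(role, scope) pairs the page calls for: Reader on every subscription to
    scan, and the key-operator role on each storage account (or, when no
    storage accounts are listed, on the whole subscription)."""
    required = set()
    for sub in subscription_ids:
        required.add((READER, f"/subscriptions/{sub}"))
        if not storage_account_ids:
            required.add((KEY_OPERATOR, f"/subscriptions/{sub}"))
    for account_id in storage_account_ids:
        required.add((KEY_OPERATOR, account_id))
    return required


def granted_assignments(assignment_json):
    """(role, scope) pairs from `az role assignment list` output."""
    return {(a["roleDefinitionName"], a["scope"]) for a in json.loads(assignment_json)}


def scope_covers(granted_scope, required_scope):
    """Azure RBAC inherits down the resource hierarchy and scopes are
    case-insensitive. The match must land on a path boundary so that
    /subscriptions/1111 does not cover /subscriptions/11112."""
    g = granted_scope.lower().rstrip("/")
    r = required_scope.lower().rstrip("/")
    return r == g or r.startswith(g + "/")


def missing_assignments(required, granted):
    """Required pairs for which no granted assignment of the same role covers the scope."""
    return {
        (role, scope) for role, scope in required
        if not any(g_role == role and scope_covers(g_scope, scope)
                   for g_role, g_scope in granted)
    }


def remediation_commands(app_id, missing):
    """One `az role assignment create` per gap; --assignee accepts the application ID."""
    return [
        f'az role assignment create --assignee {app_id} --role "{role}" --scope {scope}'
        for role, scope in sorted(missing)
    ]


if __name__ == "__main__":
    required = required_assignments([SUB_A, SUB_B], STORAGE_ACCOUNTS)
    missing = missing_assignments(required, granted_assignments(SAMPLE_ASSIGNMENTS))
    if not missing:
        print("all required role assignments present")
    for cmd in remediation_commands("<APP_ID>", missing):
        print(cmd)
```

On the sample data the check reports two gaps (Reader on the second subscription and the key-operator role on the storage account in it) and prints the `az role assignment create` lines that close them. If the application has no service principal yet, `az ad sp create --id <APP_ID>` creates it; the role assignment is made to that principal, not to the bare registration.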
