Linking an Azure Account

Linking an Azure account to ingest Blobs is similar to linking an AWS account.

The video below shows how to link your Azure account to scan files stored in your Azure Blobs:

Alternatively, follow these steps to link an Azure account and begin scanning your Azure Blobs:

  1. Create a new user managed identity in the Azure portal

  2. Assign the new identity permissions to create an Application Registration

  3. Run our CSS Bicep Template

  4. Link the account

Create a new user managed identity in the Azure Portal

  1. Navigate to the Azure Portal (portal.azure.com) and log in

  2. Create a Resource Group for Service Principal

    1. Go to Resource Group

    2. Add New

    3. Add a Resource Group Name (name it whatever you'd like)

    4. Click Create

  3. Create Managed Identity for Service Principal

    1. Navigate to the newly created resource group

    2. Click +Create

    3. Search for Managed Identity in Marketplace

    4. Find User Assigned Managed Identity

  4. Click Create

    1. Add Name (name it whatever you'd like)

    2. Click Create

Assign the new identity permissions to create an Application Registration

First make sure to copy your Resource ID.

  1. Go to the Resource Group created above

    1. Click Overview

    2. Select the created Managed Identity from Step 3

    3. Click the JSON View link in the top-right

    4. Copy the full Resource Id from the JSON View

  2. Add Application Administrator permissions

    1. In a new browser tab, navigate to Entra ID

    2. Open the Manage menu on the left

    3. Select Roles and Administrators

    4. Find Application Administrator Role and click on it

    5. Click +Add Assignments

    6. Search and select the created Managed Identity and add it

You will have to enter the name of the Managed Identity in the search bar.

Run the CSS Bicep template

For this part we recommend using VS Code to edit and run your Bicep template.

  1. Download the provided .zip file here and extract it

  2. Open the Deployment.bicepparam file in your editor of choice

  3. Update the following parameters:

  • Location - (region) in which the LinkedAccount resources should be created (e.g. eastus)

  • CSS App Id - your deployment's application ID

  • userManagedIdentityId - ID of the user managed identity created earlier

After that, save your changes, open your terminal, log in with az login, and run the following command:

az stack sub create --name <your_stack_name> -l <location (e.g. eastus)> --template-file AzureLinkedAccount.bicep --parameters Deployment.bicepparam --deny-settings-mode none --action-on-unmanage deleteAll
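
A pre-flight check for the userManagedIdentityId parameter, to run before the command above. It catches a client or principal ID pasted where the full Resource Id is required. This is an added example, not part of the provided template: it assumes Deployment.bicepparam uses standard Bicep parameter syntax (param name = 'value'), and the function names and sample values are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): validate userManagedIdentityId in a
# .bicepparam file before running `az stack sub create`.
# Assumption: the file uses standard Bicep syntax, param <name> = '<value>'.

GUID='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Succeeds only for a full ARM resource ID of a user-assigned managed identity.
# ARM IDs are case-insensitive, hence grep -i.
is_identity_resource_id() {
  printf '%s\n' "$1" | grep -Eiq \
    "^/subscriptions/$GUID/resourceGroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+\$"
}

# Prints the value assigned to userManagedIdentityId (empty if absent).
read_identity_param() {
  sed -n "s/^[[:space:]]*param[[:space:]][[:space:]]*userManagedIdentityId[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Returns 0 = ok, 1 = parameter missing/empty, 2 = bare GUID (client or
# principal ID pasted instead of the Resource Id), 3 = other malformed value.
check_bicepparam() {
  value=$(read_identity_param "$1")
  if [ -z "$value" ]; then
    echo "userManagedIdentityId is not set in $1" >&2; return 1
  elif is_identity_resource_id "$value"; then
    return 0
  elif printf '%s\n' "$value" | grep -Eiq "^$GUID\$"; then
    echo "Got a bare GUID; copy the full Resource Id from the JSON View" >&2; return 2
  fi
  echo "Not a user-assigned managed identity resource ID: $value" >&2; return 3
}

# Constructed sample (placeholder subscription, group and identity names).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
using 'AzureLinkedAccount.bicep'
param userManagedIdentityId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-example'
EOF
check_bicepparam "$SAMPLE" && echo "Deployment parameters look sane"
rm -f "$SAMPLE"
```
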

Enter the following values, taken from the output of the Bicep template deployment above:

  • Tenant ID

  • Subscription ID

  • App Registration Client ID

  • App Registration Secret

Optionally, enter a nickname for this account (e.g. "Testing"). If you do not enter one, it will be set to the Subscription ID.

Click the "Test Credentials" button. If the credentials are invalid, check the values entered and correct them. Then, test the credentials again.

Finally, click the "Link Account" button.

Check that your Blobs are being ingested into your Management Console

Navigate to Protection > Azure > Blob Containers and verify that your Azure Blobs have been ingested.

After this you're ready to start protecting your Azure Blobs.
