Linking an Azure Account
Linking an Azure account to ingest Blobs is similar to linking an AWS account.
There are two ways to link an Azure account: via Terraform or via Bicep. We recommend deploying with our Terraform template. This guide presupposes the following:
The Azure CLI is installed and logged in with credentials for the target tenant and subscription
The CSS Application has been installed
The Azure Portal is accessible
Deploying Via Terraform
You'll need to perform the following steps to link an Azure account with Terraform:
Download the required Terraform template here
Modify the 'main.tf' file to add your CSS Application ID
Fill in optional variables
Run the Template
Test the credentials in the CSS Console
Link the account
Download the Terraform Template
In your CSS Console, navigate to Access Management > Manage Accounts > Link Account > Link Azure Account.
Download the template file located under point 1 in the instructions.
Capture the css_application_id located under point 2 in the instructions for the next step.
Leave this page open; we will fill out the form with the Terraform output variables after deploying.
Modify the main.tf file
Unzip the file downloaded in the previous step and open the files in the text editor of your choice.
Locate and open the main.tf file. Under the css_application_id parameter, enter the value captured in the last section.

Fill in optional Terraform variables
There are three main ways you can modify the Terraform files to configure the deployment to your specific needs.
Deployment Location: by default, the deployment stands up resources in the eastus region. That can be modified in the terraform.tf file by changing the default value of the location variable to the region of your choice:

    variable "location" {
      description = "The location of the resources created for the Project"
      type        = string
      default     = "eastus"
    }

Terraform Backend: by default, the state is stored locally on the machine running terraform apply. The backend can be changed by adding a backend block. Read more in Terraform's documentation here. Note that the Terraform state file will contain the app registration secret in plaintext, so keep terraform.tfstate out of version control and prefer a remote backend with restricted access.
Tenant ID: by default, the tenant ID is taken from the user making the Terraform calls. The Azure CLI detects the default subscription and tenant, which can be changed on the command line. If desired, the tenant ID can also be set in terraform.tf in the provider "azuread" {} block.
Initiate and Deploy the Terraform stack
Log in to the Azure CLI with az login and select the subscription and tenant of choice.
Run terraform init
Run terraform validate to confirm there are no syntax errors
Run terraform plan to see which resources will be deployed
Run terraform apply and enter yes when Terraform asks whether you want to perform the above actions.
After deployment, run terraform output -json to access all the output variables. Capture the entire output, including the surrounding braces, for the next step. Note that terraform output -json prints sensitive outputs such as the app registration secret in plaintext, so do not save this output to a shared location or paste it anywhere other than the CSS Console form.
Input Terraform output variables into the CSS Console
Paste the entire output captured in the previous step into the 'Terraform Output' field. The values should populate automatically. If not, enter the values manually.

Select the Group or Groups which this linked account should belong to.
Click 'Test Credentials' to confirm they are valid. If successful, you will see the message 'The provided credentials are valid!'
Select 'Link Account'. Congratulations, you have now linked your Azure account through Terraform!
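The form above consumes the output of terraform output -json, and the Bicep path in the next section asks for the same four values (Tenant ID, Subscription ID, App Registration Client ID, App Registration Secret). The following Python script is an added example, not code from the CSS Terraform or Bicep templates: it flattens a terraform output -json document, checks that the four values the Link Account form needs are present and that the three identifiers are GUIDs, records which outputs Terraform marks sensitive (terraform output -json prints them in the clear), and produces a redacted copy that is safe to log. The output names tenant_id, subscription_id, client_id and client_secret and the sample values are assumptions; the page does not list the names the template actually exports, so adapt REQUIRED to your deployment.

```python
import json
import uuid

# Output names below are assumptions for this example: the page does not list
# the names the CSS Terraform template actually exports, so adapt REQUIRED to
# match what `terraform output` shows on your deployment.
REQUIRED = {
    "tenant_id": "Tenant ID",
    "subscription_id": "Subscription ID",
    "client_id": "App Registration Client ID",
    "client_secret": "App Registration Secret",
}
GUID_FIELDS = ("tenant_id", "subscription_id", "client_id")

# Constructed sample of `terraform output -json` (the real shape: one entry per
# output with "sensitive", "type" and "value"). All values are placeholders.
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    "tenant_id": {"sensitive": False, "type": "string",
                  "value": "11111111-2222-3333-4444-555555555555"},
    "subscription_id": {"sensitive": False, "type": "string",
                        "value": "66666666-7777-8888-9999-aaaaaaaaaaaa"},
    "client_id": {"sensitive": False, "type": "string",
                  "value": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"},
    "client_secret": {"sensitive": True, "type": "string",
                      "value": "example-secret-not-real"},
})


def parse_terraform_output(raw: str) -> dict:
    """Flatten `terraform output -json` into {output_name: value}."""
    return {name: entry["value"] for name, entry in json.loads(raw).items()}


def sensitive_outputs(raw: str) -> set:
    """Names of outputs Terraform marks sensitive. `terraform output -json`
    still prints their values in the clear, so the caller must treat them
    as secrets (no logs, no tickets, no chat)."""
    return {name for name, entry in json.loads(raw).items()
            if entry.get("sensitive")}


def is_guid(value) -> bool:
    """True if value parses as a GUID (tenant, subscription and client IDs)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_link_values(values: dict) -> list:
    """Return a list of problems; an empty list means the form can be filled in."""
    problems = []
    for key, label in REQUIRED.items():
        if not values.get(key):
            problems.append(f"missing {label} ({key})")
        elif key in GUID_FIELDS and not is_guid(values[key]):
            problems.append(f"{label} ({key}) is not a GUID")
    return problems


def redact(values: dict) -> dict:
    """Copy of the values that is safe to print or log: the secret is masked."""
    safe = dict(values)
    if safe.get("client_secret"):
        safe["client_secret"] = "<redacted>"
    return safe


if __name__ == "__main__":
    outputs = parse_terraform_output(SAMPLE_TERRAFORM_OUTPUT)
    for problem in check_link_values(outputs):
        print("problem:", problem)
    print("sensitive outputs:", sorted(sensitive_outputs(SAMPLE_TERRAFORM_OUTPUT)))
    print(json.dumps(redact(outputs), indent=2))
```

Run it against the real output by replacing SAMPLE_TERRAFORM_OUTPUT with the captured JSON; if check_link_values reports a problem, fix the template output or the pasted value before clicking 'Test Credentials' rather than retrying the form.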
Deploying Via Bicep
The video below details how you can link your Azure account to scan files stored in your Azure Blobs using the Bicep template. You can also follow the steps and information below.
You'll need to perform the following steps to link an Azure account and begin scanning your Azure Blobs:
Create a new user managed identity in the Azure portal
Assign the new identity permissions to create an Application Registration
Run our CSS Bicep Template
Link the account
Create a new user managed identity in the Azure Portal
Navigate to Azure Portal (portal.azure.com) and login
Create a Resource Group for Service Principal
Go to Resource Group
Add New
Add a Resource Group Name (name it whatever you'd like)
Click Create
Create Managed Identity for Service Principal
Navigate to the newly created resource group
Click +Create
Search for Managed Identity in the Marketplace
Find User Assigned Managed Identity
Click Create
Add Name (name it whatever you'd like)
Click Create

Assign the new identity permissions to create an Application Registration
First make sure to copy your Resource ID.
Go to the Resource Group created above
Click Overview
Select the created Managed Identity from Step 3
Click the JSON View link in the top-right
Copy the full Resource Id from the JSON View
Add Application Administrator permissions
In new browser tab navigate to Entra ID
Open the Manage menu on the left
Select Roles and Administrators
Find Application Administrator Role and click on it
Click +Add Assignments
Search for and select the created Managed Identity, then add it. Application Administrator is a privileged directory role that lets the identity create and manage credentials for any application registration in the tenant, so assign it only to this identity and consider removing the assignment once the stack has deployed (re-add it before updating or deleting the stack).
Run the CSS Bicep template
For this part we recommend using VS Code to edit and run your Bicep template.
Download the provided .zip file here and extract it
Open the Deployment.bicepparam file in your editor of choice and update the following parameters:
Location - the region in which the LinkedAccount resources should be created (e.g. eastus)
CSS App Id - your deployment's application ID
userManagedIdentityId - the full Resource ID of the user managed identity copied earlier
Save your changes, go to your terminal, log in using az login, and run the following command:
az stack sub create --name <your_stack_name> -l <location (e.g. eastus)> --template-file AzureLinkedAccount.bicep --parameters Deployment.bicepparam --deny-settings-mode none --action-on-unmanage deleteAll
Note that --action-on-unmanage deleteAll means deleting the stack (or removing a resource from the template) also deletes the resources it created, including the app registration, and --deny-settings-mode none leaves those resources unprotected from changes made outside the stack.
Link the Account
In the Link Azure Account form, enter the following values from the Bicep template output of the command above:
Tenant ID
Subscription ID
App Registration Client ID
App Registration Secret

Click the "Test Credentials" button. If the credentials are invalid, check the values entered and correct them. Then, test the credentials again.
Finally, click the "Link Account" button.
Check that your Blobs are being ingested into your Management Console
Navigate to Protection > Azure > Blob Containers and verify we have ingested your Azure Blobs.

After this you're ready to start protecting your Azure Blobs.