Linking an Azure Account

Linking an Azure account to ingest Blobs is similar to linking an AWS account.

You'll need to perform the following steps to link an Azure account and begin scanning your Azure Blobs:

Create a new user managed identity in the Azure portal
Assign the new identity permissions to create an Application Registration
Run our CSS Bicep Template
Link the account

Create a new user managed identity in the Azure Portal

Navigate to Azure Portal (portal.azure.com) and login
Create a Resource Group for Service Principal
1. Go to Resource Group
2. Add New
3. Add a Resource Group Name (name it whatever you'd like)
4. Click Create
Create Managed Identity for Service Principal
1. Navigate to the newly created resource group
2. Click +Create
3. Search for Managed Identity in Marketplace
4. Find User Assigned Managed Identity
Click Create
Add Name (name it whatever you'd like)
Click Create

Assign the new identity permissions to create an Application Registration

First make sure to copy your Resource ID.

Go to the Resource Group created above
1. Click Overview
2. Select the created Managed Identity from Step 3
3. Click the JSON View link in the top-right
4. Copy the full Resource Id from the JSON View
Add Application Administrator permissions
1. In new browser tab navigate to Entra ID
2. Open the Manage menu on the left
3. Select Roles and Administrators
4. Find Application Administrator Role and click on it
5. Click +Add Assignments
6. Search and select the created Managed Identity and add it

You will have to enter the name of the Managed Identity in the search bar.

Run the CSS Bicep template

For this part we recommend using VS Code to edit and run your Bicep template.

Download the provided .zip file here and extract it
Open the Deployment.bicepparam file in your editor of choice
Update the following parameters:

Location - (region) in which the LinkedAccount resources should be created (e.g. eastus)
CSS App Id - your deployment's application ID
userManagedIdentityId - ID of the user managed identity created earlier

After that, Save your changes, go to your terminal and login using az login and run the following command:

az stack sub create --name <your_stack_name> -l <location (e.g. eastus)> --template-file AzureLinkedAccount.bicep --parameters Deployment.bicepparam --deny-settings-mode none --action-on-unmanage deleteAll

Link the Account

Enter the following parameters of the link account Bicep template output from the above command:

Tenant ID
Subscription ID
App Registration Client ID
App Registration Secret

Optionally, enter a nickname for this account (i.e. "Testing"). If you do not enter one, it will be set to the Subscription ID.

Click the "Test Credentials" button. If the credentials are invalid, check the values entered and correct them. Then, test the credentials again.

Finally, click the "Link Account" button.

Check that your Blobs are being ingested into your Management Console

Navigate to Protection > Azure > Blob Containers and verify we have ingested your Azure Blobs.

After this you're ready to start protecting your Azure Blobs.

PreviousLinking an AWS Account NextLinking a GCP Account

Last updated 2 months ago