Linking an Azure Account

Linking an Azure account to ingest Blobs is similar to linking an AWS account.

There are two ways to link an Azure account: via Terraform or via Bicep. We recommend deployment via our Terraform template. This guide presupposes the following:

  • The Azure CLI is installed with the correct credentials

  • The CSS Application has been installed

  • The Azure Console is accessible

Deploying Via Terraform

You'll need to perform the following steps to link an Azure account with Terraform:

  1. Download the required Terraform template here

  2. Modify the 'main.tf' file to add your CSS Application ID

  3. Fill in optional variables

  4. Run the Template

  5. Test the credentials in the CSS Console

  6. Link the account

Download the Terraform Template

  1. In your CSS Console, navigate to Access Management > Manage Accounts > Link Account > Link Azure Account. You should see a page like this.

  2. Download the template file located under point 1 in the instructions.

  3. Capture the css_application_id located under point 2 in the instructions for the next step.

  4. Leave this page open; after deploying, you will fill out this form with the Terraform output variables.

Modify the main.tf file

  1. Unzip the file downloaded from the previous step and open the files in the text editor of your choice.

  2. Locate and open the main.tf file. Under the css_application_id parameter, enter the value captured in the last section.

Fill in optional Terraform variables

There are 3 main ways you can modify the Terraform files to configure the deployment to your specific needs.

  1. Deployment Location: by default, the deployment stands up resources in the eastus region. That can be modified in the terraform.tf file by changing the default value to the region of your choice:

       variable "location" {
         description = "The location of the resources created for the Project"
         type        = string
         default     = "eastus"
       }

  2. Terraform Backend: by default, the backend is the machine that is running Terraform apply. The backend can be changed by adding a backend block. Read more from Terraform's documentation here.

  3. Tenant ID: by default, the tenant ID is set by the user making the Terraform calls. The AZ CLI detects the default subscription and tenant, which can be modified in the command line. If desired, the tenant ID can also be set in terraform.tf in the provider "azuread"{} block.
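The three customizations above, shown together in a single self-contained terraform.tf. This is an added example, not the terraform.tf shipped in the CSS template; in the real template you would merge these blocks into the existing terraform {} and provider blocks rather than duplicate them. The backend resource group, storage account, container, and tenant ID values are placeholders you replace with your own.

```hcl
# Added example (not the CSS template's own terraform.tf): the three optional
# customizations from this section in one file. Storage names and the tenant
# ID are assumed placeholders for your own environment.
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }

  # 2. Terraform Backend: keep state in an Azure Storage container instead of
  # on the machine running `terraform apply`. The state file holds every
  # output value you later paste into the CSS Console, including credentials,
  # so restrict access to this container as you would any secret store.
  # The storage account and container must exist before `terraform init`.
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"   # assumed placeholder
    storage_account_name = "sttfstateexample"     # assumed placeholder
    container_name       = "tfstate"              # assumed placeholder
    key                  = "css-linked-account.tfstate"
    use_azuread_auth     = true # authenticate with the `az login` identity, no storage key
  }
}

# 1. Deployment Location: the default is changed from eastus to another region.
variable "location" {
  description = "The location of the resources created for the Project"
  type        = string
  default     = "westeurope"
}

# 3. Tenant ID: pin the directory explicitly instead of inheriting whatever
# tenant the current `az login` session defaults to.
variable "tenant_id" {
  description = "Entra ID tenant in which the linked-account app registration is created"
  type        = string
  default     = "00000000-0000-0000-0000-000000000000" # assumed placeholder
}

provider "azuread" {
  tenant_id = var.tenant_id
}
```

Because the backend block is read during terraform init, change it before step 2 of the next section; changing it after a successful apply requires migrating the existing state with terraform init -migrate-state.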

Initiate and Deploy the Terraform stack

  1. Log in to the Azure CLI with az login and select the subscription and tenant of choice.

  2. Run terraform init

  3. Run terraform validate to confirm there are no syntax errors

  4. Run terraform plan to review the resources that will be deployed

  5. Run terraform apply and enter yes when Terraform asks whether you want to perform the above actions.

  6. After deployment, run terraform output -json to access all the output variables. Copy the entire JSON output, including the enclosing braces, for the next step.

Input Terraform output variables into the CSS Console

  1. Paste the entire output captured in the previous step into the 'Terraform Output' field. The values should populate automatically. If not, enter the values manually.

  2. Select the Group or Groups to which this linked account should belong.

  3. Click 'Test Credentials' to confirm they are valid. If successful, you will see the message 'The provided credentials are valid!'

  4. Select 'Link Account'. Congratulations, you have now linked your Azure account through Terraform!

Deploying Via Bicep

The video below details how you can link your Azure account to scan files stored in your Azure Blobs using the Bicep template:

You can also follow the steps and information below:

You'll need to perform the following steps to link an Azure account and begin scanning your Azure Blobs:

  1. Create a new user managed identity in the Azure portal

  2. Assign the new identity permissions to create an Application Registration

  3. Run our CSS Bicep Template

  4. Link the account

Create a new user managed identity in the Azure Portal

  1. Navigate to the Azure Portal (portal.azure.com) and log in

  2. Create a Resource Group for the Service Principal

    1. Go to Resource Group

    2. Add New

    3. Add a Resource Group Name (name it whatever you'd like)

    4. Click Create

  3. Create Managed Identity for Service Principal

    1. Navigate to the newly created resource group

    2. Click +Create

    3. Search for Managed Identity in Marketplace

    4. Find User Assigned Managed Identity

    5. Click Create

      1. Add a Name (name it whatever you'd like)

      2. Click Create

Assign the new identity permissions to create an Application Registration

First make sure to copy your Resource ID.

  1. Go to the Resource Group created above

    1. Click Overview

    2. Select the created Managed Identity from Step 3

    3. Click the JSON View link in the top-right

    4. Copy the full Resource Id from the JSON View

  2. Add Application Administrator permissions

    1. In a new browser tab, navigate to Entra ID

    2. Open the Manage menu on the left

    3. Select Roles and Administrators

    4. Find Application Administrator Role and click on it

    5. Click +Add Assignments

    6. Search and select the created Managed Identity and add it

You will have to enter the name of the Managed Identity in the search bar.

Run the CSS Bicep template

For this part we recommend using VS Code to edit and run your Bicep template.

  1. Download the provided .zip file here and extract it

  2. Open the Deployment.bicepparam file in your editor of choice

  3. Update the following parameters:

  • Location - (region) in which the LinkedAccount resources should be created (e.g. eastus)

  • CSS App Id - your deployment's application ID

  • userManagedIdentityId - ID of the user managed identity created earlier

After that, save your changes, go to your terminal, log in using az login, and run the following command:

az stack sub create --name <your_stack_name> -l <location (e.g. eastus)> --template-file AzureLinkedAccount.bicep --parameters Deployment.bicepparam --deny-settings-mode none --action-on-unmanage deleteAll

Back in the CSS Console, enter the following values from the Bicep template output of the above command:

  • Tenant ID

  • Subscription ID

  • App Registration Client ID

  • App Registration Secret

Optionally, enter a nickname for this account (e.g. "Testing"). If you do not enter one, it will be set to the Subscription ID.

Click the "Test Credentials" button. If the credentials are invalid, check the values entered and correct them. Then, test the credentials again.

Finally, click the "Link Account" button.

Check that your Blobs are being ingested into your Management Console

Navigate to Protection > Azure > Blob Containers and verify that your Azure Blobs have been ingested.

After this you're ready to start protecting your Azure Blobs.
