Cloud Storage Security Help Docs

Linking an Azure Account

Linking an Azure account to ingest Blobs is similar to linking an AWS account.


Last updated 1 month ago

The video below details how you can link your Azure account to scan files stored in your Azure Blobs:

You can also follow the steps and information below:

You'll need to perform the following steps to link an Azure account and begin scanning your Azure Blobs:

  1. Create a new user managed identity in the Azure portal

  2. Assign the new identity permissions to create an Application Registration

  3. Run our CSS Bicep Template

  4. Link the account

Create a new user managed identity in the Azure Portal

  1. Create a Resource Group for Service Principal

    1. Go to Resource Group

    2. Add New

    3. Add a Resource Group Name (name it whatever you'd like)

    4. Click Create

  2. Create Managed Identity for Service Principal

    1. Navigate to the newly created resource group

    2. Click +Create

    3. Search for Managed Identity in Marketplace

    4. Find User Assigned Managed Identity

    5. Click Create

      1. Add Name (name it whatever you'd like)

      2. Click Create

Assign the new identity permissions to create an Application Registration

First make sure to copy your Resource ID.

  1. Go to the Resource Group created above

    1. Click Overview

    2. Select the created Managed Identity from Step 3

    3. Click the JSON View link in the top-right

    4. Copy the full Resource Id from the JSON View

  2. Add Application Administrator permissions

    1. In a new browser tab, navigate to Entra ID

    2. Open the Manage menu on the left

    3. Select Roles and Administrators

    4. Find Application Administrator Role and click on it

    5. Click +Add Assignments

    6. Search and select the created Managed Identity and add it

You will have to enter the name of the Managed Identity in the search bar.

Run the CSS Bicep template

For this part we recommend using VS Code to edit and run your Bicep template.

  1. Open the Deployment.bicepparam file in your editor of choice

  2. Update the following parameters:

  • Location - the region in which the LinkedAccount resources should be created (e.g. eastus)

  • CSS App Id - your deployment's application ID

  • userManagedIdentityId - ID of the user managed identity created earlier

After that, save your changes, go to your terminal, log in using az login, and run the following command:

az stack sub create --name <your_stack_name> -l <location (e.g. eastus)> --template-file AzureLinkedAccount.bicep --parameters Deployment.bicepparam --deny-settings-mode none --action-on-unmanage deleteAll

Link the Account

Enter the following parameters, taken from the link account Bicep template output of the above command:

  • Tenant ID

  • Subscription ID

  • App Registration Client ID

  • App Registration Secret

Optionally, enter a nickname for this account (e.g. "Testing"). If you do not enter one, it will be set to the Subscription ID.

Click the "Test Credentials" button. If the credentials are invalid, check the values entered and correct them. Then, test the credentials again.

Finally, click the "Link Account" button.
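A pre-flight check for the values copied in the steps above (the managed identity Resource Id that goes into Deployment.bicepparam, and the four values entered when linking the account). This is an added example, not part of the product or its templates; every function and variable name in it is hypothetical, and it only checks the shape of each value, not whether it is valid in your tenant.

```shell
#!/bin/sh
# Added example (not vendor code): shape checks for values copied while linking
# an Azure account. All function and variable names here are hypothetical.

GUID='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Succeeds when the whole of $1, a single line, matches ERE $2 (case-insensitive).
matches() {
  [ $(printf '%s' "$1" | wc -l) -eq 0 ] || return 1
  printf '%s\n' "$1" | grep -Eiq "^($2)\$"
}

# Tenant ID, Subscription ID and App Registration Client ID are all GUIDs.
is_guid() { matches "$1" "$GUID"; }

# Full Resource Id of a user-assigned managed identity, as shown in JSON View.
# Rejects the identity's client/principal ID and the resource group's own ID.
is_identity_resource_id() {
  matches "$1" "/subscriptions/$GUID/resourceGroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+"
}

# A secret value is an opaque string with no whitespace; a bare GUID in this
# field usually means the secret's ID was pasted instead of its value.
looks_like_secret_value() {
  [ -n "$1" ] && ! is_guid "$1" && matches "$1" '[^[:space:]]+'
}

# args: tenant_id subscription_id client_id secret identity_resource_id
# Prints one line per problem (never the secret); returns the problem count.
check_link_values() {
  n=0
  is_guid "$1" || { echo "Tenant ID is not a GUID"; n=$((n+1)); }
  is_guid "$2" || { echo "Subscription ID is not a GUID"; n=$((n+1)); }
  is_guid "$3" || { echo "App Registration Client ID is not a GUID"; n=$((n+1)); }
  looks_like_secret_value "$4" || { echo "App Registration Secret is empty, a GUID, or has whitespace"; n=$((n+1)); }
  is_identity_resource_id "$5" || { echo "userManagedIdentityId is not a managed identity Resource Id"; n=$((n+1)); }
  return "$n"
}

# Runs only when the values are supplied in the environment, which keeps the
# secret out of the process argument list.
if [ -n "${CSS_LINK_IDENTITY_ID:-}" ]; then
  check_link_values "${CSS_LINK_TENANT:-}" "${CSS_LINK_SUBSCRIPTION:-}" \
    "${CSS_LINK_CLIENT:-}" "${CSS_LINK_SECRET:-}" "$CSS_LINK_IDENTITY_ID"
fi
```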

Check that your Blobs are being ingested into your Management Console

Navigate to Protection > Azure > Blob Containers and verify that your Azure Blobs have been ingested.

After this you're ready to start protecting your Azure Blobs.

Navigate to Azure Portal (portal.azure.com) and log in

Download the provided .zip file and extract it