Create an Azure app for Deep Security

In your operating environment, it may not be desirable to allow the Deep Security Manager to access Azure resources with an account that has both the Global Administrator role for the Azure Active Directory and the Subscription Owner role for the Azure subscription. As an alternative, you can create an Azure app for the Deep Security Manager that provides read-only access to Azure resources.

To create an Azure app, your account must have been assigned the User Administrator role for the Azure Active Directory and the User Access Administrator role for the Azure subscription.

To do this, you will need to:

  1. Record the Azure Active Directory ID.
  2. Create the Azure app.
  3. Record the Azure app ID and password.
  4. Record the Subscription ID.
  5. Assign the Azure app a reader role and add it to your Azure Subscription.

Record the Azure Active Directory ID

  1. On the Hub menu, click Azure Active Directory and select your Azure Active Directory.
  2. In the Azure Active Directory blade, click Properties.
  3. Record the Directory ID.

Create the Azure app

  1. In the Azure Active Directory blade, click App registrations.
  2. Click Add.
  3. Enter a Name (for example, Deep Security Azure Connector).
  4. For the Application Type, select Web app/API.
  5. Enter a Sign-on URL. The URL can be any value, but it must begin with the http prefix.

    You must enter a URL in the Sign-on URL field, even though it is not used by Deep Security Azure integration. The value does not need to resolve to a valid address.

  6. Click Create.

    The Deep Security Azure Connector app will appear in the App registrations list.

Record the Azure app ID and password

  1. In the App registrations list, click on the Deep Security Azure Connector.
  2. Record the Application ID.
  3. Click on All settings.
  4. On the Settings blade, click Keys.
  5. Enter a Description for the key.
  6. Select an appropriate Duration.
  7. Click Save.

    The key Value will appear.

  8. Record the key Value. This will be used as the Application Password when registering the Azure app with Deep Security.

Record the Subscription ID

  1. On the Hub menu, click Subscriptions, then select the subscription to which you will add the Deep Security Azure Connector app.
  2. Record the Subscription ID.

Assign the Azure app a reader role and add it to your Azure Subscription

  1. In the Subscriptions blade, click on Access Control (IAM).
  2. Click Add.
  3. Click on the Reader role.
  4. Select the Deep Security Azure Connector app. If it is not already in the list, enter it in the search field and select it when it appears.
  5. Click OK.
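The same result can be produced with the Azure CLI instead of the portal. The script below is an added example, not part of the Deep Security documentation: it creates the app registration and service principal, issues the key (the Application Password), grants Reader on the subscription, and then checks that the connector holds no role beyond Reader. It assumes the `az` CLI is installed and logged in with an account holding the roles named above; APP_NAME and SUBSCRIPTION_ID are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the Deep Security docs): Azure CLI equivalent of the
# portal procedure. Assumes "az" is installed and logged in with an account that
# has the User Administrator and User Access Administrator roles.
set -eu

APP_NAME="${APP_NAME:-Deep Security Azure Connector}"   # placeholder name
READONLY_ROLE="Reader"

# Scope string for a subscription-level role assignment.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# Read role names (one per line) and fail if anything other than Reader is
# present, so an accidental Owner/Contributor grant is caught before the
# Application Password is handed to the Deep Security Manager.
only_reader() {
  local role bad=0
  while IFS= read -r role; do
    [ -z "$role" ] && continue
    if [ "$role" != "$READONLY_ROLE" ]; then
      echo "unexpected role on connector: $role" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Create the app + service principal, issue a secret, grant Reader, verify.
create_connector() {
  local sub_id="$1" tenant_id app_id secret roles
  tenant_id=$(az account show --query tenantId -o tsv)          # Directory ID
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null                      # service principal
  secret=$(az ad app credential reset --id "$app_id" --years 1 \
             --query password -o tsv)                            # Application Password
  az role assignment create --assignee "$app_id" --role "$READONLY_ROLE" \
    --scope "$(subscription_scope "$sub_id")" >/dev/null
  roles=$(az role assignment list --assignee "$app_id" --all \
            --query '[].roleDefinitionName' -o tsv)
  printf '%s\n' "$roles" | only_reader                           # least-privilege check
  printf 'Directory ID: %s\nApplication ID: %s\nSubscription ID: %s\n' \
    "$tenant_id" "$app_id" "$sub_id"
  printf 'Application Password: %s\n' "$secret"   # shown once; store it in a secrets manager
}

if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  create_connector "$SUBSCRIPTION_ID"
fi
```

Run it as `SUBSCRIPTION_ID=<your subscription ID> ./create-connector.sh`; the four values it prints are the ones the "Add a Microsoft Azure account" procedure asks for.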

You can now continue configuring Deep Security to add Azure virtual machines by following the remaining steps of the Advanced procedure in Add a Microsoft Azure account to Deep Security.