Create an Azure application for Deep Security

In your operating environment, it may not be desirable to allow the Deep Security Manager to access Azure resources with an account that has both the Global Administrator role for Microsoft Entra ID and the Subscription Owner role for the Azure subscription. As an alternative, you can create an Azure application for Deep Security Manager that provides read-only access to Azure resources.

If you have multiple Azure subscriptions, you can create a single Deep Security Azure application for all of them, as long as the subscriptions all connect to the same Active Directory.

To create an Azure application, you need to do the following:

  1. Assign the correct roles
  2. Create the Azure application
  3. Record the Azure app ID and Active Directory ID
  4. Record the Subscription ID
  5. Assign the Azure application a role and connector

Assign the correct roles

To create an Azure application, your account must have the User Administrator role for Microsoft Entra ID and the User Access Administrator role for the Azure subscription. Assign these roles to your Azure account before proceeding.

Create the Azure application

  1. In the Microsoft Entra ID blade, click App registrations.
  2. Click New registration.
  3. Enter a Name (for example, Deep Security Azure Connector).
  4. For the Supported account types, select Accounts in this organizational directory only.
  5. Click Register.

    The Azure application appears in the App registrations list with the Name you provided.

Record the Azure app ID and Active Directory ID

  1. In the App registrations list, click the Azure application.
  2. Record the Application (client) ID.
  3. Record the Directory (tenant) ID.

Create an application secret or upload the application certificate

  1. On the Certificates & secrets tab, select the type of the application credential to use:
    • Option 1: Client secrets (application password)
    • Option 2: Certificate

    You can create multiple application credentials in Azure, but Deep Security Manager only requires one credential (either the application secret or the application certificate) for the Azure account.

  2. Follow the procedure for either Option 1 or Option 2 (below) depending on the type of credential you want to use.

Option 1: Create client secrets (application password)

  1. Click New client secret.
  2. Enter a Description for the client secret.
  3. Select an appropriate Duration. The client secret expires after this time.
  4. Click Add.

    The client secret Value appears.

  5. Record the client secret Value. You need to use it as the Application Password when registering the Azure application with Deep Security.

    The client secret Value only appears once, so record it now. If you do not, you must regenerate it to obtain a new Value.

    If the client secret Value expires, you must regenerate it and update it in the associated Azure accounts.

Option 2: Upload an application certificate

  1. Prepare a certificate in X.509 PEM text format.

    The certificate can be signed by a public certificate authority or self-signed, and it should not expire. When setting up the Azure account in Deep Security Manager, you need the certificate's private key and, if that key is protected with a passphrase or secret, the passphrase or secret as well. The RSA key size must be at least 2048 bits.

    Deep Security Manager currently does not support certificates in binary format.

  2. Click the Upload certificate button.
  3. Select the certificate file to upload.
  4. Click Add.

If you provide invalid credentials or configurations (for example, the RSA key is too short), the Azure connector displays an error message "Unable to authenticate to Azure Entra ID. Credential or configuration is invalid".
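As an added example (not part of the Deep Security documentation), the following POSIX shell script generates a self-signed PEM certificate that meets the requirements above and checks a certificate file for the conditions that produce the error just described: binary (DER) format, a non-RSA key, an RSA key shorter than 2048 bits, or an expired certificate. It assumes the openssl command-line tool is installed; the subject name and file names are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the Deep Security documentation.
# make_ds_cert: create a self-signed X.509 certificate in PEM format whose RSA
# key meets the documented minimum of 2048 bits.
# check_ds_cert: verify that a certificate file is PEM text (not binary DER),
# carries an RSA public key of at least 2048 bits, and has not expired.
# Assumes the openssl command-line tool is installed.

# make_ds_cert <basename> [days] [bits]
# Writes <basename>.key (unencrypted private key) and <basename>.pem.
# Every X.509 certificate carries an expiry, so use a long validity period
# (ten years by default) rather than one that lapses soon.
make_ds_cert() {
  base=$1; days=${2:-3650}; bits=${3:-2048}
  openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
    -subj "/CN=Deep Security Azure Connector" \
    -keyout "$base.key" -out "$base.pem" 2>/dev/null
}

# check_ds_cert <cert.pem>  -> returns 0 when the file is acceptable
check_ds_cert() {
  cert=$1
  # Deep Security Manager does not accept certificates in binary format.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
    echo "$cert: not an X.509 PEM text certificate"; return 1
  fi
  info=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
    echo "$cert: openssl could not parse the certificate"; return 1; }
  case $info in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo "$cert: public key is not RSA"; return 1 ;;
  esac
  # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
  bits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "$cert: RSA key is ${bits:-?} bits; Deep Security requires at least 2048"
    return 1
  fi
  # -checkend 0 fails if the certificate has already expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "$cert: certificate has expired"; return 1
  fi
  echo "$cert: PEM, RSA $bits bits, not expired"
}

# Demo: generate a compliant certificate in a temporary directory and check it.
demo_dir=$(mktemp -d)
make_ds_cert "$demo_dir/ds-connector" && check_ds_cert "$demo_dir/ds-connector.pem"
```

Run check_ds_cert against the file you intend to upload; a non-zero exit with the printed reason tells you which requirement the file misses before the Azure connector rejects it.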

Record the Subscription ID

  1. On the left, go to All Services and click Subscriptions.

    A list of subscriptions appears.

    If Subscriptions does not appear on the left, use the search box at the top of the screen to find it.

  2. Record the Subscription ID of each subscription you want to associate with the Azure application. You need the ID later, when adding the Azure accounts to Deep Security.

Assign the Azure application a role and connector

  1. Under All Services > Subscriptions, click a subscription that you want to associate with the Azure application.

    You can associate another subscription with the Azure application later if you want to.

  2. Click Access Control (IAM).
  3. In the main pane, click Add, and then select Add Role Assignment from the menu.
  4. Under Role, enter Reader and then click the Reader role that appears.
  5. Under Assign access to, select User, user group, or service principal.
  6. Under Select members, enter the Azure application Name (for example, Deep Security Azure Connector).

    The Azure application appears with the Name you chose for it in Step 3 of the Create the Azure application procedure.

  7. Click Save.
  8. If you want to associate the Azure application with another subscription, repeat this procedure (Assign the Azure application a role and connector) for that subscription.

You can now configure Deep Security to add Azure virtual machines by following the instructions in Add a Microsoft Azure account to Deep Security.