Create an Azure app for Deep Security

In your operating environment, it may not be desirable to allow the Deep Security Manager to access Azure resources with an account that has both the Global Administrator role for Microsoft Entra ID and the Subscription Owner role for the Azure subscription. As an alternative, you can create an Azure app for the Deep Security Manager that provides read-only access to Azure resources.

If you have multiple Azure subscriptions, you can create a single Deep Security Azure app for all of them, as long as the subscriptions all connect to the same Active Directory. Details are provided within the set of instructions below.

To create an Azure app, you will need to:

  1. Assign the correct roles.
  2. Create the Azure app.
  3. Record the Azure app ID and Active Directory ID.
  4. Record the Subscription ID(s).
  5. Assign the Azure app a role and connector.

Assign the correct roles

To create an Azure app, your account must have the User Administrator role for Microsoft Entra ID and the User Access Administrator role for the Azure subscription. Assign these roles to your Azure account before proceeding.

Create the Azure app

  1. In the Microsoft Entra ID blade, click App registrations.
  2. Click New registration.
  3. Enter a Name (for example, Deep Security Azure Connector).
  4. For the Supported account types, select Accounts in this organizational directory only.
  5. Click Register.

    The Azure app appears in the App registrations list with the Name you chose in Step 3 (above).

Record the Azure app ID and Active Directory ID

  1. In the App registrations list, click the Azure app.

    The Azure app will display with the Name you chose for it in Step 3 of the Create the Azure app procedure.

  2. Record the Application (client) ID.
  3. Record the Directory (tenant) ID

Create an application secret or upload the application certificate

  1. On the Certificates & secrets tab, choose which type of application credential to use:
    • Option 1: Client secrets (application password)
    • Option 2: Certificate

    You can create multiple application credentials in Azure, but Deep Security Manager only required one credential (either the application secret or application certificate) for the Azure account.

  2. Follow the procedure for either Option 1 or Option 2 (below) depending on the type of credential you want to use.

Option 1: Create client secrets (application password)

  1. Click New client secret.
  2. Enter a Description for the client secret.
  3. Select an appropriate Duration. The client secret expires after this time.
  4. Click Add.

    The client secret Value appears.

  5. Record the client secret Value. You will use it as the Application Password when registering the Azure app with Deep Security.

    The client secret Value only appears once, so record it now. If you do not, you must regenerate it to obtain a new Value.

    If the client secret Value expires, you must regenerate it and update it in the associated Azure accounts.

Option 2: Upload an application certificate

  1. Prepare a certificate in X.509 PEM text format.

    The certificate can be either public-signed or self-signed and should not expire. If the private key is protected with a secret, you will need the certificate private key and optional passphrase/secret when setting up the Azure account in Deep Security Manager.

    Deep Security Manager currently does not support certificates in binary format.

  2. Click the Upload certificate button.
  3. Select certificate file to upload.
  4. Click Add.

Record the Subscription ID(s)

  1. On the left, go to All Services and click Subscriptions.

    If Subscriptions does not appear on the left, use the search box at the top of the screen to find it.

    A list of subscriptions appears.

  2. Record the Subscription ID of each subscription you want to associate with the Azure app. You will need the ID(s) later, when adding the Azure account(s) to Deep Security.

Assign the Azure app a role and connector

  1. Under All Services > Subscriptions, click a subscription that you want to associate with the Azure app.
  2. You can associate another subscription with the Azure app later if you want to.

  3. Click Access Control (IAM).
  4. In the main pane, click Add and then select Add Role Assignment from the drop-down menu.
  5. Under Role, enter Reader and then click the Reader role that appears.
  6. Under Assign access to, select User, user group, or service principal.
  7. Under Select members, enter the Azure app Name (for example, Deep Security Azure Connector).

    The Azure app appears with the Name you chose for it in Step 3 of the Create the Azure app procedure.

  8. Click Save.
  9. If you want to associate the Azure app to another subscription, repeat this procedure (Assign the Azure app a role and connector) for that subscription.

You can now configure Deep Security to add Azure virtual machines by following the instructions in Add a Microsoft Azure account to Deep Security.