Netskope Help

Configure an Azure AD Application for DLP and Threat Protection

To configure Azure for Blob Storage DLP scanning and threat protection (API Data Protection), log in to the Azure portal as a subscription owner or global administrator and complete the following tasks. Note that Step-4 (creating a custom role and assigning roles) needs an Azure RBAC role that carries the Microsoft.Authorization write permissions at the subscription, such as Owner or User Access Administrator; a Global Administrator who holds no Azure RBAC role on the subscription cannot complete that step without first elevating access.

Step-1: Create an Azure AD Application

To create an Azure AD application, follow the steps below:

  1. Log in to portal.azure.com.

  2. Navigate to All services > Identity > Azure Active Directory.

  3. Click App registrations.

  4. Click + New registration and enter the following details:

    1. Name: Enter the name of the application.

    2. Supported account types: Keep the default selection to Accounts in this organizational directory only.

    3. Redirect URI (optional): Leave this blank. The Netskope integration authenticates with the client secret created in Step-3, so no interactive sign-in redirect is needed.

  5. Click Register.

For additional information, refer to the Microsoft Azure documentation located here.

Step-2: Get the Application ID and Directory ID

After registering the Azure AD application, the page redirects you to the Azure AD application Overview page. Note down the Application (client) ID and Directory (tenant) ID.


Note

These values will be required when you set up the Azure application instance in the Netskope UI.

Step-3: Get the Authentication Key

To get the authentication key, follow the steps below:

  1. On the left navigation bar of the Azure AD application page, click Certificates & secrets.

  2. Under Client secrets, click + New client secret and enter the following details:

    1. Description: Provide a description of the key.

    2. Expires: Set a duration for the key.

  3. Click Add.

  4. After you click Add, the new secret is listed under Client secrets. Copy the contents of the Value column; this is the authentication key. Do not copy the Secret ID, which is only an identifier for the secret and cannot be used to authenticate.


    Important

    Ensure that you copy the key value now: it is shown only once and cannot be retrieved after you leave this page (if it is lost, you must create a new secret). The key value will be required when you set up the Azure application instance in the Netskope UI. Also note the expiry date you chose: once the secret expires the Netskope instance can no longer authenticate to Azure, so create and swap in a replacement secret before that date.

For additional information, refer to the Microsoft Azure documentation located here.
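The same three steps can be done from Azure PowerShell instead of the portal. The script below is an added example and is not code from the Netskope page; it assumes the Az.Accounts and Az.Resources modules and an existing sign-in (Connect-AzAccount) with rights to register applications. The display name, the six-month secret lifetime and the 30-day rotation window are assumptions; the Netskope UI only needs the three values the script emits.

```powershell
# Added example, not code from the Netskope page. Requires Az.Accounts and
# Az.Resources and an existing sign-in (Connect-AzAccount) that may register apps.
# The display name, secret lifetime and rotation window are assumed values.

$displayName  = "Netskope-API-DataProtection"   # assumed name; choose your own
$secretMonths = 6                               # assumed lifetime; shorter is safer

# Step-1 equivalent: single-tenant registration ("Accounts in this organizational
# directory only") with no redirect URI.
$app = New-AzADApplication -DisplayName $displayName -SignInAudience "AzureADMyOrg"

# The RBAC assignment in Step-4 is granted to the app's service principal, which
# the portal creates implicitly; create it explicitly here.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Step-3 equivalent: a client secret with an explicit end date.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths($secretMonths)

# Step-2 equivalent: the two IDs the Netskope UI asks for.
$tenantId = (Get-AzContext).Tenant.Id

[pscustomobject]@{
    ApplicationClientId = $app.AppId
    DirectoryTenantId   = $tenantId
    ServicePrincipalId  = $sp.Id
    SecretExpires       = $cred.EndDateTime
}

# The secret value is returned exactly once; hand it to the Netskope instance setup
# (or a vault) immediately. It cannot be read back later, only replaced.
$cred.SecretText

# Later, as a rotation check: list credentials on this app that expire within
# 30 days, so a replacement is created before the Netskope instance loses access.
Get-AzADAppCredential -ApplicationId $app.AppId |
    Where-Object { $_.EndDateTime -lt (Get-Date).AddDays(30) } |
    Select-Object KeyId, EndDateTime
```

Store $cred.SecretText straight into the Netskope instance configuration or a secret store; do not leave it in shell history or a ticket.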

Step-4: Assign a Role to the Azure AD Application

To assign a role, follow the steps below:

  1. Log in to portal.azure.com.

  2. Navigate to All services > General > Subscriptions.

  3. On the Subscriptions page, click the appropriate subscription from the list.

  4. Click Access control (IAM).

  5. Click + Add > Add role assignment.


    To scan Azure Blob Storage for DLP and threat protection, under Roles either assign the built-in Contributor role, or (least privilege) assign the built-in Reader role together with a custom role that grants only the following three actions:

    • Microsoft.EventGrid/eventSubscriptions/write - Creates or updates an event subscription.

    • Microsoft.Storage/storageAccounts/listkeys/action - Returns the access keys for the specified storage account. These keys give full data-plane access to every storage account within the assigned scope, so keep the scope as narrow as the scan requires.

    • Microsoft.EventGrid/eventSubscriptions/delete - Deletes an event subscription.

    The built-in Reader role (whose Actions entry is */read) supplies the read-only permissions the scan needs, including the following:

    • Gets an Azure subscription definition within a management group.

    • Gets information about a role definition.

    • Lists all the permissions the caller has at a given scope.

    • Gets the list of storage accounts or gets the properties for the specified storage account.

    • Gets the list of blob services.

    • Gets the list of containers.

    • Reads an eventSubscription.

    • Gets the list of regional event subscriptions.

    Important

    If you are configuring a combination of features such as CSA (Security Assessment), DLP, Threat Protection, and Forensics in a single instance, then you must create separate custom roles for each feature. For a combination of features, assign roles according to the table below:

    Feature(s) in the instance                            | Reader + Custom | Inbuilt Contributor | Storage Account Contributor
    DLP                                                   | X               | X                   |
    Threat Protection                                     | X               | X                   |
    Security Assessment                                   | X               | X                   |
    Forensic                                              | X               | X                   | X
    DLP, Security Assessment                              | X               | X                   |
    DLP, Forensic                                         | X               | X                   |
    Threat Protection, Security Assessment                | X               | X                   |
    Threat Protection, Forensic                           | X               | X                   |
    Security Assessment, Forensic                         | X               | X                   |
    DLP, Threat Protection, Security Assessment, Forensic | X               | X                   |

    An X marks a role option that supports that feature combination. Reader plus the custom role(s) is the least-privilege choice; the built-in Contributor role works for every combination but is far broader than the scan needs. Storage Account Contributor on its own is listed only for Forensic alone: that built-in role carries no Microsoft.EventGrid permissions, so it cannot cover the event subscription actions DLP and Threat Protection require.

    To create a custom role,

    1. Create a JSON file with the following content and save it as NetskopeDLP.json. The Name field is the role name that appears in the portal.

      {
          "Name": "Netskope DLP Custom Role",
          "Description": "Storage Scan",
          "IsCustom": true,
          "Actions": [
              "Microsoft.EventGrid/eventSubscriptions/write",
              "Microsoft.Storage/storageAccounts/listkeys/action",
              "Microsoft.EventGrid/eventSubscriptions/delete"
          ],
          "NotActions": [],
          "DataActions": [],
          "NotDataActions": [],
          "AssignableScopes": ["/subscriptions/<subscription-id>"]
      }

      To get the <subscription-id>:

      1. Navigate to All services > General > Subscriptions.

      2. Copy the subscription ID and replace the <subscription-id> placeholder in AssignableScopes with the copied ID.

    2. Next, open Azure Cloud Shell in PowerShell mode: click the Cloud Shell icon on the top bar of the Azure portal page.

      Note

      The shell may prompt you to create and mount a storage account.

    3. On the Cloud Shell toolbar, select the Upload/Download files icon and then Upload.

    4. Upload the NetskopeDLP.json file. Then, at the PowerShell prompt, enter the following command:

      New-AzRoleDefinition -InputFile "NetskopeDLP.json"

      This creates a custom role named Netskope DLP Custom Role (the Name field in the JSON) with the Microsoft.EventGrid/eventSubscriptions/write, Microsoft.Storage/storageAccounts/listkeys/action, and Microsoft.EventGrid/eventSubscriptions/delete permissions.

    5. Back in Access control (IAM), under Role, assign Reader and Netskope DLP Custom Role. The portal accepts one role per assignment, so repeat the Add role assignment steps once for each of the two roles.

      Note

      If you have multiple subscriptions, you can group them under a Management Group and assign the roles at the Management Group. In that case the custom role's AssignableScopes must also include the management group scope (/providers/Microsoft.Management/managementGroups/<management-group-id>), otherwise the assignment is rejected.

    6. Leave Assign access to set to its default, Azure AD user, group, or service principal.

    7. Under Select, search for the newly created Azure AD application and select it.

    8. Click Save.

For additional information, refer to the Microsoft Azure documentation located here.
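Step-4 can also be driven entirely from Azure PowerShell, which makes the role definition and the two assignments re-runnable and lets you verify that the service principal holds nothing broader than intended. The script below is an added example, not code from the Netskope page or from Netskope; it assumes the Az.Resources module and an existing sign-in (Connect-AzAccount) as Owner or User Access Administrator of the subscription. The two placeholder IDs and the role description are assumptions; the role name and the three actions are the ones the page specifies.

```powershell
# Added example, not code from the Netskope page: create the custom role, make the
# Reader and custom-role assignments, and verify them. Requires Az.Resources and an
# existing sign-in as Owner or User Access Administrator of the subscription.
# The placeholder IDs and the role description are assumed values.

$subscriptionId = "<subscription-id>"          # from All services > Subscriptions
$appId          = "<application-client-id>"    # Application (client) ID from Step-2
$roleName       = "Netskope DLP Custom Role"
$scope          = "/subscriptions/$subscriptionId"

# Exactly the three actions the page lists; */read comes from the built-in Reader role.
$actions = @(
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.EventGrid/eventSubscriptions/delete"
)

# Create the custom role only if it does not already exist, so the script is re-runnable.
$custom = Get-AzRoleDefinition -Name $roleName
if (-not $custom) {
    # Clone a built-in definition as a typed template, then overwrite every field.
    $custom = Get-AzRoleDefinition -Name "Reader"
    $custom.Id          = $null
    $custom.IsCustom    = $true
    $custom.Name        = $roleName
    $custom.Description = "Netskope Blob Storage DLP and threat protection scan"   # assumed text
    $custom.Actions.Clear()
    foreach ($a in $actions) { $custom.Actions.Add($a) }
    $custom.NotActions.Clear()
    $custom.AssignableScopes.Clear()
    $custom.AssignableScopes.Add($scope)
    $custom = New-AzRoleDefinition -Role $custom
}

# Role assignments target the app's service principal, not the application object.
$sp = Get-AzADServicePrincipal -ApplicationId $appId

# One assignment per role: Reader for the read-only actions, the custom role for the
# three write/listkeys actions. Skip any assignment that is already in place.
foreach ($r in @("Reader", $roleName)) {
    $exists = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $scope
    if (-not $exists) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $scope | Out-Null
    }
}

# Verify: the principal should hold these two roles at the subscription and nothing
# broader (no Contributor or Owner left over from earlier experiments).
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

If you assign at a management group instead of a subscription, add that scope (/providers/Microsoft.Management/managementGroups/<management-group-id>) to $custom.AssignableScopes before calling New-AzRoleDefinition, and use it as $scope for the assignments; Azure refuses to assign a custom role at a scope that is not in its AssignableScopes.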