Step 3/4: Assign Azure Permissions for Data Protection

Step 3/4: Assign Azure Permissions for Data Protection

To scan Azure Blob Storage for DLP scanning and threat protection, under Roles, either create a custom role with inbuilt Reader Role or assign a Contributor role with the following permissions.

  • Microsoft.EventGrid/eventSubscriptions/write – This permission creates or updates an eventSubscription.
  • Microsoft.Storage/storageAccounts/listkeys/action – This permission returns the access keys for the specified storage account.
  • Microsoft.EventGrid/eventSubscriptions/delete – This permission deletes an eventSubscription. Netskope creates an eventSubscription when onboarding the tenant. When the subscription is deleted, the system topic is also deleted.

The inbuilt Reader Role permission performs the following actions.

  • Gets an Azure subscription definition within a management group.
  • Gets information about a role definition.
  • Lists all the permissions the caller has at a given scope.
  • Gets the list of storage accounts or gets the properties for the specified storage account.
  • Gets the list of blob services.
  • Gets the list of containers.
  • Reads an eventSubscription.
  • Gets the list of regional event subscriptions.


If you are configuring this instance for Forensic with a combination of features such as Security Posture, DLP, and Threat Protection, then you must create separate custom roles for each feature. For a combination of feature support, assign the roles based on the table below:

Feature/RoleReader + CustomInbuilt Contributor
Threat ProtectionXX
DLP, Security PostureXX
DLP, ForensicXX
Threat Protection, Security PostureXX
Threat Protection, ForensicXX
DLP, Threat Protection, Security Posture, ForensicXX

To create a custom role for DLP and Threat Protection,

  1. Create a JSON file with the following script and save the file as NetskopeDLP.json.
        "Name": "custom-dlp-role",
        "Description": "Storage Scan",
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": ["/subscriptions/<subscriber_id>"]

    To get the <subscription-id>:

    1. Navigate to All services > General > Subscriptions.
    2. Copy the subscription ID and replace the <subscription-id> parameter with the copied ID.
  2. Next, use the Azure PowerShell. Click the Cloud Shell icon on the top-center bar of the Azure portal page.


    The shell may prompt you to create and mount a storage account.

  3. On the PowerShell top navigation, select the Upload/Download files icon and then Upload.
  4. Upload the NetskopDLP.json file. Then, on the PowerShell prompt, enter the following command:
    New-AzRoleDefinition -InputFile "NetskopeDLP.json"

    When you run this command, Azure creates a custom role Netskope DLP Custom Role with the Microsoft.EventGrid/eventSubscriptions/write , Microsoft.Storage/storageAccounts/listkeys/action, and Microsoft.EventGrid/eventSubscriptions/delete permissions.

  5. Navigate to Subscription, then click the desired subscription from the list.
  6. On the left navigation of the subscription, click Access Control (IAM).
  7. Click + Add, then Add role assignment.
  8. On the Add role assignment page, type the Netskope CSA Custom Role role in the search box. Click Next.
  9. Under Members, click + Select members.
  10. On the Select members page, type the Netskope App and select it.
  11. Click Next followed by Review + assign.


    Follow steps 8-11 for the Reader role too.

Share this Doc

Step 3/4: Assign Azure Permissions for Data Protection

Or copy link

In this topic ...