Netskope Help

Step 3/4: Assign Azure Permissions for Data Protection

To scan Azure Blob Storage for DLP and threat protection, under Roles, either create a custom role (used together with the inbuilt Reader role) or assign a Contributor role with the following permissions.

  • Microsoft.EventGrid/eventSubscriptions/write - This permission creates or updates an eventSubscription.

  • Microsoft.Storage/storageAccounts/listkeys/action - This permission returns the access keys for the specified storage account.

  • Microsoft.EventGrid/eventSubscriptions/delete - This permission deletes an eventSubscription. Netskope creates an eventSubscription when onboarding the tenant. When the subscription is deleted, the system topic is also deleted.

The inbuilt Reader role grants the following actions.

  • Gets an Azure subscription definition within a management group.

  • Gets information about a role definition.

  • Lists all the permissions the caller has at a given scope.

  • Gets the list of storage accounts or gets the properties for the specified storage account.

  • Gets the list of blob services.

  • Gets the list of containers.

  • Reads an eventSubscription.

  • Gets the list of regional event subscriptions.

Important

If you are configuring this instance for Forensic with a combination of features such as Security Posture, DLP, and Threat Protection, then you must create separate custom roles for each feature. For a combination of feature support, assign the roles based on the table below:

Feature/Role                                          | Reader + Custom | Inbuilt Contributor
------------------------------------------------------|-----------------|--------------------
DLP                                                   | X               | X
Threat Protection                                     | X               | X
DLP, Security Posture                                 | X               | X
DLP, Forensic                                         | X               | X
Threat Protection, Security Posture                   | X               | X
Threat Protection, Forensic                           | X               | X
DLP, Threat Protection, Security Posture, Forensic    | X               | X

To create a custom role for DLP and Threat Protection,

  1. Create a JSON file with the following content and save the file as NetskopeDLP.json. The value of "Name" is the role name that appears in the portal, so it must match the role you assign in step 5. JSON requires double quotes; single-quoted strings are rejected by New-AzRoleDefinition.

    {
        "Name": "Netskope DLP Custom Role",
        "Description": "Storage Scan",
        "Actions": [
            "Microsoft.EventGrid/eventSubscriptions/write",
            "Microsoft.Storage/storageAccounts/listkeys/action",
            "Microsoft.EventGrid/eventSubscriptions/delete"
        ],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": ["/subscriptions/<subscription-id>"]
    }

    To get the <subscription-id>:

    1. Navigate to All services > General > Subscriptions.

    2. Copy the subscription ID and replace the <subscription-id> parameter with the copied ID.

  2. Next, use Azure PowerShell: click the Cloud Shell icon on the top-center bar of the Azure portal page.

    Note

    The shell may prompt you to create and mount a storage account.

  3. On the PowerShell top navigation, select the Upload/Download files icon and then Upload.

  4. Upload the NetskopeDLP.json file. Then, at the PowerShell prompt, enter the following command:

    New-AzRoleDefinition -InputFile "NetskopeDLP.json"

    When you run this command, Azure creates a custom role named Netskope DLP Custom Role with the Microsoft.EventGrid/eventSubscriptions/write, Microsoft.Storage/storageAccounts/listkeys/action, and Microsoft.EventGrid/eventSubscriptions/delete permissions.

  5. Under Roles, assign the Reader and Netskope DLP Custom Role.

    Note

    If you have multiple subscriptions, you can group them under a Management Group and assign the role at the Management Group.

  6. Leave Assign access to set to Azure AD user, group, or service principal.

  7. Under Select, search for the newly created Azure AD application and select it.

  8. Click Save.
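The same procedure (steps 4 to 8) as an added Azure PowerShell script, not part of the Netskope documentation: it creates the custom role only if it does not exist yet, verifies that the role grants exactly the three documented actions before anything is assigned, and then assigns Reader and the custom role to the Azure AD application's service principal at subscription scope. The subscription ID, the application display name and the path to NetskopeDLP.json are placeholders you must replace.

```powershell
# Added example, not Netskope's own script. Placeholders to replace:
#   <subscription-id>               the ID copied from All services > General > Subscriptions
#   <netskope-app-display-name>     the Azure AD application created earlier in this guide
$SubscriptionId = "<subscription-id>"
$AppDisplayName = "<netskope-app-display-name>"
$RoleName       = "Netskope DLP Custom Role"      # must match "Name" in NetskopeDLP.json
$Scope          = "/subscriptions/$SubscriptionId"
$ExpectedActions = @(
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.EventGrid/eventSubscriptions/delete"
)

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Idempotent create: New-AzRoleDefinition fails if a role with this name already exists.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    $role = New-AzRoleDefinition -InputFile "NetskopeDLP.json"   # uploaded in step 3
}

# Least-privilege check: stop if the role grants more (or less) than the documented set,
# or any data-plane actions, before it is bound to a service principal.
$unexpected = @($role.Actions | Where-Object { $_ -notin $ExpectedActions })
$missing    = @($ExpectedActions | Where-Object { $_ -notin $role.Actions })
if ($unexpected.Count -gt 0 -or $missing.Count -gt 0 -or $role.DataActions.Count -gt 0) {
    throw "Role '$RoleName' differs from the documented permission set. " +
          "Unexpected: $($unexpected -join ', '); Missing: $($missing -join ', ')"
}

# Resolve the service principal behind the Azure AD application (step 7).
$sp = Get-AzADServicePrincipal -DisplayName $AppDisplayName
if (-not $sp) { throw "No service principal found with display name '$AppDisplayName'" }

# Assign Reader plus the custom role at subscription scope (step 5), skipping any
# assignment that already exists so the script can be re-run safely.
foreach ($r in @("Reader", $RoleName)) {
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $Scope | Out-Null
    }
}

# Print the resulting assignments for review.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope |
    Select-Object RoleDefinitionName, Scope
```

If you group several subscriptions under a Management Group, change $Scope to the management group's resource ID and add it to "AssignableScopes" in the JSON before running the script.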