Skip to main content

Netskope Help

Step 2/4: Configure an Azure AD Application for Data Protection

To configure Azure for Blob Storage for DLP scanning and Threat Protection (Malware scanning), you must log in to the Azure portal as a subscription owner or global administrator and configure the following tasks:

Create an Azure AD Application

To create an Azure AD application, follow the steps below:

  1. Log in to portal.azure.com.

  2. Navigate to All services > Identity > Azure Active Directory.

  3. Click App registrations.

    Azure-AD-App_App-Regis.png
  4. Click + New registration and enter the following details:

    1. Name: Enter the name of the application.

    2. Supported account types: Keep the default selection to Accounts in this organizational directory only.

    3. Redirect URL (optional): Leave this blank.

    Azure_Regis-App.png
  5. Click Register.

For additional information, refer to the Microsoft Azure documentation located here.

Get the Application ID and Directory ID

After registering the Azure AD application, the page redirects you to the Azure AD application Overview page. Note down the Application (client) ID and Directory (tenant) ID.

Azure_App-ID_Dir-ID.png

Note

These values will be required when you set up the Azure application instance in the Netskope UI.

Create the AzureEventGridSecureWebhookSubscriber role

Create the predefined Azure role, AzureEventGridSecureWebhookSubscriber to allow the validation of JWT tokens against the Netskope instance. The role makes use of the Azure AD credentials from the application you created in step 1 to validate the JWT tokens.

To create the AzureEventGridSecureWebhookSubscriber role,

  1. Copy the azure_webhook_role.ps1 script locally.

    # NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
    
    $webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
    $eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_APPLICATION_ID]" 
    
    # Start execution
    try {
    
        # Creates an application role of given name and description
    
        Function CreateAppRole([string] $Name, [string] $Description)
        {
            $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
            $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
            $appRole.AllowedMemberTypes.Add("Application");
            $appRole.AllowedMemberTypes.Add("User");
            $appRole.DisplayName = $Name
            $appRole.Id = New-Guid
            $appRole.IsEnabled = $true
            $appRole.Description = $Description
            $appRole.Value = $Name;
    
            return $appRole
        }
    
        # Creates Azure Event Grid Azure AD Application if not exists
    
        $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" # You don't need to modify this id
        $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
        $eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
        if ($eventGridSP -match "Microsoft.EventGrid")
        {
            Write-Host "The Azure AD Application is already defined.`n"
        } else {
            Write-Host "Creating the Azure Event Grid Azure AD Application"
            $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
        }
    
        # Creates the Azure app role for the webhook Azure AD application
    
        $app = Get-AzureADApplication -ObjectId $webhookAppObjectId
        $appRoles = $app.AppRoles
    
        Write-Host "Azure AD App roles before addition of the new role..."
        Write-Host $appRoles
        
        if ($appRoles -match $eventGridRoleName)
        {
            Write-Host "The Azure Event Grid role is already defined.`n"
        } else {      
            Write-Host "Creating the Azure Event Grid role in Azure AD Application: " $webhookAppObjectId
            $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
            $appRoles.Add($newRole)
            Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
        }
    
        Write-Host "Azure AD App roles after addition of the new role..."
        Write-Host $appRoles
    
        # Creates the user role assignment for the app that will create event subscription
    
        $servicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
        $eventSubscriptionWriterSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventSubscriptionWriterAppId + "'")
    
        if ($null -eq $eventSubscriptionWriterSP)
        {
            Write-Host "Create new Azure AD Application"
            $eventSubscriptionWriterSP = New-AzureADServicePrincipal -AppId $eventSubscriptionWriterAppId
        }
    
        try
        {
            Write-Host "Creating the Azure AD Application role assignment: " $eventSubscriptionWriterAppId
            $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
            New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterSP.ObjectId -PrincipalId $eventSubscriptionWriterSP.ObjectId
        }
        catch
        {
            if( $_.Exception.Message -like '*Permission being assigned already exists on the object*')
            {
                Write-Host "The Azure AD Application role is already defined.`n"
            }
            else
            {
                Write-Error $_.Exception.Message
            }
            Break
        }
    
        # Creates the service app role assignment for Event Grid Azure AD Application
    
        $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
        New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
        
        # Print output references for backup
    
        Write-Host ">> Webhook's Azure AD Application Id: $($app.AppId)"
        Write-Host ">> Webhook's Azure AD Application ObjectId Id: $($app.ObjectId)"
    }
    catch {
      Write-Host ">> Exception:"
      Write-Host $_
      Write-Host ">> StackTrace:"  
      Write-Host $_.ScriptStackTrace
    }
  2. Log into the Azure portal. You must login with Azure AD Application Administrator role or be an owner of the service principal of the Webhook app in Azure AD. These are standard Roles defined by Azure.

    To learn more: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles

  3. On the left navigation bar of the Azure portal, click the Cloud Shell button and select PowerShell.

  4. Using the Azure PowerShell, open azure_webhook_role.ps1 and update the following parameters in the script.

    $webhookAppObjectId = "REPLACE_WITH_OBJECT_ID_OF_APPLICATION"
    $eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_APPLICATION_ID]" Refer to Get the Application ID and Directory ID
    $webhookAadTenantId = "REPLACE_WITH_YOUR_TENANT_ID"
  5. Enter the following commands to connect the Azure AD account with the tenant ID and run the script, azure_webhook_role.ps1.

    Connect-AzureAD -TenantId $webhookAadTenantId
    ./azure_webhook_role.ps1
    azure-event-grid-role.png
  6. You can view the AzureEventGridSecureWebhookSubscriber role in the Azure app registrations page. The role is enabled by default.

    azure-event-grid-app-registration.png
Get the Authentication Key

To get the authentication key, follow the steps below:

  1. On the left navigation bar of the Azure AD application page, click Certificates & secrets.

  2. Under Client secrets, click + New client secret and enter the following details:

    1. Description: Provide a description of the key.

    2. Expires: Set a duration for the key.

  3. Click Add.

    Azure_Setup-Auth-Key.png
  4. After you save the configuration changes, under Client secrets, copy the key value (not the Secret ID).

    Azure_Copy-Key-Value.png

    Important

    Ensure that you copy the key value as it is not accessible once you leave this page. The key value will be required when you set up the Azure application instance in the Netskope UI.

For additional information, refer to the Microsoft Azure documentation located here.

Assign a Role to the Azure AD Application

Note

Netskope sets up all subscriptions accessible by this Azure AD application for scanning. Ensure that you restrict the Azure AD application to the subscriptions you intend to scan.

To assign a role, follow the steps below:

  1. Log in to portal.azure.com.

  2. Navigate to All services > General > Subscriptions.

    Azure_All-serv_General_Subscrip.png
  3. On the Subscriptions page, click the appropriate subscription from the list.

  4. If you want to set up multiple subscriptions, group them under a Management Group and assign a role at the Management Group. When you add a new subscription to the management group, Netskope will automatically detect the subscription and perform scans as per your configuration.

  5. Click Access control (IAM).

  6. Click + Add > Add role assignment.

    Azure_Subscrip_Assign-Role.png

    Assign the roles and permissions specified in Step 3/4: Assign Azure Permissions for Data Protection.

For additional information, refer to the Microsoft Azure documentation located here.