
Update Microsoft Azure Account

Prerequisites

Make sure the Azure AD account that will be used on FortiCWP has a Global Administrator role, Application Administrator + Global Reader roles, or Cloud Application Administrator + Global Reader roles.

You will also need to set up the Azure AD Privileged Identity Management application. For more information on how to do so, go to:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.

FortiCWP supports all types of Azure AD licenses. However, depending on the features supported by the Azure AD license, FortiCWP will only integrate features available to that license. For example, a free Azure AD license does not include sign-in activity report, thus FortiCWP cannot provide sign-in activities from the free Azure AD account.

Follow each section below to set up the Azure Subscription and Roles and to configure the Blob Storage in preparation for adding the Azure Subscription to FortiCWP.

Setup Subscription

Once you have your Azure license ready, you will need a subscription ID to use FortiCWP. If you do not have a subscription yet, please follow these steps:

  1. Log into the Azure portal https://portal.azure.com using your Azure account.
  2. Search and click on Subscriptions.
  3. Click on the +Add button to add a subscription.
  4. Select the subscription desired and complete the rest of the billing steps.

Note: You will need a minimum of a "Pay-As-You-Go" subscription to use FortiCWP.

Add Role to the Subscription

Add a Reader, Owner, or User Access Administrator role to the Subscription that is going to be added to FortiCWP. The purpose is to provide FortiCWP with read access to the resources under the Subscription.

  1. Search and click on Subscriptions.
  2. Click on the Subscription that is going to be used on FortiCWP.
  3. In the Subscription menu, click on Access control (IAM).
  4. Click on + Add and select "Add role assignment".
  5. In the Add role assignment drop-down menu, click on Select a role and select Reader, Owner, or User Access Administrator.
  6. Leave Assign access to as "Azure AD user, group, or service principal".
  7. In the Select field, search and select the member (user account) that will be associated with the role.
  8. The member (user account) should have a Global Administrator role, Application Administrator + Global Reader roles, or Cloud Application Administrator + Global Reader roles, as stated in the Prerequisites.
  9. Click Save to finish creating the role assignment.

Add Reader roles to multiple subscriptions simultaneously (optional)

To add multiple subscriptions to FortiCWP with one user account simultaneously, follow these steps to configure the subscriptions with read access. If the user account already has the Global Administrator role, only do steps 6-9.

  1. Log in to Azure portal as the master account user.
  2. In the search field, search and click on "users".
  3. Click on the user that will be used when adding the Subscriptions to FortiCWP.
  4. In the middle Profile navigation menu, click on Assigned roles.
  5. Click +Add assignments to add Global reader role and Global Administrator role to the user. (Global Administrator role will be removed later)
  6. Log out of the master account user, and log back in as the user whom the new roles are assigned to.
  7. Search and click on "Azure Active Directory".
  8. In the middle Azure Active Directory navigation menu, click on Properties.
  9. Click Yes under Access management for Azure resources, and click save. This step allows the user to manage access of all Subscriptions under the Azure account.
  10. Log out of the user account, and log back in as the master account.
  11. Follow steps 2-4 above, and remove the Global Administrator role.

Now all the Subscriptions under the user account have Reader role, and you can add multiple Azure Subscriptions at the same time.

View Subscription ID

To view your subscription ID after you have set up the subscription, please follow these steps:

  1. From the portal page, search and click on Subscriptions.
  2. Once Subscriptions page opens, you will notice the subscription ID column next to the subscription.

Please keep the Subscription ID; it is needed later for Azure authentication during installation.

View Directory ID

Obtain Directory ID following the steps below:

  1. From the portal page, search and click on Azure Active Directory.
  2. Click on Manage > Properties.
  3. Under Directory properties, you will find Directory ID.

Please keep the Directory ID; it is needed later for Azure authentication during installation.

Setup Blob Storage

A Storage account with blob log monitoring enabled is required to install FortiCWP. If you do not have a storage account yet, please follow the steps below to create a storage account:

  1. From the portal page, search and click on Storage accounts.
  2. Click +Add to create a storage account.
  3. Under Basics > Subscription, make sure you select the subscription that is linked to your subscription ID.
  4. In the Resource group field, select a resource group based on your preference or create a new one.
  5. In the Storage account name field, enter an account name based on your preference.
  6. Click Review + create. Once validation has passed, click Create.

Enable Blob Log Monitoring

Once the storage account is created, enable blob log monitoring as follows:

  1. Select the storage account of interest.
  2. From the left menu, select Monitoring (classic) > Diagnostic settings.
  3. Turn On diagnostic logs. Under the Blob properties, enable Read/Write/Delete under Logging.

Setup Storage Blob Data Reader

The last step is to grant Storage Blob Data Reader permission to the Azure AD user. This is a necessary step for FortiCWP DLP and virus scan to read and analyze the data stored in the Storage Blob account as well as integrating Azure cloud traffic in FortiCWP.

  1. From the Azure portal page, search and click Subscriptions.
  2. Select your subscription.
  3. Select Access Control (IAM) and click +Add; the Add role assignment pane opens.
  4. In Role field, type and select Storage Blob Data Reader.
  5. In Assign access to field, leave it as Azure AD user, group, or service principal.
  6. In Select field, type and select the name or e-mail address of the Azure AD user.
  7. Click Save to complete granting the role to the Azure AD user.
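The role assignments from the "Add Role to the Subscription" and "Setup Storage Blob Data Reader" sections and the Read/Write/Delete logging from "Enable Blob Log Monitoring" can be verified before clicking Update Azure Account. The script below is an added verification example, not Fortinet's code. It assumes the JSON field names printed by `az role assignment list --all -o json` (principalName, roleDefinitionName, scope) and by `az storage logging show -o json` (blob.read, blob.write, blob.delete); the subscription ID, user name and sample records are constructed. It also reports any role held at the root scope "/", because setting "Access management for Azure resources" to Yes in the optional multi-subscription procedure is implemented as a User Access Administrator assignment at that scope, and removing the Global Administrator role afterwards does not remove that assignment.

```python
"""Preflight check for the FortiCWP onboarding requirements above: a read
role on the subscription, Storage Blob Data Reader for the FortiCWP user,
and Read/Write/Delete blob logging. Added example, not Fortinet's code; it
assumes the JSON shapes printed by `az role assignment list --all -o json`
and `az storage logging show -o json`, and all sample values are constructed."""
import json
import sys

# Any one of these on the subscription gives FortiCWP read access (page's list).
SUBSCRIPTION_READ_ROLES = {"Reader", "Owner", "User Access Administrator"}
BLOB_ROLE = "Storage Blob Data Reader"
MGMT_GROUP_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed subscription ID and user name; not real tenant values.
SUB_ID = "00000000-0000-0000-0000-000000000001"
PRINCIPAL = "cwp-onboarding@contoso.example"


def check_role_assignments(assignments, subscription_id, principal_name):
    """Summarise which required roles the principal holds at a scope that
    covers the subscription, and list any grant left at the root scope "/"
    (the 'Access management for Azure resources' toggle creates one)."""
    sub_scope = f"/subscriptions/{subscription_id}"
    read_roles, blob_ok, root_roles = set(), False, []
    for a in assignments:
        if a.get("principalName", "").lower() != principal_name.lower():
            continue
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if scope == "/":
            root_roles.append(role)
        # Grants at the subscription itself, or inherited from a management
        # group or the root, cover the subscription; a resource-group or
        # storage-account scope below it does not.
        covers = scope == sub_scope or scope == "/" or scope.startswith(MGMT_GROUP_PREFIX)
        if covers and role in SUBSCRIPTION_READ_ROLES:
            read_roles.add(role)
        if covers and role == BLOB_ROLE:
            blob_ok = True
    return {
        "subscription_read_roles": sorted(read_roles),
        "blob_data_reader_ok": blob_ok,
        "root_scope_roles": root_roles,
    }


def check_blob_logging(logging_cfg):
    """Return the blob operations that are not being logged; an empty list
    means Read, Write and Delete are all enabled as the page requires."""
    blob = logging_cfg.get("blob", {})
    return [op for op in ("read", "write", "delete") if not blob.get(op)]


def preflight(assignments, logging_cfg, subscription_id, principal_name):
    """Combine both checks into one report with an overall pass/fail flag."""
    report = check_role_assignments(assignments, subscription_id, principal_name)
    report["blob_logging_missing"] = check_blob_logging(logging_cfg)
    report["ok"] = (bool(report["subscription_read_roles"])
                    and report["blob_data_reader_ok"]
                    and not report["blob_logging_missing"])
    return report


# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE_ASSIGNMENTS = [
    {"principalName": PRINCIPAL, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": PRINCIPAL, "roleDefinitionName": BLOB_ROLE,
     "scope": f"/subscriptions/{SUB_ID}"},
    # Leftover from the multi-subscription procedure: removing Global
    # Administrator in Azure AD does not remove this root-scope grant.
    {"principalName": PRINCIPAL, "roleDefinitionName": "User Access Administrator",
     "scope": "/"},
    {"principalName": "someone-else@contoso.example", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_ID}"},
]

# Constructed sample in the shape of `az storage logging show -o json`;
# Delete logging was left off, which the check must catch.
SAMPLE_LOGGING = {
    "blob": {"read": True, "write": True, "delete": False,
             "retentionPolicy": {"enabled": False, "days": None}, "version": "1.0"},
}

if __name__ == "__main__":
    # Usage: python preflight.py [assignments.json logging.json]; with no
    # arguments the constructed samples above are checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            assignments, logging_cfg = json.load(f1), json.load(f2)
    else:
        assignments, logging_cfg = SAMPLE_ASSIGNMENTS, SAMPLE_LOGGING
    print(json.dumps(preflight(assignments, logging_cfg, SUB_ID, PRINCIPAL), indent=2))
```

Run with no arguments to see the report on the constructed samples (the report comes back with "ok": false because Delete logging is off), or save the real CLI output to two files and pass them as arguments. A non-empty "root_scope_roles" list is the signal that the elevated access from the multi-subscription procedure is still in place and should be reviewed once onboarding is complete.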

Update Account

Once you have all the prerequisites in place, click Update Azure Account on FortiCWP. This will prompt you to log into the Microsoft Azure account using OAuth authentication to grant access to FortiCWP. Follow the steps below to complete the OAuth authentication.

  1. Enter the Directory ID you saved earlier in the Tenant ID field.
  2. Enter the Subscription ID you saved earlier in the Subscription ID field.
  3. Give the Azure account an account name on FortiCWP in the Account Name field. (optional)
  4. Click Submit; you will be redirected back to FortiCWP.

FortiCWP does not request all permissions from the global administrator user, only a subset. Below is the list of permissions requested by FortiCWP.

Permissions requested by FortiCWP

  1. Read all users' full profiles
  2. Read all users' basic profiles
  3. Access Azure Storage as the signed-in user
  4. Access Azure Service Management as you (preview)
  5. Read audit log data
  6. Sign you in and read your profile
  7. Read all users' basic profiles
