Add Microsoft Azure Account
Prerequisites
Account Requirement
You may use an existing Azure AD (Azure Active Directory) account or create a new one. Other types of Azure account cannot be added to FortiCASB.
If you create a new account, wait at least 24 hours for the new account to take effect before granting access to FortiCWP.
Role Requirement
Make sure the user account that will be added to FortiCWP has one of the following roles before adding the account to FortiCWP:
- Global Administrator role
- Application Administrator and Global Reader roles
- Cloud Application Administrator and Global Reader roles
FortiCWP supports all types of Azure AD licenses. However, FortiCWP only integrates the features that the Azure AD license supports. For example, a free Azure AD license does not include the sign-in activity report, so FortiCWP cannot provide sign-in activities from a free Azure AD account.
Follow each section below to set up the Azure Subscription and Roles and to configure the Blob Storage in preparation for adding the Azure Subscription to FortiCWP.
- Setup Subscription
- Add Role to the Subscription
- Add User Access Administrator role to multiple subscriptions (optional)
- View Subscription ID
- Setup Blob Storage
- Enable Blob Log Monitoring
- Setup Storage Blob Data Reader
- Add Azure Account to FortiCWP
Setup Subscription
Once you have your Azure license ready, you will need a subscription ID to use FortiCWP. If you do not have a subscription yet, follow these steps:
- Log into the Azure portal https://portal.azure.com using your Azure account.
- Search and click on Subscriptions.
- Click on +Add button to add a subscription.
- Select the subscription desired and complete the rest of the billing steps.
Note: You will need a minimum of "Pay-As-You-Go" subscription to use FortiCWP.
Add Role to the Subscription
Add either the Reader and Storage Account Contributor roles, or the Owner or User Access Administrator role, to the Subscription that is going to be added to FortiCWP. The purpose is to provide FortiCWP with read access to the resources under the Subscription.
- Search and click on Subscriptions.
- Click on the Subscription that is going to be used on FortiCWP.
- In the Subscription menu, click on Access control (IAM).
- Click on + Add and select "Add role assignment".
- In the Add role assignment pane, click on Select a role and select either both Reader and Storage Account Contributor, or Owner, or User Access Administrator.
- Leave Assign access to as "Azure AD user, group, or service principal".
- In Select field, search and select a member (user account) that will be associated with the role.
- Click Save to finish creating the Reader role.
Note: If you want to select User Access Administrator, first complete Add User Access Administrator role to multiple subscriptions (optional) to make User Access Administrator an available option in Add role assignment.
The user account should have the Global Administrator role, the Application Administrator + Global Reader roles, or the Cloud Application Administrator + Global Reader roles, as stated in the Role Requirement.
Add User Access Administrator role to multiple subscriptions (optional)
To add multiple subscriptions to FortiCWP with one user account at the same time, follow these steps to configure the subscriptions with read access. If the user account already has the Global Administrator role, only steps 6-9 are needed.
- Log in to Azure portal as the master account user.
- In the search field, search and click on "users".
- Click on the user that will be used when adding the Subscriptions to FortiCWP.
- In the middle Profile navigation menu, click on Assigned roles.
- Click +Add assignments to add Global Administrator role to the user.
- Log out of the master account user, and log back in as the user to whom the new roles are assigned.
- Search and click on "Azure Active Directory".
- In the middle Azure Active Directory navigation menu, click on Properties.
- Click Yes under Access management for Azure resources, and click Save. This step allows the user to manage access to all Subscriptions under the Azure account.
Now the user has the User Access Administrator role on all Subscriptions under the account, and you can add multiple Azure Subscriptions at the same time.
View Subscription ID
To view your subscription ID after you have set up the subscription, follow these steps:
- From the portal page, search and click on Subscriptions.
- Once the Subscriptions page opens, you will see the Subscription ID column next to the subscription.
Keep the Subscription ID; you will need it later for Azure authentication during installation.
Setup Blob Storage
A Storage account with blob log monitoring enabled is required to install FortiCWP. If you do not have a storage account yet, follow the steps below to create one:
- From the portal page, search and click on storage account.
- Click +Add to create a storage account.
- Under Basics > Subscription, make sure you select the subscription that is linked to your subscription ID.
- In the Resource group field, select a resource group based on your preference or create a new one.
- In the Storage account name field, enter an account name based on your preference.
- Click Review + create. Once validation has passed, click Create.
Enable Blob Log Monitoring
Once the storage account is created, enable blob log monitoring as follows:
- Select the storage account of interest.
- From the left menu, select Monitoring (classic) > Diagnostic settings.
- Turn on diagnostic logs. Under Blob properties, enable Read, Write, and Delete under Logging.
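The same storage account creation and classic blob logging setup, driven from the Azure CLI instead of the portal. This is an added example, not Fortinet's tooling or part of the original page; it assumes `az` is installed and logged in, and RESOURCE_GROUP, LOCATION and STORAGE_ACCOUNT are placeholders you replace. The check at the end reads back the blob service logging setting and only reports success when Read, Write and Delete are all enabled, which is what FortiCWP needs from the storage account; the sample JSON strings are constructed to mirror the shape `az storage logging show` prints.

```shell
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-forticwp}"        # placeholder, replace
LOCATION="${LOCATION:-eastus}"                          # placeholder, replace
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stforticwplogs01}"  # placeholder, replace

# Constructed samples of the JSON that `az storage logging show --services b` prints,
# one with all three blob operations logged and one with delete logging missing.
SAMPLE_LOGGING_OK='{"blob": {"delete": true, "read": true, "retentionPolicy": {"days": 7, "enabled": true}, "version": "1.0", "write": true}}'
SAMPLE_LOGGING_PARTIAL='{"blob": {"delete": false, "read": true, "retentionPolicy": {"days": 7, "enabled": true}, "version": "1.0", "write": true}}'

# Azure storage account names must be 3-24 characters of lowercase letters and digits.
valid_storage_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Succeed only when read, write and delete logging are all enabled for the blob service.
# Counts the distinct `"<op>": true` pairs in the JSON text; three means all enabled.
blob_logging_complete() {
  json="$1"
  count=$(printf '%s' "$json" | grep -Eo '"(read|write|delete)": *true' | sort -u | grep -c .) || count=0
  [ "$count" -eq 3 ]
}

# Create the account (idempotent), enable Read/Write/Delete logging on the blob service,
# then read the setting back and verify it instead of trusting the update call.
setup_blob_logging() {
  valid_storage_account_name "$STORAGE_ACCOUNT" || { echo "invalid storage account name: $STORAGE_ACCOUNT" >&2; return 1; }
  az storage account create --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
     --location "$LOCATION" --sku Standard_LRS --kind StorageV2 --output none
  # Classic (Storage Analytics) logging for the blob service: rwd = read, write, delete.
  az storage logging update --services b --log rwd --retention 7 --account-name "$STORAGE_ACCOUNT"
  current=$(az storage logging show --services b --account-name "$STORAGE_ACCOUNT" --output json)
  if blob_logging_complete "$current"; then
    echo "Blob read/write/delete logging is enabled on $STORAGE_ACCOUNT."
  else
    echo "Blob logging is incomplete on $STORAGE_ACCOUNT:" >&2
    printf '%s\n' "$current" >&2
    return 1
  fi
}

# Only talk to Azure when explicitly asked (`sh this.sh apply`) and az is available.
if command -v az >/dev/null 2>&1 && [ "${1:-}" = "apply" ]; then
  setup_blob_logging
fi
```

Run it as `sh setup-blob-logging.sh apply` once the placeholders are set. The retention of 7 days is a constructed value; choose one that matches how long FortiCWP needs to look back at blob activity.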
Setup Storage Blob Data Reader
The last step is to grant the Storage Blob Data Reader permission to the Azure AD user. This is necessary for FortiCWP DLP and virus scanning to read and analyze the data stored in the Storage Blob account, and for integrating Azure cloud traffic into FortiCWP.
- From the Azure portal page, search and click Subscriptions.
- Select your subscription.
- Select Access control (IAM) and click +Add; the Add role assignment pane will open.
- In Role field, type and select Storage Blob Data Reader.
- In Assign access to field, leave it as Azure AD user, group, or service principal.
- In Select field, type and select the name or e-mail address of the Azure AD user.
- Click Save to complete granting the role to the Azure AD user.
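The subscription-scoped role assignments from Add Role to the Subscription and Setup Storage Blob Data Reader above, done with the Azure CLI and followed by a verification pass. This is an added example, not Fortinet's tooling or part of the original page. It takes the least-privilege option the page offers (Reader plus Storage Account Contributor rather than Owner or User Access Administrator), assumes `az` is installed and the caller is logged in with rights to assign roles on the subscription, and uses SUBSCRIPTION_ID and USER_UPN as placeholders you replace. The check functions work on plain role-name lists, so the part that does not touch Azure can be exercised offline with constructed input.

```shell
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder, replace
USER_UPN="${USER_UPN:-forticwp-reader@example.onmicrosoft.com}"              # placeholder, replace

# Roles the page asks for at subscription scope: Reader + Storage Account Contributor
# (read access to resources) and Storage Blob Data Reader (DLP / virus scan of blobs).
REQUIRED_ROLES="Reader
Storage Account Contributor
Storage Blob Data Reader"

# ARM scope string for a subscription.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# Refuse to build a scope from anything that does not look like a subscription GUID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Given the role names currently assigned (one per line), print the required roles
# that are still missing. Empty output means the assignment is complete.
missing_roles() {
  assigned="$1"
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    printf '%s\n' "$assigned" | grep -Fxq "$role" || printf '%s\n' "$role"
  done
}

# Given assigned role names (one per line), print any role beyond what the page requires
# (for example Owner), so broader access on the FortiCWP user can be reviewed.
extra_roles() {
  assigned="$1"
  printf '%s\n' "$assigned" | while IFS= read -r role; do
    [ -z "$role" ] && continue
    printf '%s\n' "$REQUIRED_ROLES" | grep -Fxq "$role" || printf '%s\n' "$role"
  done
}

# Create the assignments, then read them back from Azure and verify.
apply_and_verify() {
  is_guid "$SUBSCRIPTION_ID" || { echo "SUBSCRIPTION_ID is not a GUID" >&2; return 1; }
  scope=$(subscription_scope "$SUBSCRIPTION_ID")
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    az role assignment create --assignee "$USER_UPN" --role "$role" --scope "$scope" --output none
  done
  assigned=$(az role assignment list --assignee "$USER_UPN" --scope "$scope" \
               --query '[].roleDefinitionName' --output tsv)
  missing=$(missing_roles "$assigned")
  if [ -n "$missing" ]; then
    echo "Missing roles for $USER_UPN at $scope:" >&2
    printf '%s\n' "$missing" >&2
    return 1
  fi
  extra=$(extra_roles "$assigned")
  [ -n "$extra" ] && { echo "Review these broader roles on $USER_UPN:"; printf '%s\n' "$extra"; }
  echo "Role assignments for $USER_UPN at $scope are complete."
}

# Only talk to Azure when explicitly asked (`sh this.sh apply`) and az is available.
if command -v az >/dev/null 2>&1 && [ "${1:-}" = "apply" ]; then
  apply_and_verify
fi
```

`az account list --query "[].{name:name,id:id,tenant:tenantId}" --output table` prints the Subscription ID and Directory (tenant) ID that the Add Azure Account to FortiCWP step asks for. The page assigns Storage Blob Data Reader at subscription scope; the same `az role assignment create` call accepts the storage account's resource ID as `--scope` if you prefer to limit it to the one account FortiCWP reads.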
Add Azure Account to FortiCWP
Once you have all the prerequisites in place, click Next on FortiCWP. Review all the configurations you have done, and click Grant Access @Azure. This prompts you to log into the Microsoft Azure account using OAuth authentication to grant access to FortiCWP. Follow the steps below to complete the OAuth authentication.
- Enter the Directory ID you saved earlier in the Tenant ID field.
- Enter the subscription ID you saved earlier in the Subscription ID field.
- Optionally, give the Azure account a name on FortiCWP in the Account Name field.
- Click Submit; you will be redirected back to FortiCWP.
- Select the subscriptions to add to FortiCWP.
- Click Add Chosen Subscription to finish adding Azure account.
FortiCWP does not request all permissions from the Global Administrator user, only the subset listed below.
Permissions requested by FortiCWP:
- Read all users' full profiles
- Read all users' basic profiles
- Access Azure Storage as the signed-in user
- Access Azure Service Management as you (preview)
- Read audit log data
- Sign you in and read your profile
- Read all users' basic profiles