Add Microsoft Azure Account

Follow the sections below to set up the Azure subscription and roles and to configure Blob Storage in preparation for adding the Azure subscription to FortiCWP.

Prerequisites

Account Requirement

You may use an existing Azure AD (Azure Active Directory) account or create a new one. Other types of Azure account cannot be added to FortiCWP.

If you create a new account, wait at least 24 hours for the new account to take effect before granting access to FortiCWP.

Role Requirement

Make sure the user account that will be added to FortiCWP has one of the following role(s) before adding the account:

  • Global Administrator role
  • Cloud Application Administrator and Global Reader roles

FortiCWP supports all types of Azure AD license. However, FortiCWP can only integrate the features that the Azure AD license includes. For example, a free Azure AD license does not include the sign-in activity report, so FortiCWP cannot provide sign-in activities for a free Azure AD account.

Setup Subscription

Once you have your Azure license ready, you need a subscription ID to use FortiCWP. If you do not have a subscription yet, follow these steps:

  1. Log into the Azure portal using your Azure account.
  2. Search for and click on Subscriptions.
  3. Click the +Add button to add a subscription.
  4. Select the desired subscription and complete the rest of the billing steps.

Note: A "Pay-As-You-Go" subscription or higher is required to use FortiCWP.

Add Role to the Subscription

Add the Reader, Owner, or User Access Administrator role to the subscription that is going to be added to FortiCWP (only one role is required). The purpose is to give FortiCWP read access to the resources under the subscription.

  1. Search for and click on Subscriptions.
  2. Click on the subscription that is going to be used on FortiCWP.
  3. In the subscription menu, click on Access control (IAM).
  4. Click + Add and select "Add role assignment".
  5. In the Add role assignment pane, click Select a role and select Reader, Owner, or User Access Administrator.

     Note: If you want to select User Access Administrator, first complete Add User Access Administrator role to multiple subscriptions (optional) so that User Access Administrator appears as an available option in Add role assignment.

  6. Leave Assign access to as "User, group, or service principal".
  7. In the Select field, search for and select the member (user account) that will be associated with the role. The user account should have the Global Administrator role or the Cloud Application Administrator + Global Reader roles, as stated in Role Requirement.
  8. Click Save to finish creating the role assignment.

Add User Access Administrator role to multiple subscriptions (optional)

To add multiple subscriptions to FortiCWP with one user account at the same time, follow these steps to configure the subscriptions with read access. If the user account already has the Global Administrator role, only do steps 6-9.

  1. Log in to the Azure portal as the master account user.
  2. In the search field, search for and click on "users".
  3. Click on the user that will be used when adding the subscriptions to FortiCWP.
  4. In the middle Profile navigation menu, click on Assigned roles.
  5. Click +Add assignments to add the Global Administrator role to the user.
  6. Log out of the master account user, and log back in as the user to whom the new roles are assigned.
  7. Search for and click on "Azure Active Directory".
  8. In the Azure Active Directory navigation menu, click on Properties.
  9. Click Yes under Access management for Azure resources, and click Save. This step allows the user to manage access to all subscriptions under the Azure account.

Now the user has the User Access Administrator role on all the subscriptions under the account, and you can add multiple Azure subscriptions at the same time.

Setup Storage Blob Data Reader

Another role to add to the Azure AD user is Storage Blob Data Reader. This role is necessary for FortiCWP DLP and virus scanning to read and analyze the data stored in the Storage Blob account, and for integrating Azure cloud traffic into FortiCWP.

  1. From the Azure portal page, search for and click Subscriptions.
  2. Select your subscription.
  3. Select Access Control (IAM) and click +Add; the Add role assignment pane pops up.
  4. In the Role field, type and select Storage Blob Data Reader.
  5. In the Assign access to field, leave the default "Azure AD user, group, or service principal".
  6. In the Select field, type and select the name or e-mail address of the Azure AD user.
  7. Click Save to complete granting the role to the Azure AD user.

At the end of this step, confirm that your Azure AD account has one of the following role combinations on the subscription, as listed in the table below:

Role Combinations

  • Reader and Storage Blob Data Reader
  • User Access Administrator and Storage Blob Data Reader
  • Owner and Storage Blob Data Reader
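A way to verify the role combination from the table before adding the subscription, as an added example that is not Fortinet's code. It assumes the JSON shape returned by `az role assignment list --assignee <user> -o json` (only the roleDefinitionName and scope fields are used), a constructed placeholder subscription ID, and that assignments inherited from the root or a management group also count for the subscription; assignments scoped to a single resource group do not.

```python
import json

# One of these control-plane roles on the subscription gives FortiCWP read access ...
CONTROL_PLANE_ROLES = {"Reader", "User Access Administrator", "Owner"}
# ... and this data-plane role lets DLP / virus scan read blob data and traffic logs.
DATA_PLANE_ROLE = "Storage Blob Data Reader"

SUB_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription ID
SUB_SCOPE = f"/subscriptions/{SUB_ID}"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample in the shape of `az role assignment list --assignee <user> -o json`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": SUB_SCOPE},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": SUB_SCOPE},
    # Scoped to one resource group only: does not cover the whole subscription.
    {"roleDefinitionName": "Owner", "scope": SUB_SCOPE + "/resourceGroups/rg-test"},
])


def roles_on_subscription(assignments_json, subscription_id):
    """Role names assigned at the subscription scope or inherited from above it."""
    sub_scope = f"/subscriptions/{subscription_id}"
    roles = set()
    for a in json.loads(assignments_json):
        scope = a.get("scope", "")
        if scope == sub_scope or scope == "/" or scope.startswith(MG_PREFIX):
            roles.add(a["roleDefinitionName"])
    return roles


def check_forticwp_roles(assignments_json, subscription_id):
    """ok is True when one of the allowed combinations is present at subscription scope."""
    roles = roles_on_subscription(assignments_json, subscription_id)
    control = roles & CONTROL_PLANE_ROLES
    errors, warnings = [], []
    if not control:
        errors.append("no Reader, Owner or User Access Administrator at subscription scope")
    if DATA_PLANE_ROLE not in roles:
        errors.append(f"no {DATA_PLANE_ROLE} at subscription scope")
    if "Owner" in control:
        # Least privilege: FortiCWP only needs read access, which Reader already provides.
        warnings.append("Owner is broader than the read access FortiCWP needs; Reader is sufficient")
    return {"ok": not errors, "roles": sorted(roles), "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(json.dumps(check_forticwp_roles(SAMPLE_ASSIGNMENTS, SUB_ID), indent=2))
```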

Setup Blob Storage

An Azure Storage account with blob log monitoring enabled is required to install FortiCWP. If you do not have a storage account yet, follow the steps below to create one:

  1. From the portal page, search for and click on Storage accounts.
  2. Click +Create to create a storage account.
  3. Under Basics > Subscription, make sure you select the subscription that is linked to your subscription ID.
  4. In the Resource group field, select a resource group based on your preference or create a new one.
  5. In the Storage account name field, enter an account name based on your preference.
  6. Click Review + create. Once validation passes, click Create.

Enable Blob Log Monitoring

Once the storage account is created, follow the steps below to enable blob log monitoring:

  1. Select the storage account of interest.
  2. From the left menu, select Monitoring (classic) > Diagnostic settings.
  3. Turn On diagnostic logs. Under Blob properties, enable Read, Write, and Delete under Logging.

Add Azure Account to FortiCWP

After all the Azure configuration from the previous sections is complete, follow these steps to add your Azure account to FortiCWP.

  1. Log into FortiCWP with your account, and select Workload Protection.
  2. From the navigation menu, go to ADMIN > Account, and select +Add New.
  3. Select Azure, and click Next. Review the key configuration summary and click Next.
  4. Click Grant Access @Azure to be redirected to the Azure portal.
  5. Log in with your Azure account; a permission request page pops up.
  6. Click Accept to grant FortiCWP the permissions requested.
  7. Azure will prompt you to grant the same permissions 3 more times, then you will be redirected back to FortiCWP.

FortiCWP does not request all permissions from the global administrator user, only a subset. Below is the list of permissions requested by FortiCWP.

Permissions requested by FortiCWP

  • Read audit log data
  • Sign you in and read your profile
  • Read all users' basic profiles
  • Read all groups
  • Read group memberships
  • Read all users' full profiles
  • Read all groups
  • Read directory data
  • Access Azure Storage As the Signed-in User
  • Access Azure Service Management as you (preview)