Introduction

When an organization onboards an Azure environment to Prisma Cloud DSPM, there are several options available - onboarding individual subscriptions or onboarding an entire tenant or management group. When choosing to onboard an entire tenant or management group, the organization gains several benefits:

• Full coverage and protection of the Azure environments
  Unlike individual subscription onboarding, the organization can be sure that all existing subscriptions are covered. This enables the organization to construct a full data map and gain visibility to the entire organizational data estate.
• Automatic provisioning
  When a new subscription is added to the tenant or management group, it is automatically onboarded to Prisma Cloud DSPM. This mitigates risks of shadow subscriptions or delays in onboarding, which can cause gaps in coverage and increase the chance of a data breach going undetected.
• Less organizational overhead
  Instead of adding Prisma Cloud DSPM to each and every subscription individually, taking up precious time from the security and development teams, choosing to onboard a tenant instead of an individual subscription enables the subscriptions to automatically onboard, reducing the effort required by the organization.

Prerequisites

• To deploy an Azure tenant or management group, it is essential that the onboarding scope already includes an existing orchestrator.
• Only one orchestrator can be within the onboarded scope, meaning that attempting to onboard the tenant after onboarding two orchestrator subscriptions will result in failure.
• The user performing the onboarding should have the required permissions to create roles at the tenant level and approve enterprise applications, preferably holding the Global Admin role.

Onboarding Process

1. Log in to Prisma Cloud DSPM.
2. In the sidebar, click Setting.
3. In the Integrations tab, locate Microsoft Azure under the Cloud Platforms section.
4. Click Configure.
5. In the Microsoft Azure Connected Subscriptions window, click Add New, and select Tenant.
6. Make sure you are signed in to the tenant you want to onboard.
7. Select the location of the orchestrator to be used for the classification of the tenant.
8. Click Generate Template, and follow the steps to deploy the template.

After deploying the template, an Azure Policy is deployed to create the resources required to monitor all subscriptions by Prisma Cloud DSPM.

NOTE: All subscriptions other than the orchestrator have the ‘Prisma Cloud DSPM-Security-Scanner-Role’ and ‘Prisma Cloud DSPM-Security-Reader-Role’ deployed and assigned.

Due to limitations in Azure Policy, the template continues to run for 24 hours following the initial deployment.

Permissions Required by Prisma Cloud DSPM at the Tenant Level

In addition to the above permissions, Prisma Cloud DSPM also associates the policy that is created at onboarding time with the ‘Owner’ role. This role is attached to the policy at creation time and can’t be used by DSPM to alter the environment. This role is required in order to auto-provision DSPM on newly added subscriptions.

For further details refer to the Technical Details section below.

Technical Details

• When a new subscription is added to the tenant or management group, the new subscription is automatically onboarded to Prisma Cloud DSPM. This proactive approach effectively reduces the risks associated with shadow subscriptions or any potential delays in onboarding. By doing so, it significantly minimizes the likelihood of coverage gaps and enhances the detection capabilities, thereby reducing the risk of undetected data breaches. The customer must grant the 'owner' role to the system, which is not usable by Prisma Cloud DSPM, but is only usable by the system user.
• During an onboarding of a subscription, the policy responsible for provisioning necessary resources, such as resource group, roles, role assignments, and activity log diagnostic setting. This policy then continuously monitors the creation of new subscriptions and automatically activates monitoring for these newly created subscriptions within Prisma Cloud DSPM's system.
• During the onboarding process, Prisma Cloud DSPM does not perform any networking modifications. However, networking adjustments may be implemented during the scanning process. These adjustments can include setting up virtual networks, subnets, private endpoints, and other related configurations. This process is identical to the process that occurs when onboarding subscriptions individually.