Enable SaaS API Data Loss Prevention for Azure Tenants
You can apply DLP SaaS API rules to files in an Azure tenant. You must first authorize the tenant using the procedure described below. Once the tenant is authorized, Secure Access checks each file residing in the tenant and, when it finds data in violation of an enabled SaaS API rule, enforces the action of that rule.
Table of Contents
- Prerequisites
- Limitation
- Authorize an Azure Tenant
- Run an Azure PowerShell Script to Obtain Account Information
- Revoke Authorization
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- You must have an active Azure account and the person doing the installation must be an Azure Global Admin.
- Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization)
Limitation
- A tenant that fails to authenticate cannot be deleted.
Authorize an Azure Tenant
- Navigate to Admin > Authentication.
- Under Platforms, click to expand Azure Storage.
- In the DLP subsection, click Authorize New Tenant to add an Azure tenant to your Secure Access environment.
- In the Azure Storage Authorization dialog, click Download Script to download the Azure PowerShell script AzureOnboarding.ps1. Save the script to your local machine, then run the script in Azure PowerShell before proceeding to the next step. Be sure to note the information the script provides: Account ID, Client ID, and Client Secret.
- In the Azure Storage Authorization dialog, check the checkboxes to verify you have met the prerequisites, then click Next.
- Enter a Tenant Name that is meaningful within your environment, then click Next.
- Paste the Account ID, Client ID, and Client Secret (which you obtained when you ran the PowerShell script in the Azure portal) in the appropriate boxes and click Done. (It may take up to 24 hours for the integration to be confirmed and appear as Authorized on the Authentication page.)
Run an Azure PowerShell Script to Obtain Account Information
- In the Azure portal, open a PowerShell terminal window.
- Upload the script you downloaded in Step 4 of Authorize an Azure Tenant: In the Azure portal choose Manage Files > Upload, and choose the file.
- Azure will display a message reporting Successfully uploaded a file and show the location and file name; note this information before dismissing the message.
- In the terminal window, set your current directory to the location of the uploaded file.
- To run the script, at the caret prompt (>) in the terminal window, enter ./AzureOnboarding.ps1.
- The script will prompt you to log in from a web browser at https://microsoft.com/deviceLogin, and provide you with a code to authenticate. (If you get an error indicating you are already signed in, log out and log back in again.)
- After initiating the login process, return to the terminal window.
- The login process will present you with a numbered list of subscriptions available to you. (The subscription provides the environment where Azure will create resources needed to onboard Azure Storage for Secure Access DLP protection.) Enter the number corresponding to the subscription you want to work in, or press Enter to use the default subscription, indicated with an asterisk.
- The script will present a list of available subscriptions. Enter the name of the same subscription you chose during the login process in the previous step.
- The script will present a list of Resource Groups available within the subscription you have chosen, and prompt you to enter the name of the Resource Group you want to use. This is where the resources needed for onboarding will reside.
- For each Storage Account associated with your subscription, the script will offer you the chance to add that Storage Account to the list of Storage Accounts with data to be scanned by Secure Access DLP. When presented with each Storage Account name, press Enter to add that account to the list, or Escape to skip that account. Azure will display messages confirming your choices.
The script then proceeds to create the resources needed to support Secure Access DLP.
- When the script has completed processing, it will display an Account ID, a Client ID, and a Client Secret. Copy that information and return to Step 5 in Authorize an Azure Tenant.
Revoke Authorization
- Navigate to Admin > Authentication.
- In the Platforms section, click Azure Storage.
- Under the Action column, click Revoke. You can revoke any authorized tenant.
- Click Revoke. The selected account is no longer authorized.