Microsoft Azure - Manual Deployment
Written By Dan Crawford
Last updated 6 days ago
This section covers the manual deployment process for integrating Azure with PGP. While this method gives you complete control over each step, we recommend the Terraform/IaC approach for better consistency and maintainability.
Important: Manual deployment is more complex and error-prone than the automated Terraform method. Consider using the IaC approach unless you have specific requirements that necessitate manual configuration.
Manual deployment requires creating several Azure resources through the Azure portal. The process is similar for both scopes, with role assignment being the key difference.
Prerequisites
Before starting the integration, ensure you have:
- Azure portal access with Global Administrator permissions, to create app registrations and assign roles
- User Access Administrator permissions at the tenant root, required for tenant-level integration role assignments
- Subscription Owner or User Access Administrator permissions, required for subscription-level integration
Integration Process
Step 1: Initiate Integration Setup
- Navigate to the Integrations section in your PGP dashboard
- Click "Add Integration" and select "Azure"
- Choose your integration scope and provide the required information

Tenant-Level Integration (Recommended)
For tenant-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Deployment Type: Choose Manual
TIP: To get your Tenant ID, navigate to Azure Active Directory (or Microsoft Entra ID) in the Azure Portal. The tenant ID is displayed in the Overview section, or you can find it in the URL when viewing your directory.
Subscription-Level Integration
For subscription-level integration, you'll need to provide:
- Tenant ID: Your Azure AD tenant ID (GUID format)
- Subscription ID: The specific Azure subscription ID you want to integrate
- Deployment Type: Choose Manual
Step 2: Record Your Unique Subject
PGP will provide you with a unique Subject value. This will be used in a future step to assign the subject match condition for the OIDC integration.
NOTE: This value is unique per integration attempt. If an attempt fails (which is unlikely), that subject value is invalidated, and any new attempt must use the new subject value that PGP generates and provides for it.

Manual Deployment Instructions
Step 1: Create App Registration
- Sign in to the Azure Portal
- Navigate to "Azure Active Directory" (or "Microsoft Entra ID")
- Go to "App registrations" > "New registration"
- Set application details:
  - Name: Praetorian PGP Integration
  - Supported account types: "Accounts in this organizational directory only"
  - Redirect URI: Leave blank
- Click "Register"

Step 2: Configure API Permissions
- In your app registration, go to "API permissions"
- Click "Add a permission" > "Microsoft Graph" > "Application permissions"
- Add the following permissions:
  - Directory.Read.All
  - Policy.Read.All
  - RoleManagement.Read.All
  - RoleManagement.Read.Directory
  - RoleEligibilitySchedule.Read.Directory
  - RoleManagementPolicy.Read.AzureADGroup
  - RoleManagementPolicy.Read.Directory
- Assign the Global Reader Entra role to the App Registration
Step 3: Grant Admin Consent
- In the "API permissions" section, click "Grant admin consent for [Your Organization]"
- Confirm the consent by clicking "Yes"
- Verify all permissions show "Granted for [Your Organization]" status

Step 4: Create Federated Identity Credential
- In your app registration, go to "Certificates & secrets"
- Click the "Federated credentials" tab
- Click "Add credential"
- Select "Other issuer" as the federated credential scenario
- Set credential details:
  - Issuer: https://cognito-idp.us-east-2.amazonaws.com/us-east-2_zwCio82YL
  - Subject identifier: YOUR-UNIQUE-USERNAME (the subject value from Step 2 of "Integration Process")
  - Audience: 5nbjkqbdhuf5rnn9m9ko5v3ir1
  - Name: FederationPGP
  - Description: Federated credential for PGP
- Click "Add"

Step 5: Assign the Reader Role
The role assignment process differs based on your integration scope:
For Tenant-Level Integration:
- Navigate to "Management groups" in the Azure Portal
- Select your tenant root management group (named with your tenant ID)
- Go to "Access control (IAM)"
- Click "Add" > "Add role assignment"
- Select "Reader" role
- Click "Next"
- Choose "User, group, or service principal"
- Click "Select members"
- Search for and select "Praetorian PGP Integration"
- Click "Select" > "Review + assign" > "Assign"

For Subscription-Level Integration:
- Navigate to "Subscriptions" in the Azure Portal
- Select your target subscription
- Go to "Access control (IAM)"
- Click "Add" > "Add role assignment"
- Select "Reader" role
- Follow the same member selection process as above
Step 6: Record Application Details
- Go back to your app registration "Overview" page
- Copy the "Application (client) ID" - this will be needed for verification
- Note the "Directory (tenant) ID" for reference
- Provide the information back to PGP
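The six portal steps above as an Azure CLI script, added here as an example and not part of Praetorian's documentation or tooling. It assumes you have run `az login` as a Global Administrator who also holds User Access Administrator at the chosen scope, and it uses Microsoft Graph's `roleDefinitions`/`roleAssignments` endpoints for the Global Reader step; the issuer, audience, names and permission list are the ones given in the steps above.

```shell
# Added example, not Praetorian's code. Assumes `az login` as Global Administrator + User Access Administrator.
set -eu
FIC_ISSUER="https://cognito-idp.us-east-2.amazonaws.com/us-east-2_zwCio82YL"   # from Step 4
FIC_AUDIENCE="5nbjkqbdhuf5rnn9m9ko5v3ir1"                                      # from Step 4
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
GRAPH="https://graph.microsoft.com/v1.0"

# Step 4 body: only tokens from this issuer, for this audience, carrying the PGP-issued subject are accepted.
build_fic_json() {
  printf '{"name":"FederationPGP","issuer":"%s","subject":"%s","audiences":["%s"],"description":"Federated credential for PGP"}' \
    "$FIC_ISSUER" "$1" "$FIC_AUDIENCE"
}

# Step 5 scope: the tenant root management group is named with the tenant ID.
role_scope() {
  case "$1" in
    tenant)       printf '/providers/Microsoft.Management/managementGroups/%s' "$2" ;;
    subscription) printf '/subscriptions/%s' "$2" ;;
    *)            return 1 ;;
  esac
}

# Resolve a Graph application-permission name to its role id instead of hard-coding GUIDs.
graph_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$1'].id" -o tsv
}

deploy() {   # deploy <pgp-subject> <tenant|subscription> <tenant-or-subscription-id>
  app_id=$(az ad app create --display-name "Praetorian PGP Integration" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)                   # Step 1
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  for perm in Directory.Read.All Policy.Read.All RoleManagement.Read.All \
              RoleManagement.Read.Directory RoleEligibilitySchedule.Read.Directory \
              RoleManagementPolicy.Read.AzureADGroup RoleManagementPolicy.Read.Directory; do
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
      --api-permissions "$(graph_role_id "$perm")=Role"                              # Step 2
  done
  gr_id=$(az rest --method GET --query "value[0].id" -o tsv \
    --url "$GRAPH/roleManagement/directory/roleDefinitions?\$filter=displayName%20eq%20'Global%20Reader'")
  az rest --method POST --url "$GRAPH/roleManagement/directory/roleAssignments" \
    --body "{\"principalId\":\"$sp_id\",\"roleDefinitionId\":\"$gr_id\",\"directoryScopeId\":\"/\"}"  # Step 2: Global Reader
  az ad app permission admin-consent --id "$app_id"                                  # Step 3
  build_fic_json "$1" > fic.json
  az ad app federated-credential create --id "$app_id" --parameters fic.json         # Step 4
  az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role Reader --scope "$(role_scope "$2" "$3")"                                  # Step 5
  echo "Application (client) ID to give PGP: $app_id"                                 # Step 6
}
if [ "${1:-}" = "deploy" ]; then deploy "$2" "$3" "$4"; fi
```

Run it as `sh deploy-pgp.sh deploy <subject> tenant <tenant-id>` or `... subscription <subscription-id>`; newly created app objects can take a few seconds to propagate, so rerun the service principal step if it reports the application is not yet found.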
Completing Your Manual Integration
After completing all manual deployment steps, return to the PGP integration modal and enter the Application (client) ID you recorded in Step 6. Click "Finish" to complete the integration process.
PGP will validate the integration by performing authentication tests and verifying the configured permissions. Once validated, your Azure integration will appear in your integrations list and begin monitoring your Azure environment.
Need Help?
If you encounter any issues during the manual deployment process or have questions about the integration setup, please contact our support team at support@praetorian.com. Include your Application ID and any error messages you've encountered to help us assist you more effectively.