Azure
You can install Agentless CSPM and/or Agentless CDR.
Prerequisites
- Sysdig Secure SaaS with Admin permissions.
- Terraform v. 1.3.1+ installed on the machine from which you will deploy the installation.
- The Azure CLI installed on the same machine. For more information, see How to install the Azure CLI.
- Azure requirements for roles, permissions, and environment, as described in Prepare Your Environment.
Review Azure Roles and Permissions
Review these concepts before preparing your environment and running the installation wizard.
Involved Security principals
Connecting an Azure environment involves two different security principals:
- Installer: The primary security principal involved. It can be a human user performing the installation or the service principal used by your CI/CD. Sometimes this principal may encompass multiple people in an organization. Installers need specific Entra ID and Azure role-based access control (RBAC) roles to perform the cloud account onboarding.
- Sysdig: The onboarding process creates a “robot user” in the form of a Service Principal. It has different, less permissive roles that are used by Sysdig.
Azure Role Types
Azure has two types of roles that must be correctly assigned for you to onboard:
- Entra ID roles are applied to the entire Tenant and control what actions you can take in that tenant. For details, see the Azure documentation on Entra ID (formerly Active Directory) roles.
- Azure RBAC roles are applied to the Subscription or Management Group and control what actions you can take on that subscription or management group. For details, see the Azure documentation on Azure Role-Based Access Control and Assigning Azure Roles in the Azure Portal.
Permissions Required to Install
Entra ID
To perform the installation, the installer principal needs to have the following Entra ID roles:
- Application Administrator and Privileged Role Administrator. Application Administrator is required to create a Service Principal associated with a Sysdig-owned application. Privileged Role Administrator is required to assign the Directory Reader Entra ID role to the created Service Principal.
Or
- Global Administrator, which contains both of the above permissions in a single role.
For details, see the Azure documentation on Application Administrator and Privileged Role Administrator.
Azure RBAC
The installer must have the following permission to assign Azure RBAC roles:
- Microsoft.Authorization/roleAssignments/write: This permission is used to assign the Service Principal permission on the specified Subscriptions. The permissions assigned are documented below.
Common roles that contain this permission are:
- User Access Administrator
- Owner
Permissions Granted to Sysdig
The installation creates a Service Principal that Sysdig can access. This Service Principal is granted the following roles:
Entra ID:
- Directory Readers - this role is used to allow Sysdig to list Users and Service Principals for CSPM.
Azure RBAC:
- Reader - this role is used to allow Sysdig to list resources within your subscriptions for CSPM.
- Custom Role - this is a custom role used to give Sysdig permissions to collect the AuthSettings object required for CSPM.
Prepare Your Environment
Preparation of your Azure environment, roles, and permissions is the key to a seamless connection between your Azure cloud accounts and Sysdig. When preparation is complete, the installation itself is a simple, wizard-guided process from the Sysdig Secure UI.
Use the following steps to prepare for onboarding.
Step 1: Provide User with Appropriate Roles
Log in to Azure and ensure that the principal you log in with has all the necessary roles and permissions required to install.
You can:
- Use an existing principal who meets the permissions requirements
- Create a new principal and set up permissions
- Add permissions to an existing principal
To begin:
Log in to Azure and check your Entra ID roles.
Navigate to the Entra ID console and select Roles and Administrators.
Click on Your Role.
Entra ID is displayed with associated roles.
Add any missing Entra ID roles. See Permissions Required to Install.
Check your Azure RBAC Roles.
For Single Subscriptions:
Navigate to Subscriptions.
Click the target subscription and go to Access Control (IAM).
Click Role Assignments.
Ensure that the required Azure role is assigned to your user. See Permissions Required to Install.
For Management Groups:
Navigate to Management Groups.
Click the target Management Group and go to Access Control (IAM).
Click Role Assignments.
Ensure that the required Azure role is assigned to your user.
Add any missing Azure RBAC Role assignments. See Permissions Required to Install.
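As an added example (not Sysdig's or Azure's code), the following Python checks whether the installer principal's Azure RBAC assignments grant Microsoft.Authorization/roleAssignments/write at a target subscription, the check described under Azure RBAC above and in Step 1. It applies Azure's Actions-minus-NotActions wildcard semantics and scope inheritance to constructed data shaped like az role assignment list output; the role definitions, subscription ids and management group names are constructed, not from a real tenant.

```python
import fnmatch

# The permission the installer principal must hold to assign roles to the Sysdig Service Principal.
REQUIRED_ACTION = "Microsoft.Authorization/roleAssignments/write"

# Constructed role definitions mirroring the Actions/NotActions of Azure built-in roles.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}

# Constructed sample of `az role assignment list --assignee <installer> --all` output (placeholder ids).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
]

def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings are case-insensitive and '*' matches any characters, including '/'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_grants(role_name: str, action: str) -> bool:
    """Effective permissions are Actions minus NotActions (NotActions is a subtraction, not a deny)."""
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    excluded = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not excluded

def scope_chain(subscription_id: str, management_group_ids: list) -> list:
    """Scopes whose assignments the subscription inherits: root, its management groups, itself."""
    mgs = [f"/providers/Microsoft.Management/managementGroups/{mg}" for mg in management_group_ids]
    return ["/"] + mgs + [f"/subscriptions/{subscription_id}"]

def roles_granting_assignment_write(assignments: list, target_scopes: list) -> list:
    """Names of the assigned roles that grant REQUIRED_ACTION at the target subscription."""
    return [a["roleDefinitionName"] for a in assignments
            if a["scope"] in target_scopes and role_grants(a["roleDefinitionName"], REQUIRED_ACTION)]
```

Note that Contributor is not sufficient: its NotActions subtract Microsoft.Authorization/*/Write, so an installer with only Contributor cannot assign the Service Principal's roles.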
Extra Step for the Service Principal Installer
This step is required only when you select the Cloud Logs feature, unless you want to disable Entra logs.
Set Entra ID > Properties > Access management for Azure resources to Yes.
Entra CDR creates Diagnostic Settings at the Entra level, so the Service Principal needs to read and write at the Entra level. As of May 6, 2024, you cannot assign Azure RBAC roles at the Entra level through the Azure Portal. However, you can assign these permissions through the API or the CLI as follows:
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id <OBJECT_ID> --scope "/providers/Microsoft.aadiam" --role Contributor
<OBJECT_ID> is the Object-ID of the Enterprise Application of your Service Principal (not the Object-ID of your application).
Note: You must have a Global Admin Role to assign that role. See Permissions Required to Install.
Step 2: Configure Your Subscriptions
Register the resource provider Microsoft.ManagedService in each subscription to be onboarded.
For further guidance, see Azure’s registration instructions.
Step 3: Authenticate and Configure Terraform
Configure your environment from your local machine, preparing to apply Terraform.
Ensure the prerequisites are met:
- Terraform v.1.3.1+ installed
- Azure CLI installed
Authenticate your user and configure Terraform to use these credentials.
A common way to do this is:
Ensure you are logged in to the correct Tenant.
Log in using the Azure CLI:
az login --tenant "TENANT_ID_OR_DOMAIN"
You will be presented with a web page to select your user account. Be sure to log in as the user you configured in Step 1.
Confirm you are logged in as the correct user, by running:
az ad signed-in-user show
For alternative ways to authenticate Terraform, see the Terraform documentation: Authenticating to Azure Active Directory and Authenticating to Azure.
Install using Wizard
To install agentless CSPM and/or CDR, follow the Wizard Quick Start.
Log in and authenticate in Azure, per the Preparation steps above.
Log in to Sysdig Secure as admin, select Integrations > Cloud Accounts | Azure, and click +Add Azure Account.
It is possible to install agentless CDR only. In all other cases, all agentless Azure installations include CSPM.
All features are included by default. Deselect individual features if desired:
- Cloud Detection and Response (CDR)
- Vulnerability Host Scanning
Then click Next.
Select which installation method matches your enterprise and click Next.
- Tenant Multi-Subscription: Configure Azure for a tenant.
- Single Subscription: Configure Azure for a single subscription.
The Installation screen appears. Specify the following in the wizard:
- Subscription ID: The ID of the Azure subscription where Sysdig resources will be created.
- Tenant ID: The ID of the Azure Active Directory Tenant you want to connect.
- Management Groups: To onboard your entire Tenant, enter your Root Management Group ID. To onboard a subset, enter the Management Group IDs in a comma separated list. Check your groups using the wizard link, if needed.
The wizard will auto-populate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.
Create a file called main.tf. Copy the code snippet from the Wizard into the file and run:
terraform init && terraform apply
Return to the wizard and click Complete.
Validate
Log in to Sysdig Secure and check that each module you deployed is functioning. Events may take 10 minutes or so to collect and display. To validate the successful connection of each of the chosen features:
- In Sysdig Secure, select Integrations > Cloud Accounts > Azure.
- The Status column shows the overall connection status (Connected/Partial Error/Error/Unknown).
Check Overall Connection Status
Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Check CSPM
Inventory: Select the Inventory module and filter for subscription = . Check for your Azure cloud account in the drop-down.