
Skyhigh Security

Integrate Microsoft Azure with Skyhigh CASB

Before you enable Microsoft Azure, make sure that you have an Azure account with permissions that allow you to read security configurations of Azure resources to be monitored by Skyhigh CASB.

Note: Skyhigh single sign-on (SSO) users are not supported for Microsoft Azure onboarding.

Required Roles in Azure

Users require the following roles in Azure:

  • Config Audit
    • Reader
    • Reader and Data Access

NOTE: The Reader and Data Access permission is required for the Config Audit policy "Azure blob storage containers should not be world readable".

  • Activity Monitoring
    • Reader
    • Reader and Data Access
  • DLP and Malware (including Quarantine)
    • Reader and Data Access

NOTE: If you have any firewall or network restrictions for the Azure Subscriptions or Storage Accounts, then the Skyhigh CASB IP addresses should be added to the allow list. For details, see Skyhigh CASB - IP Addresses.

Configure Roles in Azure

  1. Log in to the Microsoft Azure Portal.
  2. Under Azure services, click Subscriptions.
  3. Select the Subscription from the list.
  4. Select Access control (IAM).
  5. On the Check access tab, click Add role assignment.
  6. As the role, select Reader, then click Next.
  7. Select the members to grant the Reader permission to, then click Next.
  8. Select User. The user appears under the Name field with the Object ID. Then click Next.
  9. Review the role assignment, then click Review + assign.
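
A pre-flight check for the role assignments made above, as an added example that is not part of the Skyhigh documentation: it reads role assignments in the JSON shape returned by `az role assignment list --output json` and reports, per feature, which required roles the onboarding account still lacks at subscription scope. The function name, the sample account, and the subscription ID are assumptions made for illustration.

```python
import json

# Roles per feature, copied from the "Required Roles in Azure" list above.
REQUIRED = {
    "Config Audit": {"Reader", "Reader and Data Access"},
    "Activity Monitoring": {"Reader", "Reader and Data Access"},
    "DLP and Malware": {"Reader and Data Access"},
}

def check_roles(assignments, subscription_id, principal):
    """Report required roles the principal lacks at subscription scope."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    held, narrower = set(), []
    for a in assignments:
        if (a.get("principalName") or "").lower() != principal.lower():
            continue
        role = a.get("roleDefinitionName") or ""
        scope = (a.get("scope") or "").rstrip("/").lower()
        if scope == sub_scope:
            held.add(role)
        elif scope.startswith(sub_scope + "/"):
            # Resource-group or resource scope does not cover the subscription.
            narrower.append((role, a["scope"]))
        # Assumption: management-group (inherited) scopes are not evaluated here.
    needed = set().union(*REQUIRED.values())
    return {
        "missing": {f: sorted(r - held) for f, r in REQUIRED.items()},
        "narrower_scope": narrower,
        "extra_roles": sorted(held - needed),  # more than this page asks for
    }

# Constructed sample data; the subscription ID and account names are placeholders.
SUB_ID = "00000000-0000-0000-0000-000000000000"
USER = "casb-onboarding@example.com"
SAMPLE = [
    {"principalName": USER, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": USER, "roleDefinitionName": "Reader and Data Access",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-storage"},
    {"principalName": USER, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": "someone-else@example.com",
     "roleDefinitionName": "Reader and Data Access",
     "scope": f"/subscriptions/{SUB_ID}"},
]

if __name__ == "__main__":
    print(json.dumps(check_roles(SAMPLE, SUB_ID, USER), indent=2))
```

In the sample, Reader and Data Access is reported as missing for every feature because it was granted only on a resource group, and Contributor is listed under `extra_roles` as a role beyond what this page requires.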

Enable Azure

To enable Azure:

  1. Go to Settings > Service Management.
  2. Click Add Service Instance and select Microsoft Azure.
  3. Add an Instance Name and click Done.
  4. Select the features you want to enable for your Azure account.
    • DLP. Use On-Demand Scans to examine cloud services for content that violates your policies and support targeted investigations. Enable On-Demand Scan to run your scan immediately or set the scan schedule to daily or weekly.
    • Activity Monitoring. Activity Monitoring allows forensic auditing and investigation of individual activities.
    • Security Configuration Audit. Security Configuration Audit allows your policy team to monitor and discover if your cloud services have been configured per industry best practices.
    • Vulnerabilities. Scans for Common Vulnerabilities and Exposures in container images.
  5. Review the mandatory Pre-requisites, click the checkbox, and click Next.
  6. Click Provide API Credentials.
    The Microsoft O365 (or Azure) login window appears.
  7. Enter your O365 (or Azure) credentials, or pick an existing account.
  8. Review the permissions and click Accept.
  9. API Access is Enabled. Click Next.
    Make sure you have configured the roles in Skyhigh CASB.
  10. Select a Subscription ID from the list. Click Next.
  11. Select the Subscription Owner's email to notify about any Configuration Audit Policy violation incidents. Alternatively, you can manually enter an email in the description box.
  12. Review your settings and click Save.

Azure is now enabled on the Service Management page.
