SaaS Security Administrator's Guide
    : Onboard a Microsoft Azure AD App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security Posture Management
    5. Onboard SaaS Apps Supported by SSPM
    6. Onboard a Microsoft Azure AD App to SSPM
    Download PDF

    SaaS Security Administrator's Guide

    Onboard a Microsoft Azure AD App to SSPM

    Table of Contents

    Onboard a Microsoft Azure AD App to SSPM

    Connect a Microsoft Azure AD instance to SSPM to detect posture risks.
    For SSPM to detect posture risks in your Microsoft Azure Active Directory (AD) instance, you must onboard your Microsoft Azure AD instance to SSPM. Through the onboarding process, SSPM connects to a Microsoft Azure AD API and, through the API, scans your Microsoft Azure AD instance for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
    SSPM gets access to your Microsoft Azure AD instance through OAuth 2.0 authorization. During the onboarding process, you will log in to Microsoft Azure AD and grant SSPM the access it requires.
    To onboard your Microsoft Azure AD instance, you complete the following actions:

    Identify the Administrator Account for Granting SSPM Access

    During the onboarding process, SSPM will redirect you to log in to Microsoft Azure AD. After you log in, Microsoft Azure AD will prompt you to grant SSPM the access it needs to your Microsoft Azure AD instance.
    After SSPM establishes the connection, it will perform an initial scan of your Microsoft Azure AD instance, and will then run scans at regular intervals of approximately 30 minutes. For SSPM to run these scans, the administrator account that you use to establish the initial connection must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, the scans will fail and you will need to onboard Microsoft Azure AD again.
    1. Verify that your account has the permissions that SSPM will require.
      Required Permissions: To grant SSPM the access that it requires, you must log in with an account that has Microsoft Global Admin permissions.
    2. Log out of all Microsoft Azure AD accounts.
      Logging out of all Microsoft Azure AD accounts helps ensure that you log in under the correct account during the onboarding process. Some browsers can automatically log you in by using saved credentials. To ensure that the browser does not automatically log you in to the wrong account, you can turn off any automatic log-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.

    Connect SSPM to Your Microsoft Azure AD Instance

    By adding a Microsoft Azure AD app in SSPM, you enable SSPM to connect to your Microsoft Azure AD instance.
    1. From the Add Application Page (Posture SecurityApplicationsAdd Application), click the Microsoft Azure AD tile.
    2. Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
    3. Select the option to Log in with Credentials and Connect.
      SSPM redirects you to the Microsoft Azure AD login page.
    4. Enter the credentials for the Microsoft Global Admin account that you identified earlier, and log in to Microsoft Azure AD.
      Microsoft Azure AD displays a consent form that details the access permissions that SSPM requires.
    5. Review the consent form and allow access.

    © 2024 Palo Alto Networks, Inc. All rights reserved.