Onboarding Azure Blob applications
This section outlines the procedures for onboarding Azure Blob Storage cloud applications.
Notes
- Juniper Secure Edge does not support Azure Data Lake Storage generation 2 storage accounts. Juniper is unable to log activity or take actions on blobs using this storage type.
- Juniper Secure Edge does not support content-related actions on immutable containers, due to retention and legal hold policies enforced by Azure.
Configuration steps
In preparation for onboarding Azure Blob, do the following:
- Ensure that you have an active Azure account and that you have the Subscription ID of the account.
- Ensure that your Azure subscription has at least one storage account with the storageV2 type.
- Ensure that you have a storage account to use for quarantine actions. You will be prompted to select the storage account during onboarding. You can use an existing storage account, or, if you prefer, create a new dedicated storage account for quarantine.
- Create a new custom role at the subscription level, and assign it to an admin account. This will be used for authorization on the Management Console. See details for this step below.
- Ensure that your Azure account has the EventGrid resource registered. See details for this step below.
Creating a custom role
- Copy the following code into a new text document.

  {
    "properties": {
      "roleName": "casbrole",
      "description": "CASB role",
      "assignableScopes": [
        "/subscriptions/<Subscription-ID>"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Storage/storageAccounts/encryptionScopes/read",
            "Microsoft.Storage/storageAccounts/blobServices/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read",
            "Microsoft.Storage/storageAccounts/queueServices/read",
            "Microsoft.Storage/storageAccounts/queueServices/queues/write",
            "Microsoft.EventGrid/eventSubscriptions/delete",
            "Microsoft.EventGrid/eventSubscriptions/read",
            "Microsoft.EventGrid/eventSubscriptions/write",
            "Microsoft.Storage/storageAccounts/write",
            "Microsoft.Storage/storageAccounts/listkeys/action",
            "Microsoft.EventGrid/systemTopics/read",
            "Microsoft.EventGrid/systemTopics/write",
            "Microsoft.Insights/eventtypes/values/Read",
            "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read"
          ],
          "notActions": [],
          "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
          ],
          "notDataActions": []
        }
      ]
    }
  }

- Replace the text "<Subscription-ID>" with the subscription ID for your Azure account. If desired, you can also replace the roleName and description values.
- Save the text file with a .json extension.
- In the Azure console, navigate to Azure Subscription > Access Control (IAM).
- Click Add and select Add custom role.
- For Baseline Permissions, select Start from JSON.
- Use the file browser to select and upload the .json file that you saved in step 2 above.
- If needed, enter or update the name and (optional) description of your new role.
- Select Review + Create to see all settings for your new role.
- Click Create to finish creating the new role.
- Assign the new role to a user with admin permissions on your Azure account.
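Before uploading the role file, it is worth reviewing offline exactly what it will grant; the script below is an added example, not Juniper's or Azure's code. It fills in the <Subscription-ID> placeholder, checks that the value is a GUID and that assignableScopes matches it, and lists the permissions that go beyond read access (listkeys/action in particular returns the storage account keys, which give full data-plane access to every container in the account). SAMPLE_TEMPLATE is a constructed subset of the page's role so the example runs stand-alone; pass the path of the saved .json file and your subscription ID to review the full role.

```python
import json
import re
import sys

# Subscription IDs are GUIDs; anything else means the placeholder was filled incorrectly.
SUBSCRIPTION_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Permissions in the page's role that grant more than read access; the summaries are this example's own.
HIGH_IMPACT = {
    "Microsoft.Storage/storageAccounts/listkeys/action": "returns account keys: full data-plane access",
    "Microsoft.Storage/storageAccounts/write": "modifies storage account settings",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete": "deletes blobs",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action":
        "deletes blobs past soft-delete protection",
}

# Constructed subset of the page's role definition so the example runs stand-alone.
SAMPLE_TEMPLATE = json.dumps({"properties": {
    "roleName": "casbrole", "description": "CASB role",
    "assignableScopes": ["/subscriptions/<Subscription-ID>"],
    "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/listkeys/action"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
        "notDataActions": []}]}})

def fill_subscription(template: str, subscription_id: str) -> dict:
    """Replace <Subscription-ID> (the page's step 2) and parse the resulting JSON."""
    if not SUBSCRIPTION_ID_RE.match(subscription_id.lower()):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    return json.loads(template.replace("<Subscription-ID>", subscription_id))

def audit_role(role: dict, subscription_id: str) -> dict:
    """Check the assignable scope and list the high-impact permissions the role grants."""
    props = role["properties"]
    perms = props["permissions"][0]
    granted = perms["actions"] + perms["dataActions"]
    return {
        "scope_ok": props["assignableScopes"] == [f"/subscriptions/{subscription_id}"],
        "placeholder_left": any("<" in s for s in props["assignableScopes"]),
        "wildcards": [p for p in granted if "*" in p],
        "high_impact": {p: HIGH_IMPACT[p] for p in granted if p in HIGH_IMPACT},
    }

if __name__ == "__main__":  # usage: python review_role.py casbrole.json <subscription-id>
    template = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_TEMPLATE
    sub_id = sys.argv[2] if len(sys.argv) > 2 else "00000000-0000-0000-0000-000000000000"
    print(json.dumps(audit_role(fill_subscription(template, sub_id), sub_id), indent=2))
```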
Registering the EventGrid resource
- In the Azure console, navigate to Azure Subscription > Resource Providers.
- Use the filter field to search for Microsoft.EventGrid. Select it and click Register.
Onboarding steps
- From the Management Console, select Administration > App Management and click +New.
- Select Azure. Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Click Next.
- Select Microsoft Azure Blob Storage and click Next.
- Select API Access (required). If needed, you can also select Cloud Security Posture (optional). Click Next.
- For both Azure and Azure Blob Storage, click the Authorize button and enter the credentials for the account that you assigned your new role to in the previous section. If prompted, click Accept to give Juniper permissions on your Azure account.
- After you have authorized both accounts, the Subscription Id field appears. Select your Azure subscription.
- The Destination Storage Account field appears. Select the storage account that you want to use as a quarantine container.
- Click Next.
- Ensure that the details shown on the summary page are correct. If they are, click Next to finish onboarding.