    Onboarding Azure manually within Dasera instances

    Overview

    These instructions cover onboarding Azure Subscriptions and Tenants as Infrastructure Connections within Dasera. Such connections permit Dasera to discover your available Data Stores and facilitate scanning and classification activities. Repeat the steps below for each Azure Account you wish to onboard to Dasera.

    Register Dasera App Service Principal

    1. Log in to your Azure portal and search for App registration.
    2. Click on New Registrations and complete the registration by providing an app Name. It is recommended to include "Dasera" in the name to make it easier to identify.
    3. Go to the Overview of the created app and capture the Application ID and Tenant ID (Directory ID).

    Create Client Secret

    1. From the Dasera App overview, navigate to Certificates & secrets and click on New client secret.
    2. Enter a Description and the validity of the secret.
    3. Click Add to create the secret. Copy and capture the Secret value as the Application Secret. The secret is never shown again after this step.

    Add Dasera Role

    1. Navigate to Subscriptions and capture the Subscription ID.
    2. Navigate to Access control (IAM) and add a custom role by clicking the Add menu bar at the top.
    3. Navigate to the JSON tab and click the Edit button.
    4. In the text area, replace the default JSON with one of the following Dasera-specific JSON documents. Be sure to substitute your Azure Subscription ID value where you see <AZURE SUBSCRIPTION ID>.

    Standard Permissions

    Use this JSON for the standard permissions required by Dasera.

    {
        "properties": {
            "roleName": "Dasera Role",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<AZURE SUBSCRIPTION ID>"
            ],
            "permissions": [
                {
                    "actions": [
                          "Microsoft.Sql/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/databases/read",
                          "Microsoft.DBforMySQL/servers/read",
                          "Microsoft.DBforMariaDB/servers/databases/read",
                          "Microsoft.DBforMariaDB/servers/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.DBforPostgreSQL/serversv2/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
                          "Microsoft.DBforMariaDB/servers/firewallRules/read",
                          "Microsoft.DBforMySQL/servers/firewallRules/read",
                          "Microsoft.Sql/servers/firewallRules/read",
                          "Microsoft.Sql/servers/administrators/read",
                          "Microsoft.DBforMySQL/flexibleServers/read",
                          "Microsoft.DBforMySQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/serversv2/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
                          "Microsoft.Synapse/workspaces/read",
                          "Microsoft.Databricks/workspaces/read",
                          "Microsoft.Storage/storageAccounts/blobServices/read",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Storage/storageAccounts/listkeys/action",
                          "Microsoft.Storage/storageAccounts/fileServices/shares/read"
                        ],
                    "notActions": [],
                    "dataActions": [
                          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                          "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
                        ],
                    "notDataActions": []
                }
            ]
        }
    }
     
     

    Standard + Snapshot Permissions

    Use this JSON for both the standard and snapshot scanning permissions required by Dasera.

    {
        "properties": {
            "roleName": "Dasera Role",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<AZURE SUBSCRIPTION ID>"
            ],
            "permissions": [
                {
                    "actions": [
                          "Microsoft.Sql/servers/write", 
                          "Microsoft.Sql/servers/delete", 
                          "Microsoft.Sql/servers/firewallRules/write", 
                          "Microsoft.Sql/servers/databases/read", 
                          "Microsoft.Sql/servers/databases/write", 
                          "Microsoft.Sql/servers/databases/delete",
                          "Microsoft.Sql/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/databases/read",
                          "Microsoft.DBforMySQL/servers/read",
                          "Microsoft.DBforMariaDB/servers/databases/read",
                          "Microsoft.DBforMariaDB/servers/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.DBforPostgreSQL/serversv2/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
                          "Microsoft.DBforMariaDB/servers/firewallRules/read",
                          "Microsoft.DBforMySQL/servers/firewallRules/read",
                          "Microsoft.Sql/servers/firewallRules/read",
                          "Microsoft.Sql/servers/administrators/read",
                          "Microsoft.DBforMySQL/flexibleServers/read",
                          "Microsoft.DBforMySQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/serversv2/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
                          "Microsoft.Synapse/workspaces/read",
                          "Microsoft.Databricks/workspaces/read",
                          "Microsoft.Storage/storageAccounts/blobServices/read",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Storage/storageAccounts/listkeys/action",
                          "Microsoft.Storage/storageAccounts/fileServices/shares/read"
                        ],
                    "notActions": [],
                    "dataActions": [
                          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                          "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
                        ],
                    "notDataActions": []
                }
            ]
        }
    }
     
     

    5. Click the Save button.
    6. Click the Review + Create button. The review screen is displayed.
    7. Click the Create button.
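
    A pre-paste check for the role JSON above, as an added example that is not Dasera's own tooling: it flags an unsubstituted subscription placeholder and lists every action that is not read-only, which is where the two variants differ. The function name, the constructed sample and the subscription-scope-only check are assumptions of this example.

```python
import json
import re

# Assumption: scope is a whole subscription, as in the page's templates.
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def review_role(role_json: str) -> dict:
    """Return findings for a portal-format custom role definition."""
    props = json.loads(role_json)["properties"]
    findings = {"bad_scopes": [], "non_read": [], "wildcards": []}
    for scope in props.get("assignableScopes", []):
        if not SCOPE_RE.match(scope):        # placeholder left in, or typo
            findings["bad_scopes"].append(scope)
    for perm in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            for action in perm.get(key, []):
                if "*" in action:            # wildcard grants need a manual look
                    findings["wildcards"].append(action)
                elif not action.lower().endswith("/read"):
                    # /write, /delete and /action operations, e.g.
                    # storageAccounts/listkeys/action returns account access keys
                    findings["non_read"].append(action)
    return findings

# Constructed sample: a shortened mix of actions from the two role variants,
# with the subscription placeholder deliberately left unsubstituted.
SAMPLE = """
{"properties": {
  "roleName": "Dasera Role",
  "assignableScopes": ["/subscriptions/<AZURE SUBSCRIPTION ID>"],
  "permissions": [{
    "actions": [
      "Microsoft.Sql/servers/read",
      "Microsoft.Sql/servers/write",
      "Microsoft.Sql/servers/databases/delete",
      "Microsoft.Storage/storageAccounts/listkeys/action"],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "notDataActions": []}]}}
"""

if __name__ == "__main__":
    for kind, items in review_role(SAMPLE).items():
        print(kind, items)
```

    Run it against the exact JSON you are about to save; an empty bad_scopes list and a non_read list you have reviewed line by line are the conditions to proceed.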

    Assign Role to Dasera App

    Click on Review and Create and click the OK button to complete creation of the required custom role.
    Next, assign this custom role to the app. To do this, click on Add role assignment.

    1. Filter for custom roles, click View on the role created for Dasera, and click Select role.
    2. Click on Next and move to Add members.
    3. Search for Dasera and select DaseraApp.
    4. Click Next and then Review + Assign to complete the role assignment.

    Grant permissions for automatic misconfiguration analysis (Optional)

    1. Navigate to App registrations, select the Dasera App and navigate to API permissions.
    2. Click on Microsoft Graph (1), tick the checkbox for the permission Application > Application.Read.All, and click Update permissions.
    3. Once the above permission is added, Grant admin consent to remove the warning icon.

    Create Dasera Infrastructure Connection

    1. Log into Dasera
    2. Navigate to the Administration > Infrastructure Connections screen > Azure tab
    3. Click the Add Infrastructure button
    4. Enter the following values:
    Field | Value
    Account Name | Any value (this is used to identify your infrastructure connection within the Dasera UI).
    Tenant ID | Enter the Tenant ID captured in point 3 in the Register Dasera App Service Principal section above.
    Application ID | Enter the Application ID captured in point 3 in the Register Dasera App Service Principal section above.
    Application Secret | Enter the Application Secret (value) captured in point 3 in the Create Client Secret section above.
    Subscription ID | Enter the Subscription ID captured in point 1 in the Add Dasera Role section above.

    5. Click the Acknowledge button

    Next Steps

    • If you have additional Azure Accounts to onboard in Dasera, repeat the above steps.
    • Connect your discovered Data Stores. For more information, visit our Connecting Azure Data Stores category and select the article(s) applicable to the Data Store Type(s) you wish to connect.
