Onboard an Azure Subscription

This topic describes how to onboard a Microsoft Azure subscription to your Dome9 account.

Operational Modes for Azure subscriptions

There are two ways to manage your Azure account in Dome9.

  • Read-Only - in this mode, you can view details of your Azure subscription in Dome9, run compliance tests on it, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage those entities from Dome9.
  • Manage - in this mode, you have all the capabilities of Read-Only mode and, in addition, you can use Dome9 to actively manage your Network Security Groups.

Onboard procedure

The onboarding procedure is done from the Dome9 UI, with step-by-step instructions presented on-screen for both Read-Only and Manage modes. In the course of this procedure, you will be instructed to perform some actions on the Azure Management Portal and some on the Dome9 UI, and to enter some information. When you have completed these steps, click FINISH to start the onboarding process. This can take a few minutes, depending on the number of resources in the subscription.

Configure Policies for Azure Key Vault Entities

Azure Key Vaults contain entities that are not accessible using the policy that is set up when the Azure account is onboarded to Dome9 (described above). This is because, by default, Azure does not grant access rights to vaults, secrets, certificates, and keys. In addition, new Key Vault entities may be created after onboarding. The Dome9 Compliance Engine, for example, needs to access these entities when evaluating the compliance of your Azure environments.

Follow the steps below to set up an Automation account and runbook in your Azure account that periodically grants Dome9 the rights to access these new entities. You must set up such an account and runbook for each Azure subscription.
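The following runbook is an added example of the kind of periodic grant described above; it is not the Key-Vault-Runbook-Script.ps1 linked below and not Dome9's own code. It assumes (all labelled assumptions) that the Automation account runs with a system-assigned managed identity that is allowed to change Key Vault access policies in the subscription, that the object ID of the Dome9 service principal is stored in an Automation variable named Dome9ObjectId (a hypothetical name), and that the compliance integration only needs read-only "list" permissions on keys, secrets and certificates. The cmdlets used (Connect-AzAccount, Get-AzKeyVault, Set-AzKeyVaultAccessPolicy, Get-AutomationVariable) are standard Az / Azure Automation cmdlets.

```powershell
# Added example runbook: grant a compliance scanner read-only access to every
# Key Vault in the subscription, idempotently, on a schedule.
# Not the page's Key-Vault-Runbook-Script.ps1; names marked below are assumptions.

param(
    # Optional: restrict the sweep to a single resource group.
    [string]$ResourceGroupName
)

$ErrorActionPreference = 'Stop'

# Assumption: the Automation account has a system-assigned managed identity.
Connect-AzAccount -Identity | Out-Null

# Assumption: hypothetical Automation variable holding the scanner's object ID.
$scannerObjectId = Get-AutomationVariable -Name 'Dome9ObjectId'
if (-not $scannerObjectId) { throw "Automation variable 'Dome9ObjectId' is not set." }

# Least-privilege assumption: list only, never get/set/delete on any entity type.
$keyPerms    = @('list')
$secretPerms = @('list')
$certPerms   = @('list')

# Normalise a permission list to a sorted, lower-case string for comparison;
# tolerates $null (a policy with no permissions for that entity type).
function Get-PermSet([string[]]$perms) {
    ((@($perms) | Where-Object { $_ } | ForEach-Object { $_.ToLower() }) | Sort-Object) -join ','
}

$vaultSummaries = if ($ResourceGroupName) {
    Get-AzKeyVault -ResourceGroupName $ResourceGroupName
} else {
    Get-AzKeyVault
}

$granted = 0
$skipped = 0
foreach ($summary in @($vaultSummaries)) {
    # Get-AzKeyVault without -VaultName returns summaries only; fetch full details
    # (access policies, authorization model) for each vault.
    $vault = Get-AzKeyVault -VaultName $summary.VaultName -ResourceGroupName $summary.ResourceGroupName

    # Vaults that use Azure RBAC for data-plane authorization ignore access
    # policies entirely; log them so an operator can assign a read-only role
    # (e.g. the built-in Key Vault Reader role) instead of silently doing nothing.
    if ($vault.EnableRbacAuthorization) {
        Write-Output "SKIP  $($vault.VaultName): RBAC authorization enabled, access policy not applicable"
        $skipped++
        continue
    }

    # Idempotency: do not rewrite a policy that already matches the intended set.
    $existing = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $scannerObjectId }
    if ($existing -and
        (Get-PermSet $existing.PermissionsToKeys)         -eq (Get-PermSet $keyPerms) -and
        (Get-PermSet $existing.PermissionsToSecrets)      -eq (Get-PermSet $secretPerms) -and
        (Get-PermSet $existing.PermissionsToCertificates) -eq (Get-PermSet $certPerms)) {
        Write-Output "OK    $($vault.VaultName): policy already present"
        continue
    }

    # Set-AzKeyVaultAccessPolicy replaces this principal's entry, so a policy that
    # has drifted to broader rights is pulled back to list-only on the next run.
    Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName `
        -ResourceGroupName $vault.ResourceGroupName `
        -ObjectId $scannerObjectId `
        -PermissionsToKeys $keyPerms `
        -PermissionsToSecrets $secretPerms `
        -PermissionsToCertificates $certPerms
    Write-Output "GRANT $($vault.VaultName): list on keys/secrets/certificates"
    $granted++
}

Write-Output "Done. Granted: $granted, skipped (RBAC): $skipped, vaults seen: $(@($vaultSummaries).Count)"
```

Schedule the runbook (hourly or daily is typical) so that vaults created after onboarding pick up the policy without manual action, and review its output for SKIP lines: those vaults need a role assignment rather than an access policy. Because Set-AzKeyVaultAccessPolicy overwrites the principal's entry, the runbook also acts as a drift check that keeps the scanner's rights at list-only.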

See also

An introduction to Azure Automation

Automation Runbook Gallery

Key-Vault-Runbook-Script.ps1