
Add multiple Azure subscriptions to Cloud Accounts in one step by connecting an Azure Management Group.

Cloud Accounts supports adding subscriptions in your Azure management groups by deploying features to the tenant root group or a child management group. Adding your Azure management group to Cloud Accounts provides a quick way to allow TrendAI Vision One™ access to your managed Azure subscriptions to provide security and visibility into your cloud assets. Some Cloud Account features have limited support for Azure regions. For more information, see Azure supported regions and limitations.
The primary subscription is the subscription where the connector resources are created and deployed, and is used by TrendAI Vision One™ to connect to all the other subscriptions in the management group. You cannot remove or exclude the primary subscription from the Cloud Accounts management group deployment, and if you delete this subscription from Azure, TrendAI Vision One™ will no longer connect to any other subscriptions in the management group. You can choose a different subscription as the primary subscription when deploying the Terraform script. For more information, see Change the primary subscription.
After deployment, the Azure management group appears in Cloud Accounts, with all subscriptions listed beneath. The features and permissions selected for a management group apply to all subscriptions in the management group, except for any subscriptions that you exclude. New subscriptions are detected and added to Cloud Accounts when you do a Resource Update on the management group connector.

Procedure

  1. Sign in to the TrendAI Vision One™ console.
  2. In a separate browser tab, sign in to your Azure portal account.
  3. In the TrendAI Vision One™ console, go to Cloud Security > Cloud Accounts > Azure.
  4. Click Add Subscription.
  5. On the Deployment Type page, select Management Group.
  6. Click Next.
  7. Specify the general information for the Management Group.
    1. Specify the Management Group ID.
    2. Add a description to display in Cloud Accounts.
    3. Specify the subscriptions you want to exclude from Cloud Account deployment by entering the subscription IDs in the Excluded descriptions area. If you are typing in the subscription IDs (instead of copying and pasting from Azure), you must separate the subscription IDs with commas.
      Note
      Subscriptions with a Disabled state are automatically filtered out during deployment and do not need to be manually excluded.
    4. Select the Azure region for deployment.
      Note
      The default region is your TrendAI Vision One™ region.
      Some Cloud Account features have limited support for Azure regions. For more information, see Azure supported regions and limitations.
    5. If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected account.
      Note
      • If you have one Server & Workload Protection Manager instance, the account is automatically associated with that instance.
  8. Click Next.
  9. Configure the Features and Permissions you want to grant access to your cloud environment. For more information, see Azure features and permissions.
  10. Click Next.
  11. Create a new directory for the deployment folder and then access the folder.
    In Azure local shell, copy the command to create the deployment folder.
    Note
    The Connect Azure Management Group screen in the TrendAI Vision One™ console provides a set of commands to help complete the following steps. To complete the connection process, you must copy each command provided in the screen to enable the Done button. While you can alter some parameters, TrendAI™ recommends using the provided commands as is to prevent the deployment from failing.
  12. In the TrendAI Vision One™ console, select whether you will upload the resource creation script manually or using CLI.
  13. Copy the resource creation script from the TrendAI Vision One™ console.
  14. In Azure local shell, access the command line interface and enter the resource creation script you copied in the previous step. This downloads the script directly to your cloud environment.
  15. Extract the template by copying the command from the TrendAI Vision One™ console.
    Note
    You must have permission enabled to unzip in your cloud environment.
  16. Navigate to the deployment folder by copying the command from the TrendAI Vision One™ console.
  17. Initiate Terraform and run the resource creation script.
    Azure local shell begins the Terraform process to deploy TrendAI Vision One™ security resources.
  18. In the TrendAI Vision One™ console, click Done.
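
The exclusion list in step 7 decides which subscriptions receive the connector's features and permissions, so it is worth checking before you paste it into the console. The following is an added example, not part of the TrendAI Vision One™ console or its generated commands: a shell function that turns a pasted or typed list into the comma-separated form and rejects malformed IDs and the primary subscription, which cannot be excluded. The function name `build_exclusion_list`, the assumption that subscription IDs are GUIDs, and all sample IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the excluded-subscriptions list (step 7).
# Assumption: Azure subscription IDs are GUIDs (8-4-4-4-12 hex digits).

# build_exclusion_list PRIMARY_ID "RAW_IDS"
# RAW_IDS may be separated by commas, spaces, tabs or newlines.
# Prints a lowercase, de-duplicated, comma-separated list on stdout.
# Returns 1 if an ID is malformed, 2 if the primary subscription is listed.
build_exclusion_list() {
    primary=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ids=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ', \t\r' '\n\n\n\n' | sed '/^$/d' | sort -u)
    out=""
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        if ! printf '%s\n' "$id" | grep -Eq \
            '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
            echo "malformed subscription ID: $id" >&2
            return 1
        fi
        if [ "$id" = "$primary" ]; then
            echo "primary subscription cannot be excluded: $id" >&2
            return 2
        fi
        out="${out:+$out,}$id"
    done <<EOF
$ids
EOF
    printf '%s\n' "$out"
}

# Constructed sample values (not real subscriptions).
PRIMARY="11111111-1111-1111-1111-111111111111"
PASTED="BBBBBBBB-0000-4000-8000-000000000002
aaaaaaaa-0000-4000-8000-000000000001 aaaaaaaa-0000-4000-8000-000000000001"

build_exclusion_list "$PRIMARY" "$PASTED"
```

Subscriptions in a Disabled state do not need to appear in the list, because the deployment filters them out automatically.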