After you create (or designate) a storage account and container in Azure, you need to
create a CDP credential for audit archiving on Azure.
Before proceeding with this task, open the Azure shell in the
Azure Portal.Required Role:
PowerUser
-
Use the provided command in an Azure shell to identify your subscription ID and tenant
ID:
az account list|jq '.[]|{"name": .name, "subscriptionId": .id, "tenantId": .tenantId, "state": .state}'
Take note of the subscription ID (the subscription used to create the storage account
that you designated for auditing) and the tenant ID for later use.
- Use the provided command in an Azure shell to create a new service principal in
Azure. Substitute your service principal name (whatever you chose to give it, for example
the container name), subscription ID, resource group name, storage account name, and
container name where indicated:
az ad sp create-for-rbac \ --name http://{app-name} \ --role "Storage Blob Data Contributor" \ --scopes /subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}/blobServices/default/containers/{container-name}
Save the App ID and password from the command output to use in the credential creation
command.
- In the CDP CLI, use the following command to create the CDP credential:
cdp environments set-azure-audit-credential --profile <profile-name> --subscription-id <subscription-id> --tenant-id <tenant-id> --app-based applicationId=<application-id>,secretKey=<password>
The value of the secretKey parameter is the password returned in
the output of the previous command that you ran to create the Azure service
principal.
Running this command creates the CDP credential for audit archiving on
Azure. Take note of the crn returned in the command output, as you
will need it to configure archiving in the next task.
After you create the credential for auditing, proceed to the
next task: Configuring audit archiving for Azure using the CLI.
