Add a Microsoft Azure subscription

This topic describes how to add a Microsoft Azure subscription to DPA or delete one.

Before you begin

Verify that you've done the following before you add the subscription to DPA.

Configure the VMs in your workspace

Ensure that your VMs meet the requirements described in Network requirements.

Add a subscription to DPA

You can add a Microsoft Azure subscription to DPA from the Platform management page.

To add a subscription to DPA:

  1. On the Platform management page, click Microsoft Azure.

  2. On the Microsoft Azure page, click Add a subscription.

  3. Follow the online instructions to configure DPA and your Microsoft Azure environment.

Step 1: Subscription details

  1. Enter the following information.

    Subscription details



    Directory (tenant) ID

    The Azure directory where the subscription is located, in GUID format.

    Subscription ID

    The ID of the subscription you are adding, in GUID format.

    Subscription name (optional)

    Give the subscription a name in DPA which provides some context.

    Description (optional)

    Provide additional useful information about the subscription.

  2. After you provide the subscription details, click Save and continue to Configuration.

  • You can create a recurring access policy after you complete this part of adding your subscription, but it won't work until you complete the configuration process.

  • It may be helpful to create a simple test policy so you can verify that your subscription is connected when you finish configuring it.

Step 2: Configuration

  1. Enable read-only access to your subscription.

    Download the DPA script and run it in your Azure console. This script creates an Azure application in your directory along with a dedicated role that enables read-only permissions. DPA uses these permissions to read metadata about the relevant VMs.

    Resources created in Azure




    CyberArk-DPA-App

    The application that DPA uses to access your subscription in order to query VM metadata. The application is created with a set of generated credentials, which are shared with DPA, as well as a service principal that allows assigning a role to the application.

    CyberArk-DPA-Role

    An IAM role with the read-only permissions required for DPA to read the necessary metadata (see the table below).

    Role Assignment between CyberArk-DPA-App and CyberArk-DPA-Role

    Grants the CyberArk-DPA-App application the permissions specified in the CyberArk-DPA-Role role for the subscription.

    CyberArk-DPA-Role IAM role permissions




    Allows reading of VM metadata


    Allows reading of VM network interface metadata


    Allows reading of the VM public IP address


    Allows invoking the Resource Graph API in order to retrieve the data specified above

  2. Install the DPA connector.

    Install the DPA connector on a host machine that sits within the network you're connecting to the service.

    For detailed instructions on how to install the DPA connector, see Install a connector.

  3. (Linux machines only) Target machine - for Linux configuration.

    1. The Add SSH host key validation slider is activated by default. This option enables DPA to save the fingerprint of the host key the first time a user signs in via an SSH client to a target instance. It is recommended to leave this activated, to add an extra layer of security when identifying the target.

      You can deactivate this option only after clicking Save below.

    2. Deploy an SSH CA public key on your target machines. If your platform resources don't have any certificate files already installed, you can copy and run the CyberArk script where it's needed. If your platform resources already contain certificate files, you can download the SSH CA public key without the installation script and add it to the certificate files.

      The installation script automatically deploys a certificate file with the SSH CA public key on the machine where it is run. To deploy the CyberArk CA certificate manually, follow the instructions in Manage certificates on a Linux target machine.

  4. (Windows machines only) Configure a domain - for Windows configuration.

    1. Click Strong accounts.

    2. Configure a strong account (a user role with strong credentials, which can create ephemeral users on the target machines), as described in Add and manage strong accounts.
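
For the manual path in the Linux step above (adding the downloaded SSH CA public key to certificate files that already exist), the following is an added example, not CyberArk's installation script. It adds the key without duplicating it and keeps any CA the host already trusts; the file paths, function names and the placeholder key are assumptions.

```shell
#!/bin/sh
# Added example, not CyberArk's installation script. File paths are assumptions.
# Constructed placeholder key; use the SSH CA public key downloaded from DPA.
CA_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERKEY000000000000000000 dpa-ca-example'

# add_ca_key KEY_LINE CA_FILE
# Append the key to the trusted-CA file unless the same key is already there.
# Keys are compared on type and base64 blob, so a changed comment is not a new key.
add_ca_key() {
    key_id=$(printf '%s\n' "$1" | awk '{print $1 " " $2}')
    touch "$2" && chmod 644 "$2" || return 1
    if awk -v id="$key_id" '($1 " " $2) == id {f=1} END {exit !f}' "$2"; then
        return 0
    fi
    printf '%s\n' "$1" >> "$2"
}

# ensure_trusted_ca SSHD_CONFIG CA_FILE
# Point the global TrustedUserCAKeys directive at CA_FILE.
# Returns 2 when a different file is already configured: in that case add the
# key to that file rather than replacing the CAs the host already trusts.
ensure_trusted_ca() {
    current=$(awk 'tolower($1) == "match" {exit}
                   tolower($1) == "trustedusercakeys" {print $2; exit}' "$1")
    [ "$current" = "$2" ] && return 0
    [ -n "$current" ] && return 2
    # Insert before the first Match block; a line appended after one would
    # apply only to sessions that match it.
    awk -v line="TrustedUserCAKeys $2" '
        !done && tolower($1) == "match" {print line; done = 1}
        {print}
        END {if (!done) print line}' "$1" > "$1.new" &&
        cat "$1.new" > "$1" && rm -f "$1.new"
}

# Usage on a target (assumed paths), followed by "sshd -t" and an sshd reload:
#   add_ca_key "$CA_KEY" /etc/ssh/trusted_ca.pub
#   ensure_trusted_ca /etc/ssh/sshd_config /etc/ssh/trusted_ca.pub
```

Run `sshd -t` after the change and reload sshd only if it reports no errors, so a malformed configuration does not lock out SSH access to the target.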