Add a Microsoft Azure subscription
This topic describes how to add a Microsoft Azure subscription to DPA, and how to delete one.
Before you begin
Verify that you've done the following before you add the subscription to DPA:
- Configure the VMs in your workspace: ensure that your VMs meet the requirements described in Network requirements.
Add a subscription to DPA
You can add a Microsoft Azure subscription to DPA from the Platform management page.
To add a subscription to DPA:
1. On the Platform management page, click Microsoft Azure.
2. On the Microsoft Azure page, click Add a subscription.
3. Follow the online instructions to configure DPA and your Microsoft Azure environment, as described in the steps below.
Step 1: Subscription details
Enter the following information:
- Directory (tenant) ID: the Azure directory where the subscription is located, in GUID format.
- Subscription ID: the ID of the subscription you are adding, in GUID format.
- Subscription name (optional): a name for the subscription in DPA that provides some context.
- Provide any additional useful information about the subscription.
After you provide the subscription details, click Save and continue to Configuration.
Step 2: Configuration
Enable read-only access to your subscription.
Download the DPA script and run it in your Azure console. This script creates an Azure application in your directory along with a dedicated role that grants read-only permissions. DPA uses these permissions to read metadata about the relevant VMs.
Resources created in Azure:
- CyberArk-DPA-App: the application that DPA uses to access your subscription in order to query VM metadata. The application is created with a set of generated credentials, which are shared with DPA, as well as a service principal that allows assigning a role to the application.
- CyberArk-DPA-Role: an IAM role with the read-only permissions required for DPA to read the necessary metadata (see the permissions listed below).
- Role Assignment between CyberArk-DPA-App and CyberArk-DPA-Role: grants the CyberArk-DPA-App application the permissions specified in the CyberArk-DPA-Role role for the subscription.
CyberArk-DPA-Role IAM role permissions:
- Allows reading of VM metadata
- Allows reading of VM network interface metadata
- Allows reading of the VM public IP address
- Allows invoking the Resource Graph API in order to retrieve the data specified above
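The following Python is an added example, not the DPA script the page tells you to download. It builds a custom role definition with the same intent as CyberArk-DPA-Role and audits an exported role definition to confirm it is read-only and assignable only within one subscription, which is the check a reviewer would want after running a vendor script in their tenant. The four Azure RBAC action names are assumptions about which operations correspond to the permissions listed above (the page does not quote them), and the subscription GUID is a constructed placeholder.

```python
import json
import re

# Assumed mapping from the permissions listed on the page to Azure RBAC actions
# (these action names are not quoted by the page; they are the standard read
# operations for each resource type).
DPA_READ_ACTIONS = {
    "VM metadata": "Microsoft.Compute/virtualMachines/read",
    "VM network interface metadata": "Microsoft.Network/networkInterfaces/read",
    "VM public IP address": "Microsoft.Network/publicIPAddresses/read",
    "Resource Graph API": "Microsoft.ResourceGraph/resources/read",
}

# A control-plane action is read-only only if its last segment is exactly "read".
READ_ACTION = re.compile(r"^[A-Za-z0-9.]+(/[A-Za-z0-9]+)*/read$")


def build_role_definition(subscription_id, role_name="CyberArk-DPA-Role"):
    """Return a custom role definition dict in the schema accepted by
    `az role definition create --role-definition <file>`, assignable only
    within the given subscription."""
    return {
        "Name": role_name,
        "IsCustom": True,
        "Description": "Read-only VM metadata access for DPA (added example)",
        "Actions": sorted(DPA_READ_ACTIONS.values()),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": ["/subscriptions/" + subscription_id],
    }


def role_definition_json(subscription_id, role_name="CyberArk-DPA-Role"):
    """Serialise the role definition for writing to a file."""
    return json.dumps(build_role_definition(subscription_id, role_name), indent=2)


def audit_role_definition(role, subscription_id):
    """Check an (exported) role definition against the page's stated intent:
    read-only control-plane actions, no data-plane actions, and assignable
    only within the expected subscription. Returns a list of findings; an
    empty list means the role matches."""
    findings = []
    for action in role.get("Actions", []):
        if "*" in action or not READ_ACTION.match(action):
            findings.append("non-read-only action: " + action)
    for action in role.get("DataActions", []):
        findings.append("data-plane action granted: " + action)
    expected_scope = "/subscriptions/" + subscription_id
    for scope in role.get("AssignableScopes", []):
        if scope != expected_scope:
            findings.append("assignable scope is not the subscription: " + scope)
    if not role.get("IsCustom", False):
        findings.append("role is not a custom role definition")
    return findings


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed placeholder GUID
    print(role_definition_json(sub))
    print("findings:", audit_role_definition(build_role_definition(sub), sub))
```

To run the audit against the role the DPA script actually created, export it with `az role definition list --name CyberArk-DPA-Role` and pass the resulting object to audit_role_definition; an empty findings list means the role grants only the read permissions the page lists and cannot be assigned outside the subscription.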
Install the DPA connector.
Install the DPA connector on a host machine that sits within the network you're connecting to the service.
For detailed instructions on how to install the DPA connector, see Install a connector.
(Linux machines only) Target machine - Linux configuration.
The Add SSH host key validation slider is activated by default. This option enables DPA to save the fingerprint of the host key the first time a user signs in via an SSH client to a target instance. It is recommended to leave this activated, to add an extra layer of security when identifying the target.
You can deactivate this option only after clicking Save below.
Deploy an SSH CA public key on your target machines. If your platform resources don't have any certificate files already installed, you can copy and run the CyberArk script where it's needed. If your platform resources already contain certificate files, you can download the SSH CA public key without the installation script and add it to the certificate files.
The installation script automatically deploys a certificate file with the SSH CA public key on the machine where it is run. To deploy the CyberArk CA certificate manually, follow the instructions in Manage certificates on a Linux target machine.
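The target-side part of this step, as an added Python example that is not CyberArk's installation script. It assumes the target runs OpenSSH, so that the "certificate file" the page refers to is the file named by the sshd_config TrustedUserCAKeys directive; the key file path /etc/ssh/dpa_ca.pub is a placeholder. append_ca_key covers the "certificate files already installed" case (add the downloaded SSH CA public key to the existing file without duplicating it), and ensure_trusted_ca makes sshd trust that file while removing any stale or conflicting occurrence of the directive.

```python
from pathlib import Path

DIRECTIVE = "TrustedUserCAKeys"               # OpenSSH directive that trusts a user CA
DEFAULT_CA_KEY_PATH = "/etc/ssh/dpa_ca.pub"   # placeholder path, not CyberArk's


def append_ca_key(existing_text, ca_pub):
    """Return the CA key file contents with ca_pub added (one key per line),
    leaving an already-present key alone so repeated runs do not duplicate it.
    This is the 'certificate files already installed' path from the page."""
    keys = [line.strip() for line in existing_text.splitlines() if line.strip()]
    key = ca_pub.strip()
    if key not in keys:
        keys.append(key)
    return "\n".join(keys) + "\n"


def ensure_trusted_ca(sshd_config_text, ca_key_path=DEFAULT_CA_KEY_PATH):
    """Return sshd_config text with exactly one active TrustedUserCAKeys line
    pointing at ca_key_path. Earlier occurrences of the directive, active or
    commented out, are dropped so sshd cannot pick up a stale or conflicting
    value (sshd honours the first occurrence of a keyword)."""
    kept = []
    for line in sshd_config_text.splitlines():
        tokens = line.strip().lstrip("#").split()
        if tokens and tokens[0].lower() == DIRECTIVE.lower():
            continue
        kept.append(line)
    kept.append(DIRECTIVE + " " + ca_key_path)
    return "\n".join(kept) + "\n"


def deploy(ca_pub, sshd_config_path="/etc/ssh/sshd_config", ca_key_path=DEFAULT_CA_KEY_PATH):
    """Write the CA key file and update sshd_config on the local machine.
    Run as root, then validate and reload: `sshd -t && systemctl reload sshd`."""
    key_file = Path(ca_key_path)
    existing = key_file.read_text() if key_file.exists() else ""
    key_file.write_text(append_ca_key(existing, ca_pub))
    key_file.chmod(0o644)   # public key: world-readable, writable by root only
    cfg = Path(sshd_config_path)
    cfg.write_text(ensure_trusted_ca(cfg.read_text(), ca_key_path))
```

Keep the CA public key file and sshd_config owned by root; a user who can edit either can make sshd trust a different CA, which is why the page recommends leaving host key validation on in DPA as an independent check on the target's identity.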
(Windows machines only) Configure a domain - Windows configuration.
Click Strong accounts.
Configure a strong account (a user role with strong credentials, which can create ephemeral users on the target machines), as described in Add and manage strong accounts.