Add your Microsoft Azure environment

You can add your Azure environment to Sophos Cloud Optix by running the PowerShell script Sophos provides.

Note: By adding your Microsoft Azure environment, you authorize Sophos to access information via APIs and collect log data from your environment. For some data, such as network flow logs, your cloud provider may charge you. See Cloud provider charges or contact your provider for details. You can choose not to enable export of network flow logs if you don't need the advanced features that require this data.

You must run the PowerShell script in Cloud Shell. Access this from your Azure portal.

Warning: You must not run the script using Windows PowerShell on your computer.

Sophos Cloud Optix can't connect to free trial Azure accounts. This is because of a restriction in the subscription permissions with free trials of Azure.

To add your Azure subscriptions, you must run the script provided by Sophos. This registers an application in your Azure AD tenant. You can run the script as many times as you need to.

The user who first runs the script must have the Application Administrator role. One or more users can then add subscriptions by rerunning the script if needed. They must have the Owner role for each subscription they add to Sophos Cloud Optix.

For example, with multiple subscriptions, a user who has the Application Administrator role for your Azure tenant runs the script first. Users with the Owner role for each subscription then rerun it to add those subscriptions.

You can change the settings for your deployment using Custom settings. For example, you may not want to turn on network flow logs.

If you want to include AKS clusters, you must sign in to Azure with a profile that has the Cluster Admin role for each AKS cluster that you add. You can exclude AKS clusters in Custom settings.

To run the script, do as follows:

  1. Click Settings and select Environments.
  2. Click Add New Environment.
  3. On Add your Cloud Provider environment, select Azure.
  4. Click Add an Azure subscription using a script in Azure PowerShell (includes AKS Clusters).
  5. Follow the steps shown to go to Azure and open Azure PowerShell.

    You must not run the script using Windows PowerShell on your computer.

  6. Download the script using the command provided in Sophos Cloud Optix.
  7. Click Custom settings to review the settings and change them if you need to.

    If you change the settings, you must copy the command in Custom settings. You use this when you run the script, not the command on the main screen.

  8. Close Custom settings.
  9. Run the script in Azure PowerShell, using either the command provided in Sophos Cloud Optix, or the one you copied from Custom settings.

    The script lets you choose all subscriptions or only the subscriptions you want to add.

    The script creates an Azure AD application and a service principal, adds a response URL, and grants permissions at the subscription level.

If you have all the required Azure roles to create the Enterprise App for your tenant (the Application Administrator role) and to add your subscriptions (the Owner role for each subscription), you don't need to rerun the script. Other users can rerun the script to add subscriptions if required.
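Because the script registers an application and grants it permissions on every subscription you add, it is worth reviewing what it was actually given. The following is an added audit snippet for Azure Cloud Shell (PowerShell), not the Sophos script and not part of this page; the application display name is a placeholder you must replace with the name of the app the script registered in your tenant.

```powershell
# Added audit example: report the role assignments held by the service
# principal that the onboarding script created, across all subscriptions
# the signed-in user can see. Run in Azure Cloud Shell (PowerShell); the
# Az module is preloaded there.
# ASSUMPTION: the display name below is a placeholder, not a real value.
$AppDisplayName = "<cloud-optix-app-display-name>"

# Look up the service principal backing the app registration.
$sp = Get-AzADServicePrincipal -DisplayName $AppDisplayName
if (-not $sp) {
    throw "No service principal named '$AppDisplayName' found in this tenant."
}
Write-Output "Service principal: $($sp.DisplayName) (ObjectId $($sp.Id), AppId $($sp.AppId))"

# Walk every visible subscription and collect the roles assigned to the
# service principal at subscription scope or below.
$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    Get-AzRoleAssignment -ObjectId $sp.Id | ForEach-Object {
        [pscustomobject]@{
            Subscription = $sub.Name
            Role         = $_.RoleDefinitionName
            Scope        = $_.Scope
        }
    }
}
$report | Format-Table -AutoSize

# Highlight anything broader than read access so it can be reviewed
# against what the integration actually needs.
$elevated = $report | Where-Object {
    $_.Role -in @('Owner', 'Contributor', 'User Access Administrator')
}
if ($elevated) {
    Write-Warning "Assignments above read-only were found; confirm each one is required:"
    $elevated | Format-Table -AutoSize
}
```

Rerun the snippet after each additional user adds subscriptions, since each run of the Sophos script can add new assignments.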

After the script has run, you must turn on user and group data sync with Azure AD, using an admin account for the subscriptions you've added. To do this, go to the URL shown at the end of the script. You must be an Application Administrator in the Azure AD tenant that contains the subscriptions you added. If you aren't, ask an Application Administrator to authenticate for you.