Add Azure environments using PowerShell scripts

You can add your Microsoft Azure environments to Sophos Cloud Optix by running the PowerShell script Sophos provides.

You must run the PowerShell script in Cloud Shell. Access this from your Microsoft Azure portal.

Warning: You must not run the script using Windows PowerShell on your computer.

The script provided by Sophos registers an application in your Microsoft Azure AD tenant. You can run the script as many times as you need to.

The user who first runs the script must have the Application Administrator role. One or more users can then add subscriptions by rerunning the script if needed. They must have the Owner role for each subscription they add to Sophos Cloud Optix.

For example, with multiple subscriptions, a user signed in to Microsoft Azure with the Application Administrator role for your Microsoft Azure tenant runs the script first. Users with the Owner role for each subscription then rerun it to add those Microsoft Azure subscriptions.

You can change the settings for your deployment using Custom settings. For example, you may not want to turn on network flow logs.

If you want to include AKS clusters, you must sign in to Microsoft Azure with a profile that has the Cluster Admin role for each AKS cluster that you add. You can exclude AKS clusters in Custom settings.

To run the script, do as follows:

  1. Go to Settings and click Add Environments.
  2. On Add your cloud environment, select Azure.
  3. Click Add an Azure subscription using a script in Azure PowerShell (includes AKS Clusters).
  4. Follow the steps shown to go to Microsoft Azure and open Microsoft Azure PowerShell.

    You must not run the script using Windows PowerShell on your computer.

  5. Download the script using the command provided in Sophos Cloud Optix.
  6. Click Custom settings to review the settings and change them if you need to.

    If you change the settings, you must copy the command in Custom settings. You use this when you run the script, not the command on the main screen.

  7. Close Custom settings.
  8. Run the script in Microsoft Azure PowerShell, using either the command provided in Sophos Cloud Optix, or the one you copied from Custom settings.

    The script lets you choose all subscriptions or only the subscriptions you want to add.

    The script creates an AD application and a service principal, adds a response URL, and grants permissions at subscription level.
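As an added verification example (not the Sophos script, and not code from this page), the following Az PowerShell snippet can be run in Azure Cloud Shell after the script has completed. It locates the service principal the script created and lists the role assignments it holds on each subscription, so you can confirm which subscriptions were added and what was granted at subscription level. The application display name is an assumption; replace the placeholder with the name the script reports.

```powershell
# Added verification example, not the Sophos script. Run in Azure Cloud Shell (PowerShell),
# where the Az modules are present and you are already signed in.
# Assumption: $AppDisplayName is the display name of the AD application the Sophos script registered.
param(
    [string]$AppDisplayName = 'PLACEHOLDER-APP-DISPLAY-NAME'
)

# Resolve the service principal that the script created for the application.
$sp = Get-AzADServicePrincipal -DisplayName $AppDisplayName
if (-not $sp) {
    throw "No service principal named '$AppDisplayName' was found in this tenant."
}
Write-Host "Service principal object id: $($sp.Id)"

# Walk every subscription visible to the signed-in user and report what the service
# principal was granted there. A subscription with no assignment was not added by the script.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $scope = "/subscriptions/$($sub.Id)"
    $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -ErrorAction SilentlyContinue

    if (-not $assignments) {
        Write-Host "$($sub.Name): no role assignment for the service principal"
        continue
    }
    foreach ($a in $assignments) {
        # Scope shows whether the grant is at subscription level or inherited from a management group.
        Write-Host "$($sub.Name): $($a.RoleDefinitionName) at $($a.Scope)"
    }
}
```

Compare the roles listed against what the script reported when it ran; the check is read-only and does not change any assignment.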

If you have all the required Microsoft Azure roles to create the Enterprise App for your tenant (the Application Administrator role) and to add your subscriptions (the Owner role for each subscription), you don't need to rerun the script. Other users can rerun the script to add subscriptions, if required.

After the script has run, you must turn on user and group data sync with Microsoft Azure AD, using an admin account for the subscriptions you've added. To do this, go to the URL shown at the end of the script's output. You must be an Application Administrator in the Active Directory containing the subscriptions you added. If you aren't, ask an Application Administrator to authenticate for you.