This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Installation

Product Installation Guide.

1 - Prerequisites

Requirements before installing the protector.

    Azure Services

    The following table describes the Azure services that may be part of your Protegrity installation.

    All permissions in the table must be granted with the Resource group scope.

    Service

    Description

    Microsoft Entra ID Application

    Allows authentication with Azure Function app

    Azure Managed Identity

    Allows functions assume user-defined managed identity

    Function App

    Provides serverless compute for Protegrity protection operations and ESA integration to fetch policy updates or deliver audit logs.

    API Management Service

    Provides the end-point and access control

    Azure Key Vault

    Provides cryptographic keys for envelope encryption/decryption of the policy. Stores secrets required during deployment, e.g., ESA credentials

    Blob storage

    Intermediate storage location for the encrypted ESA policy package

    Application Insights

    Application and audit logs, performance monitoring, and alerts

    Azure Event Hubs

    Required if audit logs are to be sent to ESA. Set up and configuration of a new Event Hub is covered in section Audit Log Forwarder Installation.

    ESA Version Requirements

    The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

    The table below shows compatibility between different Protector and ESA versions.

    Protector VersionESA Version
    8.x9.09.1 & 9.210.0
    2.xNoYes*No
    3.0.x & 3.1.xNoNoYesNo
    3.2.xNoNoYes*
    4.0.xNoNoNoYes

    Legend

    Yes

    Protector was designed to work with this ESA version

    No

    Protector will not work with this ESA version

    *

    Backward compatible policy download supported:

    • Data elements and features which are common between this and previous ESA versions will be downloaded
    • Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

    Prerequisites

    Requirement

    Detail

    Protegrity distribution and installation scripts

    These artifacts are provided by Protegrity

    Protegrity ESA 10.0+

    The Cloud VNet must be able to obtain network access to the ESA

    Azure Account (Azure Global or US Government Subscription)

    Recommend creating a new resource group for Protegrity.

    Required Skills and Abilities

    Role / Skillset

    Description

    Azure Account Administrator

    Ability to run Azure Resource Manager (or perform steps manually), create/configure Entra ID Application Registrations

    Protegrity Administrator

    The ESA credentials required to extract the policy for the Policy Agent

    Snowflake Administrator

    Account Admin access required to setup Snowflake integration

    Network Administrator

    Needed to open firewall to access ESA and evaluate Azure network setup

    2 - Pre-Configuration

    Configuration steps prior product installation.

      Resource Group

      Identify or create a new Azure Resource Group where the Protegrity solution will be installed. It is recommended that a new Resource group is created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some of the subsequent installation steps.

      Azure Subscription ID (AzureSubscriptionID): ____________________

      Azure Resource Group ID (ApiResourceGroupID): ___________________

      Azure Region (ApiRegion): ___________________

      Key Vault

      Key Vault is required to store secrets and encrypt policy deployment package. Identify existing Key Vault or create new.

      To create Key Vault:

      1. From the Azure Console select Create a resource.

      2. Navigate to Key Vault > Create.

      3. Select a Resource group.

      4. Enter a Key vault name.

      5. Select a Region. For the best performance, use the same region for all resources.

      6. Set the Pricing tier to Standard.

      7. Under Access configuration, select Vault access policy as the Permission model.

      8. Under Networking, ensure that Enable public access is selected.

      9. Under Review + create, click Create.

      10. Record Key Vault Name:

        Key Vault Name (PolicyKeyValue): ___________________

      Function App Storage

      Create Storage Account

      Create a storage account to host Protegrity deployment packages provided in installation artifact bundle. Note that turning on the firewall or restricting access to selected virtual networks or IP address ranges will require additional configuration and is beyond the scope of this document.

      To create Function App storage:

      1. From the Azure Console select Create a resource.

      2. Navigate to Storage account > Create.

      3. Select the Resource group where the Protegrity solution will be deployed.

      4. Enter a Storage account name.

      5. Select the Region where the Protegrity solution will be deployed.

      6. Set the Preferred storage type to Azure Blob Storage or Azure Data Lake Storage

      7. Set the Primary workload to Cloud native

      8. Setting for Performance should be set to Standard.

      9. Setting for Redundancy should be set to Geo-redundant storage (GRS).

      10. Continue to Advanced setup and verify Enable hierarchical namespace is unchecked

      11. Adjust the Networking and Data protection configurations according to your security requirements or use the default values.

      12. Under Review + create, click Create.

      13. Record the storage account name

        Storage Account Name (StorageAccountName): ____________________

      14. Record the storage blob service URL. Navigate to created Storage Account, select Settings, Endpoints, record the value of Blob Service

        Storage Account Blob Service Url (StorageAccountBlobServiceUrl): ____________________

      Upload Files

      Create a deployment container using the Azure Blob Service.

      1. Go Storage Account created in the previous step.

      2. Under Data storage section, select Containers and click + Container .

      3. Type in container name and click Create .

      4. Upload the following installation artifacts to the container:

      • protegrity-protect-azure-<version>.zip
      • protegrity-agent-azure-<version>.zip

      1. Record Protect function blob URL:

        Protect Function Blob URL (ProtectFuncURL): ____________________

      2. Record Forward function blob URL. Both Protect and Forward functions use the same protegrity-protect-azure-<version>.zip distribution:

        Forward Function Blob URL (ForwardFuncURL): ____________________

      3. Record Agent function blob URL:

        Agent Function Blob URL (AgentFuncURL): ____________________

      Create Protect Function Policy Blob

      Create a blob container for encrypted Protegrity security policy using Azure Blob Service. Agent will store encrypted policy in this container. Both Protect and Log Forwarder functions will load policy from this container.

      1. Go Storage Account created in the previous step.

      2. Under Data storage section, select Containers and click + Container .

      3. Type in container name and click Create .

      4. Right-click the container name, and select Container properties to obtain URL.

        Append the name of the policy file to the container URL, e.g, https://<your-storage-account>.blob.core.windows.net/<your-policy-container>/<your-policy-file-name>.zip. Record the blob url.

        Protect Function Policy Blob URL (ProtectFuncPolicyBlobUrl): ____________________

      Create Agent Policy Blob Container

      The Agent function uploads an encrypted policy zip package to a blob container which is used as a staging storage. Create the policy staging container

      To prepare the policy blob container:

      1. Under Storage account created in previous step, select Data storage > Containers and click + Container .

      2. Type in a container name and click Create .

        Agent Policy Blob Container Name (AgentPolicyBlobContainer): ___________________

      3 - Protect Service Installation

      Product Installation Guide.

        Preparation

        1. Ensure that all the steps in Pre-Configuration are performed.

        2. Login to the Azure account console where Protegrity will be installed.

        3. Ensure the Azure Resource Manager templates provided by Protegrity are available on your local computer.

        Register an Entra ID App

        A Microsoft Entra ID App provides the mechanism for Client to authenticate with the Function App instance. Creating an Entra ID app requires appropriate permissions to the Azure Subscription and is typically performed by the Azure Account Administrator.

        To register an Entra ID App:

        1. In the Azure portal navigate to Microsoft Entra ID.

        2. Click + Add and select App registration.

        3. Enter a Name and select Accounts in any organizational directory.

        4. Leave the Redirect URI empty and select Register.

        5. After registration is complete record the application name and application id displayed in the overview window.

          Entra ID Application Name (EntraIDApplicationName): ___________________

          Entra ID Application ID (EntraIDApplicationID): ___________________

        Protect Function User-Assigned Managed Identity

        User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

        1. In the search box, enter Managed Identities. Under Services, select Managed Identities

        2. Select Create

        3. For Subscription provide recorded value of AzureSubscriptionID

        4. For Resource Group provide recorded value of ApiResourceGroup

        5. For Region provide recorded value of ApiRegion

        6. For Name provide a name of the new identity

        7. Assign following roles to this identity:

          • Storage Blob Data Owner
          • Monitoring Metrics Publisher
          • Azure Event Hubs Data Sender: required only if function is sending logs to ESA

        8. Record Protect function user-assigned identity

          Protect Function User-Assigned Identity (ProtectFuncUserAssignedIdentity): ____________________

        Install Protect Function via Azure Resource Manager

        Resources created with the ARM template include API Management service, Function App, App Service Plan and Application Insights service.

        To install protect function via Azure Resource Manager:

        1. From Azure Console, select Create a resource, search for template then select Template deployment (deploy using custom templates) > Create.

        2. Select Build your own template in the editor.

        3. Click Load File and upload pty_protect_arm_v2.json, then click Save.

        4. Select a Resource group.

        5. Enter a Name for the resources. All resources will be prefixed with Protegrity-Protect except for log container which will be prefixed with ptylogs. For more information on naming rules see: Azure resource name rules.

        6. For Location input specify Azure region name or leave default to deploy in the same region as resource group.

        7. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Protect Function Blob Url.

        8. For Protect Function Blob Url use the value from Upload Files.

        9. For Function App Managed Identity Optionally use the value from Protect Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.

        10. For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.

        11. For Create Api Management Service select Do not create. API Management Service is required only for integration with Snowflake. This service is not required otherwise.

        12. For Api Management Service Sku Applicable only when API Management Service is created. Skip this if API Management Service is not created. Either Consumption (if available) or Premium are recommended. Note that this will affect the running cost.

        13. For Username Regex you can optionally specify regex to extract policy username from the request. See Configuring Regular Expression to Extract Policy Username for more details.

        14. For Entra ID Application ID enter the value recorded in Register an Entra ID App.

        15. For Forward Logs To ESA select whether audit logs are to be sent to ESA or not. If you are not planning on sending audit logs to ESA you can skip Event Hub Nameand Event Hub Namespace properties below. For details on creating and configuring Event Hubs see Audit Log Forwarder Installation

        16. For Event Hub Name provide the name of Event Hub which will be used to send audit logs to ESA.

        17. For Event Hub Namespace provide the name of Event Hub Namespace which is hosting Event Hub selected in previous step.

        18. Under Review + create, click Create. Wait for all resources to deploy. If the deployment fails for any resources of type Microsoft.Web/sites/host/functionKeys then click Redeploy and try deploying again.

        19. After deployment is complete, go to Outputs and record protectFunctionName, azureTenantId and apiGatewayUrl.

          Protect Function Name (ProtectFuncName): __________________

          Azure Tenant ID (AzureTenantID): __________________

          API Gateway URL (ApiGatewayURL): __________________

        Function System-Assigned Managed Identity

        System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

        If you have not created a user-assigned managed identity at Protect Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

        1. Navigate to the function

        2. Select Settings, Identity.

        3. Confirm Status of system-assigned identity is already On on System Assigned tab

        4. Click on Azure role assignments button.

        5. Assign following roles to this identity:

          • Storage Blob Data Owner
          • Monitoring Metrics Publisher
          • Azure Event Hubs Data Sender: required only if function is sending logs to ESA

        6. From Azure console, navigate to Function App and select protect function deployed in previous section.

        7. Select Overview and click Restart button. Wait until function restart completes.

        Update Key Vault Access Policies

        The Key vault must be updated to allow the Function App to decrypt the policy files. Azure assigns a unique identifier to each Function App instance that can be used to grant permissions to that instance. Update the Key vault access policies with the Protect function. To update the key vault access policies:

        Obtain Function App identifier

        1. Navigate to the Function App service in the Azure portal.

        2. Select the newly created Protect Function App instance.

        3. Select the Identity option under Settings.

        4. Ensure that setting System assigned is set to Status On.

        5. Record the Object ID:

          Protect Function Object ID: ___________________

        Update the Key vault access policies with the Protect function’s Object ID

        1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
        2. Select Access policies.
        3. Click Create.
        4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
        5. Proceed Next to Principal.
        6. Enter the Protect Function Object ID recorded in this section into the search field.
        7. Select the Function App instance.
        8. Proceed Next to Application and Next again to Review + Create.
        9. Review permissions and Create.

        Upload the Sample Policy

        The Protegrity installation bundle contains a sample policy which can be used to test the protect service installation without an ESA. Upload the sample policy artifact to the policy Blob storage container:

        1. Go to Azure console and select Storage Account Name (StorageAccountName) recorded in step Create Storage Account.

        2. Under Data storage select Blob Containers and select container created in Protect Function Policy Blob Container

        3. Click Upload and select protegrity-sample-policy-<version>.zip file from your local computer.

        4. Click Upload and wait for the file to complete uploading.

        5. Record the sample policy blob url:

          Sample Policy Blob Url (SamplePolicyBlobUrl): ___________________

        Test the Protect Function Installation

        Before continuing with next steps, you may verify the protect service is installed correctly. This step is optional and can be skipped.

        1. From Azure console, navigate to Function App and select protect function app.

        2. Select Overview and record URL value as <Protect Function URL>.

        3. Navigate to Settings > Environment variables and click OPENID_ENABLED.

        4. Change value to false and click Apply.

        5. Select or create variable AZURE_POLICY_BLOB_URL.

        6. Set value of AZURE_POLICY_BLOB_URL to value recorded for SamplePolicyBlobUrl and click Apply.

        7. Select Apply and Confirm to finalize setting changes.

        8. Go to Functions > App keys and record the value of default key under Host Keys (All functions) as <Protect Function app key>.

        9. Run the following CURL command to test Function deployment.

          curl -X POST "<Protect Function URL>/api/v1/unprotect" -k \
-H 'x-functions-key: <Protect Function app key>' \
-H 'Content-Type: application/json' \
-d '{
  "data": ["UtfVk UHgcD!"],
  "user": "MARIA",
  "data_element": "alpha"
}'

        10. Replace <Protect Function URL> and <Protect Function app key> with the values recorded in step 2 And 5.

        11. Run curl command. Verify the following output.

          {"data":["hello world!"], "success": true, "encoding": "utf8"}

        12. Go back to Function app. Select Settings > Environment variables and click OPENID_ENABLED,

        13. Change value to true and click Apply. Select Apply and Confirm to finalize.

        Troubleshooting

        To review live requests, navigate to Application Insights service and select item with the same name as the protect function. Under Investigate, select Live Metrics. Wait for the dashboard to load, then go to Sample Telemetry pane on the right and look for the requests in question.

        To review the full history of requests from Application Insights under Monitoring select Logs:

        1. Select the Tables tab.
        2. Hover over one of the table names under Application Insights header, for example exceptions.
        3. Click on See preview data.
        4. Click Use in editor.

        You can also run the query directly in the query editor. For instance to select the 10 latest exceptions run the following query.

        exceptions 
| where timestamp > ago(24h)
| order by timestamp
| limit 10

        Protect Function App Configuration

        Protect Function app can be customized using environment variables. From Azure console, navigate to Function App service and select protect function app. Navigate to Settings > Environment variables. Add or Edit environment variables based on the following information.

        ParameterDescriptionNotes
        OPENID_ENABLEDWhen set to true, every request is required to have an Authorization header with the bearer token set to a valid OAuth access token.The following configuration attributes will also be required: OPENID_AUDIENCES, OPENID_ISSUERS, OPENID_METADATA_URL.
        OPENID_AUDIENCESThe JWT token must have the “aud” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.applicable when OPENID_ENABLED= “true”.
        OPENID_ISSUERSThe JWT token must have the “iss” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.applicable when OPENID_ENABLED= “true”.
        OPENID_METADATA_URLA URL that points to an OpenID Connect identity provider configuration document, which is also known as OpenID well-known configuration endpoint.applicable when OPENID_ENABLED= “true”.
        authorizationWhen equals “jwt”, Authorization Header JWT will be required in the Rest API Protect payload.
        Supported Values: [“jwt”, “”]When equals to “jwt”, any request without Valid JWT in the Authorization header, will result in an error from API Gateway: 502 Bad Gateway.
        allow_assume_userIf set to 0, The user from the payload will not be used, and the policy user is the JWT user.
        Supported Values: [0, 1]applicable when authorization = “jwt”.
        Default Value: 0
        jwt_user_claimThe JWT payload claim with username. Common claims: name, preferred_username, cognito:usernameApplicable when authorization = “jwt”
        Default Value: cognito:username
        service_userIf service_user is set the protect request will use it for the policy user.service_user should be used when the Cloud API should always run as one service_user no matter what user is in the request. service_user will always take priority over any other user in the payload or in the JWT header.
        AZURE_POLICY_BLOB_URLThis points to Protegrity security policy blob. It is updated by the Agent to point to latest security policy.
        USERNAME_REGEXIf USERNAME_REGEX is set, the effective policy user will be extracted from the user in the request.
        EVENTHUB_NAMEEvent Hub name where audit logs are to be sent to. Logs are not forwarded to ESA when this parameter is empty.
        EventHub__fullyQualifiedNamespaceEvent Hub fully qualified namespace. Logs are not forwarded to ESA when this parameter is empty.
        PTY_CORE_FLUSHINTERVALTime interval in seconds used to accumulate audit logs before sending to Event Hub. Default value: 10.Audit logs are always aggregated into one minute buckets. A value greater than 60 will influence only audit log batching while sending logs to Event Hub. A value less than 60 will influence both aggregation and audit log batching.
        PTY_LOG_LEVELFunction min log level. Default: SevereOne of case-insensitive strings: off, severe, warning, info, config, all.
        PTY_WRITE_LOG_ON_SINGLE_LINEWhether to write log level and message on one line or separate lines. Default: trueStarting from version 3.1.0, log level and message are printed on single line. Use this environment variable to switch to multi-line logging for backward compatibility with pre-3.1.0 release.
        EVENT_LEVELLevel of logs produced by Azure services. Default: ErrorOne of case-insensitive strings: LogAlways, Critical, Error, Warning, Informational, Verbose. Set to at least ‘Informational’ during initial configuration, set to at most ‘Error’ in production environments.
        ParameterNotes
        AZURE_CLIENT_IDSets the Managed Identity Client ID for Function App runtime. System-Assigned Identity is used when variable is not set.
        APPLICATIONINSIGHTS_AUTHENTICATION_STRINGDefine identity for Application Insights access. Managed Identity Client ID is provided to this setting with Function App Managed Identity ARM template parameter. See the corresponding Azure AD Authentication documentation: Azure AD authentication
        APPLICATIONINSIGHTS_CONNECTION_STRINGConnection String for Application Insights instance. See the corresponding Azure Connection String documentation: Connection strings
        FUNCTIONS_EXTENSION_VERSIONAzure Functions extension version
        FUNCTIONS_WORKER_RUNTIMERuntime of the function
        WEBSITE_RUN_FROM_PACKAGEURL to the zip file in blob storage with function runtime source
        WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_IDManaged Identity used to load function runtime source
        AzureWebJobsStorage__blobServiceUriURL of the storage account which hosts the blob identified in WEBSITE_RUN_FROM_PACKAGE
        AZURE_TENANT_IDTenant identifier in Azure Active Directory
        AzureWebJobs.AuditLogForwarder.DisabledDefines whether audit log forwarder function is disabled or not
        AzureWebJobs.Protect.DisabledDefines whether Protect function is disabled or not
        AzureWebJobs.v1-openapi.DisabledDefines whether v1-openapi function is disabled or not
        AzureWebJobs.v1-protect.DisabledDefines whether v1-protect function is disabled or not
        AzureWebJobs.v1-unprotect.DisabledDefines whether v1-unprotect function is disabled or not

        4 - Policy Agent Installation

        Install the policy agent.

          Policy Agent Function installation is done via Azure Resource Manager template provided by Protegrity. Before running the template, some resources must be created manually.

          ESA Server

          Policy Agent function requires ESA server running and accessible from Agent Function App on TCP port 8443. Make sure inbound connections on TCP:8443 are allowed for the network where ESA is hosted. You can find the list of Agent Function Outbound IP addresses after you deploy the function in Agent Function Outbound IP address

          Note down ESA IP to be accessed form Agent Function:

          ESA IP Address (EsaIpAddress): ___________________

          Certificates on ESA

          By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in policy agent Cloud Function Environment variables configuration.

          In case ESA is configured with publicly signed certificates, this section can be skipped since the agent function will use public CA to validate ESA certificates.

          To obtain self-signed CA certificate from ESA:

          1. Log in to ESA Web UI.

          2. Select Settings > Network > Manage Certificates.

          3. Hover over Server Certificate and click on download icon to download the CA certificate.

          4. After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.

            To escape new lines from command line, use one of the following commands depending on your operating system:

            Linux Bash:

            awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt

            Windows PowerShell:

            (Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'

          5. Record the certificate content with new lines escaped.

            ESA CA Server Certificate (EsaCaCert): ___________________

            This value will be used to set PTY_ESA_CA_SERVER_CERT variable in the Policy Agent Function Configuration section Configure Function

          For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

          Create Policy Encryption Key

          Create a policy encryption key.

          To create policy encryption key:

          1. From Azure console, navigate to Key Vaults and select Key Vault created in Key Vault.

          2. Under Objects, select Keys.

          3. Click Generate/Import.

          4. Specify the following:

            a. Key name for the Name field.

            b. RSA for Key type.

            c. 2048 for RSA key size.

            d. Set Enabled toggle to Yes.

          5. Select Create.

          6. Click on the key name after creation is complete, then click on the key identifier row under CURRENT VERSION.

          7. Copy the full URL value of Key Identifier. Record it for later use:

            Policy Encryption Key ID (PolicyEncryptionKey): _________________

          Agent Function User-Assigned Managed Identity

          User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

          1. In the search box, enter Managed Identities. Under Services, select Managed Identities

          2. Select Create

          3. For Subscription provide recorded value of AzureSubscriptionID

          4. For Resource Group provide recorded value of ApiResourceGroup

          5. For Region provide recorded value of ApiRegion

          6. For Name provide a name of the new identity

          7. Assign following roles to this identity:

            • Storage Blob Data Owner with scope Storage account
            • Monitoring Metrics Publisher with scope Resource Group
            • Website Contributor with scope Resource Group

          8. Record Agent function user-assigned identity

            Agent Function User-Assigned Identity (AgentFuncUserAssignedIdentity): ____________________

          Install Agent via ARM template

          Resources created with ARM template include Function App, Premium V3 App Service Plan (optional) and Application Insights service. Run Azure Resource Manager deployment.

          To install Agent via ARM template:

          1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

          2. Select Build your own template in editor.

          3. Select Load File and upload pty_agent_arm_v2.json. Click Save.

          4. Select Resource Group.

          5. Specify Name for the resources (All resources will be prefixed with Protegrity-Agent).

          6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

          7. For Agent Function Blob Url use the value from Upload Files

          8. For Function App Managed Identity Optionally use the value from Agent Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.

          9. If you set Use Existing App Service Plan to True, you must specify existing Linux App Service Plan name in the next parameter.

          10. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Agent Function Blob Url.

          11. Select Review + create then Create. Wait for all resources to deploy

          12. After deployment is complete, go to Outputs and record agentFunctionName:

            Agent Function Name: __________________

          Function System-Assigned Managed Identity

          System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

          If you have not created a user-assigned managed identity at Agent Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

          1. Navigate to the function

          2. Select Settings, Identity.

          3. Confirm Status of system-assigned identity is already On on System Assigned tab

          4. Click on Azure role assignments button.

          5. Assign following roles to this identity:

            • Storage Blob Data Owner with scope Storage account
            • Monitoring Metrics Publisher with scope Resource Group
            • Website Contributor with scope Resource Group

          Creating ESA Credentials

          Policy Agent Function requires ESA credentials to be provided as one of the two options:

          ESA Credentials In Azure Key Vault

          Policy Agent Function uses Key Vault as secure store for sensitive information like ESA username and password.

          Create ESA credentials secrets:

          1. Navigate to Key Vault.

          2. Under Objects, select Secrets > Generate/import.

          3. Select Manual, then type in valid json as shown in the example for Secret value.

            {"username": "<policy_export_user>", "password": "<password>"}

          4. Select Create.

          5. Navigate to the secret details in Key Vault by selecting the newly created secret.

          6. Inspect the current secret version properties by selecting the current version.

          7. Copy the Secret Identifier value. For example https://<myvault>.vault.azure.net/secrets/<mysecret>/abcdefgxyz8edef595adaehij0d99123.

          8. Record the Secret Identifier for later use.

          ESA Credentials From Custom Azure Function App

          Policy Agent Function requests ESA username and password from a custom Azure Function App, further referred to as ESA Credentials function. This method may be used to get the username and password from external vaults.

          There are four options for configuring Policy Agent authorization with ESA Credentials function: Option 1, Option 2, Option 3 and Option 4. Only one option is expected to be configured at a time.

          Create ESA credentials function:

          1. Create Azure HTTP triggered ESA Credentials function using any supported runtime.

            a. There is no input needed.

            b. The function must accept an HTTP POST request.

            c. The function must return the following response schema

            ```
response: 
type: json object
  properties: 
    username: string 
    password: string  
```

For example,

```
{"username": "admin", "password": "Password1234"} 
```

          2. Configure Policy Agent to use ESA Credentials function app.

            a. Navigate to HTTP triggered function to open ‘Code + Test’ page.

            b. Under ‘Code + Test’ tab on ‘Code + Test’ page select ‘Resource JSON’.

            c. In ‘Resource JSON’ blade record the value of ‘invoke_url_template’ property.

            **'invoke_url_template'** property is located towards the bottom of resource json.

URL must be in the form of 'https://[function-app-name].azurewebsites.[net|us]/api/[http-trigger-name]'.

**ESA Credentials function URL (EsaCredentialsFnUrl):__________**

            d. Navigate to Policy Agent function app.

            e. Expand Settings menu item.

            f. Select Environment Variables menu item.

            g. Click Add button.

            h. For Name use PTY_ESA_CREDENTIALS_FUNCTION.

            i. For Value use ESA Credentials function URL (EsaCredentialsFnUrl) recorded in previous steps.

            j. Hit Apply in Add/Edit application setting blade.

            k. Hit Apply in App Settings tab.

          3. Configure Authorization Option 1: Function Key Option 2: Key Vault Option 3: System-assigned Identity Option 4: User-assigned Identity

          Authorization Option 1: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from environment variables.

          1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

            Review Azure documentation on how to accomplish this.

          2. Navigate to ESA Credentials function app.

          3. Expand Functions menu item.

          4. Select App Keys.

          5. Record default key value.

            ESA Credentials function key (EsaCredentialsFnKey):_______________

          6. Navigate to Policy Agent function app.

          7. Expand Settings menu item.

          8. Select Environment Variables menu item.

          9. Click Add button.

          10. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY.

          11. For Value use ESA Credentials function key (EsaCredentialsFnKey) recorded in previous steps.

          12. Hit Apply in Add/Edit application setting blade.

          13. Hit Apply in App Settings tab.

          Authorization Option 2: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from Azure Key Vault.

          1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

            Review Azure documentation on how to accomplish this.

          2. Navigate to ESA Credentials function app.

          3. Expand Functions menu item.

          4. Select App Keys.

          5. Record default key value.

            ESA Credentials function key (EsaCredentialsFnKey):_______________

          6. Navigate to Key Vault.

          7. Under Objects, select Secrets > Generate/import.

          8. Select Manual, type in secret name and use ESA Credentials function key value recorded in previous steps (EsaCredentialsFnKey) for Secret value.

          9. Select Create.

          10. Record Key Vault secret name.

            ESA Credentials function key secret name (EsaCredentialsFnKeySecretName):_______________

          11. Navigate to Policy Agent function app.

          12. Expand Settings menu item.

          13. Select Environment Variables menu item.

          14. Click Add button.

          15. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET.

          16. For Value use ESA Credentials function key secret name (EsaCredentialsFnKeySecretName) recorded in previous steps.

          17. Hit Apply in Add/Edit application setting blade.

          18. Hit Apply in App Settings tab.

          Authorization Option 3: Configure ESA Credentials authentication provider to authorize Policy Agent system-assigned identity.

          1. Navigate to Policy Agent function app

          2. Expand Settings menu item

          3. Select Identity

          4. Select System assigned tab

          5. Status should already be On

            Other Status indicates Policy Agent was installed without system-assigned identity. Before proceeding any further you need to either install Policy Agent with system-assigned identity or follow Option 4 which describes configuration steps for Policy Agent installed with user-assigned managed identity.

          6. Copy Object (principal) ID

          7. Navigate to ESA Credentials function app

          8. Expand Settings menu item

          9. Select Authentication

          10. Select Add identity provider

            Review related Microsoft documentation

          11. Select Microsoft in identity provider dropdown

          12. For App registration type provide details of your choice

          13. For Issuer URL accept the default value

          14. For Client application requirement select Allow requests from any application

            Access will be limited to only the Policy Agent identity in the next step

          15. For Identity requirement select Allow requests from specific identities

          16. For Allowed identities add Object (principal) ID copied in previous step

          17. For Restrict access select Require authentication

          18. For Unauthenticated requests select HTTP 401 Unauthorized: recommended for APIs

          19. Check Token store

          20. Select Add

          21. Click OK to apply constraint

          22. Click Save

          23. Navigate to Application of Microsoft identity provider

            A link to identity providers application is available under Authentication menu item of ESA Credentials function

          24. Expand Manage menu item

          25. Select Expose an API

          26. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

          27. Record Application ID URI of identity provider

            ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

          28. Navigate to Policy Agent function app.

          29. Expand Settings menu item.

          30. Select Environment Variables menu item.

          31. Click Add button.

          32. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

          33. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

            Review Microsoft identity platform default scope

          34. Hit Apply in Add/Edit application setting blade.

          35. Hit Apply in App Settings tab.

          Authorization Option 4: Configure ESA Credentials authentication provider to authorize Policy Agent user-assigned identity.

          1. Navigate to Policy Agent function app

          2. Expand Settings menu item

          3. Select Identity

          4. Select User assigned tab

            User-assigned identity should already be provided. Missing user-assigned identity indicates Policy Agent was installed without user-assigned identity. Before proceeding any further you need to either install Policy Agent with user-assigned identity or follow Option 3 which describes configuration steps for Policy Agent installed with system-assigned managed identity.

          5. Copy Client ID

          6. Copy Object (principal) ID

          7. Navigate to ESA Credentials function app

          8. Expand Settings menu item

          9. Select Authentication

          10. Select Add identity provider

            Review related Microsoft documentation

          11. Select Microsoft in identity provider dropdown

          12. For App registration type provide details of your choice

          13. For Issuer URL accept the default value

          14. For Client application requirement select Allow requests from specific client applications

          15. For Allowed client applications add Client ID copied in previous step

          16. Click OK to apply constraint

          17. For Identity requirement select Allow requests from specific identities

          18. For Allowed identities add Object (principal) ID copied in previous step

          19. Click OK to apply constraint

          20. Click Save

          21. Navigate to Application of Microsoft identity provider

            A link to identity providers application is available under Authentication menu item of ESA Credentials function

          22. Expand Manage menu item

          23. Select Expose an API

          24. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

          25. Record Application ID URI of identity provider

            ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

          26. Navigate to Policy Agent function app.

          27. Expand Settings menu item.

          28. Select Environment Variables menu item.

          29. Click Add button.

          30. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

          31. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

            Review Microsoft identity platform default scope

          32. Hit Apply in Add/Edit application setting blade.

          33. Hit Apply in App Settings tab.

          Agent Function Key Vault Access Policies

          Agent Function requires access to Key Vault created in Key Vault to encrypt policy and to access configuration secrets.

          1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
          2. Select Access policies.
          3. Click Create.
          4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Wrap Key under Cryptographic Operations. c. Get under Secret Permissions.
          5. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Agent Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Agent via ARM template
          6. Proceed Next to Application and Next again to Review + Create.
          7. Review permissions and Create.

          Agent Function Outbound IP address

          Agent Function App IP addresses may be useful for configuring ESA policy store and allowing traffic between Agent and ESA.

          To obtain the list of Outbound IP addresses:

          1. From Azure console navigate to Function App, select the Agent Function App.
          2. Select Settings > Networking.
          3. Under Outbound traffic configuration, select Show More next to Outbound addresses

          Configure Function

          Agent Function must be configured with parameters recorded in steps above.

          To configure Function:

          1. Open Function App service from the Azure console. Select the Function App created for policy agent in previous steps.

          2. Navigate to Settings > Environment variables .

          3. On the App Settings pane, click on Show values to reveal all configuration values

          4. To modify multiple parameters, click the pencil icon Advanced edit at the top. Alternatively you may click on the environment variable name to edit single values.

          5. Modify parameters according to the table below. If configuration has a default value you don’t have to change it

          Parameter

          Notes

          AZURE_KEY_VAULT_NAME

          Key Vault

          AZURE_POLICY_BLOB_URL

          URL of the Azure Blob file which is used to store Protegrity security policies for protector consumption. See ProtectFuncPolicyBlobUrl in Protect Function Policy Blob

          AZURE_RETAIN_POLICY_BLOB

          The amount of policy backups to retain. Default: 10. Allowed values: -1, >1. Value of -1 will disable cleanup of backup policies.

          PROTEGRITY_PROTECT_FUNCTION

          Protegrity function to be updated when new policy is deployed. Provide a comma separated list of protect function app names for updating multiple protectors:

          Protegrity-Protect-func1,Protegrity-Protect-func2

          PTY_ESA_IP

          ESA Server

          AZURE_ESA_CREDENTIALS_SECRET_ID

          ESA Credentials In Azure Key Vault

          AZURE_ENCRYPTION_KEY_ID

          Create Policy Encryption Key

          PEP_CONFIG_CASE_SENSITIVE

          Default: No Allowed values: yes/no

          Specifies whether policy usernames should be case sensitive

          PTY_ADDIPADDRESSHEADER

          When enabled, agent will send its source IP address in the request header. This configuration works in conjunction with ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP (default=false). See Associating ESA Data Store With Cloud Protect Agent for more information.

          Default: yes

          Allowed values:

          yes

          no

          PEP_CONFIG_EMPTY_STRING

          Default: empty Allowed values: null empty

          Determines outcome of empty value operation. For example, (un)protect(’’) -> null (un)protect(’’) ->

          DISABLE_DEPLOY

          Default: 0

          POLICY_PULL_TIMEOUT

          Default: 20s

          ESA_CONNECTION_TIMEOUT

          Default: 5s

          LOG_LEVEL

          Default: INFO. Allowed values: DEBUG, INFO, WARNING, ERROR

          AZURE_SUBSCRIPTION_ID

          Default: Same as ARM Resource group

          AZURE_RESOURCE_GROUP_NAME

          Default: Same as ARM Resource group

          POLICY_DOWNLOAD_CRON_EXPRESSION

          Describes how often Agent Function will run Default: 0 0 * * * * (Every hour)

          PTY_ESA_CA_SERVER_CERT

          ESA self-signed CA certificate used by policy Agent function to ensure ESA is the trusted server.

          Recorded in step Certificates on ESA

          In case ESA is configured with publicly signed certificates, the PTY_ESA_CA_SERVER_CERT configuration will be ignored.

          PTY_ESA_CREDENTIALS_FUNCTION

          Instead of supplying AZURE_ESA_CREDENTIALS_SECRET_ID environment variable, ESA credentials can be provided by a custom Azure Function App. Provide a value recorded for EsaCredentialsFnUrl

          PTY_ESA_CREDENTIALS_FUNCTION_KEY

          When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using function app key. Provide a value recorded for EsaCredentialsFnKey

          PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET

          When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using function app key stored in Azure Key Vault. Provide a value recorded for EsaCredentialsFnKeySecretName

          PTY_ESA_CREDENTIALS_FUNCTION_SCOPE

          When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using its own identity. Provide a value here recorded for EsaCredentialsFnAppIdUri appended with /.default to create authentication scope. Review Microsoft identity platform default scope

          PTY_SYNC_DATASTORE

          		Name of the target datastore

          PTY_DATASTORE_KEY

          The export key is the public part of an asymmetric key pair created in a Create Policy Encryption Key. A user with Security Officer permissions adds the public key to the data store in ESA via Policy Management > Data Stores > Export Keys. The fingerprint can then be copied using the Copy Fingerprint icon next to the key. Refer to Exporting Keys to Datastore for details.

          1. Click Apply at the bottom of the screen and then Confirm to save the changes.

          Parameter

          Notes

          AZURE_CLIENT_ID

          Sets the Managed Identity Client ID for Function App runtime. System-Assigned Identity is used when variable is not set.

          APPLICATIONINSIGHTS_AUTHENTICATION_STRING

          Define identity for Application Insights access. Managed Identity Client ID is provided to this setting with Function App Managed Identity ARM template parameter. See the corresponding Azure AD Authentication documentation: Azure AD authentication

          APPLICATIONINSIGHTS_CONNECTION_STRING

          Connection String for Application Insights instance. See the corresponding Azure Connection String documentation: Connection strings

          FUNCTIONS_EXTENSION_VERSION

          Azure Functions extension version

          FUNCTIONS_WORKER_RUNTIME

          Runtime of the function

          WEBSITE_RUN_FROM_PACKAGE

          URL to the zip file in blob storage with function runtime source

          WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID

          Managed Identity used to load function runtime source

          AzureWebJobsStorage__blobServiceUri

          URL of the storage account which hosts the blob identified in WEBSITE_RUN_FROM_PACKAGE

          Test Agent Function Installation

          After configuration is complete you can test the function.

          To test Agent function installation:

          1. Navigate to Overview.

          2. Select the function agent from the Functions tab.

          3. Click Code + Test > Test/Run and then Run to execute the function.

          4. You should see a 202 Accepted response.

          5. Expand Logs output at the bottom of the page. Click Maximize to enlarge log output.

          6. Below is an example log output from successful agent run.

            
INFO:AZURE_SUBSCRIPTION_ID: [xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
INFO:AZURE_KEY_VAULT_NAME: [vault-name]
INFO:AZURE_ENCRYPTION_KEY_ID: [https://vault-name.vault.azure.net/keys/key-name/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
INFO:AZURE_RESOURCE_GROUP_NAME: [resource-group-name]
INFO:AZURE_POLICY_BLOB_URL: [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip]
INFO:AZURE_RETAIN_POLICY_BLOB: [3]
INFO:PROTEGRITY_PROTECT_FUNCTION: [Protegrity-Protect-xxxx]
INFO:DISABLE_DEPLOY: [0]
INFO:PTY_ESA_IP: [xxx.xxx.xxx.xxx]
INFO:PTY_SYNC_DATASTORE: []
INFO:POLICY_PULL_TIMEOUT: [40]
INFO:LOG_LEVEL: [info]
INFO:PTY_CORE_EMPTYSTRING: [empty]
INFO:PTY_CORE_CASESENSITIVE: [no]
INFO:PTY_ADDIPADDRESSHEADER: [yes]
INFO:Starting policy agent [4.0.3] ...
INFO:ESA_CONNECTION_TIMEOUT: [60]
INFO:Using ESA CA certificate from PTY_ESA_CA_SERVER_CERT environment variable.
INFO:ResilientPackageClient initialized.
INFO:Retrieving ESA rps version
INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[]
INFO:RPS Version: 1.9.2, Build: 1.9.2+1.g4bfba.1.9
INFO:Checking ESA rps export availability
INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[QA_DATA_STORE]
INFO:Export available, Last-Modified: [Thu, 01 Jan 2026 00:00:00 GMT]
INFO:Getting current policy metadata [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip] ...
INFO:Last modified: [Thu, 01 Jan 2026 00:00:00 GMT], Last deployed: [Thu, 01 Jan 2026 00:00:00 GMT]
WARNING:Current policy deployment has no checksum_mapping metadata:
INFO:No changes in the policy since last download. Skipping policy deployment.
INFO:Checking container for the last deployed policy [https://resource-group-name.blob.core.windows.net/policy]...
INFO:[Protegrity-Protect-xxxx] current policy blob url: [https://resource-group-name.blob.core.windows.net/policy/2026-02-01_18-00-00/protegrity-policy-name.zip]
INFO:Policy blob in sync for function [Protegrity-Protect-xxxx]
INFO:[0] blobs are outside of the retention period [3]

          7. If the log output in this window pauses or is difficult to read, you may navigate back to the Agent Function App overview and select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to view logs.

          Troubleshooting

          To review the most recent invocation traces, navigate to the function app instance. Select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to retrieve the full history of executions with detailed traces.

          5 - Audit Log Forwarder Installation

          Install the audit log forwarder.

            The following sections provide installation steps for the Log Forwarder component in Azure. The Log Forwarder deployment allows for the audit logs generated by Protect Service to be delivered to ESA for auditing and governance purposes. Log Forwarder component is optional and is not required for the Protect Service to work properly. See Audit Log Forwarder Architecture for more information. Some of the installation steps are not required for the operation of the software but recommended for establishing a secure environment. Contact Protegrity for further guidance on configuration alternatives in the cloud.

            ESA Audit Store Configuration

            ESA server is required as the recipient of audit logs. Verify the information below to ensure ESA is accessible and configured properly.

            1. ESA server running and accessible on TCP port 9200 (Audit Store) or 24284 (td-agent).

            2. Audit Store service is configured and running on ESA. Applies when audit logs are output to Audit Store directly or through td-agent. For information related to ESA Audit Store configuration, refer to Audit Store Guide.

            3. (Optional) td-agent is configured for external input. For more information related to td-agent configuration, refer to ESA guide Sending logs to an external security information and event management (SIEM).

            Certificates on ESA

            By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in Log Forwarder configuration.

            In case ESA is configured with publicly signed certificates, this section can be skipped since the Log Forwarder will use public CA to validate ESA certificates.

            To obtain self-signed CA certificate from ESA:

            1. Download ESA CA certificate from the /etc/ksa/certificates/plug directory of the ESA

            2. After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.

              To escape new lines from command line, use one of the following commands depending on your operating system:

              Linux Bash:

              awk 'NF {printf "%s\\n",$0;}' CA.pem > output.txt

              Windows PowerShell:

              (Get-Content '.\CA.pem') -join '\n' | Set-Content 'output.txt'

            3. Record the certificate content with new lines escaped.

              ESA CA Server Certificate (EsaCaCert): ___________________

              This value will be used to set PTY_ESA_CA_SERVER_CERT Log Forwarder variable in section Install Log Forwarder via ARM template

            For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

            ESA Authentication

            Audit Log Forwarder must authenticate with ESA using certificate-based authentication with client certificate and certificate key. Download the following certificates from the /etc/ksa/certificates/plug directory of the ESA:

            • client.key
            • client.pem

            Both certificate and certificate key must be converted to single-line values using code similar to the following examples.

            Client certificate (client.pem):

            $folder = 'C:\Temp'
cd $folder
(Get-Content "$folder\client.pem") -join '\n' | Set-Content "$folder\one-liner-client.pem"
cat "$folder\one-liner-client.pem"

            folder="/tmp"
cd "$folder"
awk 'NF {printf "%s\\n",$0}' "client.pem" > "one-liner-client.pem"
cat "one-liner-client.pem"

            Client certificate key (client.key):

            $folder = 'C:\Temp'
cd $folder
(Get-Content "$folder\client.key") -join '\n' | Set-Content "$folder\one-liner-client.key"
cat "$folder\one-liner-client.key"

            folder="/tmp"
cd "$folder"
awk 'NF {printf "%s\\n",$0}' "client.key" > "one-liner-client.key"
cat "one-liner-client.key"

            There are two options to configure Log Forwarder for certificate authentication:

            • While installing using ARM template
              1. Provide single-line client certificate for Esa Client Cert
              2. Provide Azure Key Vault secret name for Esa Client Cert Key Secret Name which stores single-line certificate key file.
            • When re-configuring after installation using environment variables
              1. Provide single-line client certificate for ESA_CLIENT_CERT
              2. Provide Azure Key Vault secret name for ESA_CLIENT_CERT_KEY_SECRET_NAME which stores single-line certificate key file.

            Create Key Vault Secrets

            Log Forwarder uses Key Vault as a secure store for certificate key file.

            Create secret in Key Vault for certificate key file:

            1. Navigate to Key Vault.

            2. Under Objects, select Secrets > Generate/import.

            3. Select Manual, type in secret name and specify single-line certificate key file value for Secret value.

            4. Select Create.

            5. Record secret name:

              ESA Client Cert Key Secret Name (EsaClientCertKeySecretName): ___________________

            Function User-Assigned Managed Identity

            User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

            1. In the search box, enter Managed Identities. Under Services, select Managed Identities

            2. Select Create

            3. For Subscription provide recorded value of AzureSubscriptionID

            4. For Resource Group provide recorded value of ApiResourceGroup

            5. For Region provide recorded value of ApiRegion

            6. For Name provide a name of the new identity

            7. Assign following roles to this identity:

              • Storage Blob Data Owner
              • Monitoring Metrics Publisher
              • Azure Event Hubs Data Receiver

            8. Record Forward function user-assigned identity

              Forward Function User-Assigned Identity (ForwardFuncUserAssignedIdentity): ____________________

            Install Log Forwarder via ARM template

            Resources created with ARM template include Function App, App Service Plan and Application Insights service. Optionally, a new Event Hub namespace and Event Hub instance can be created.

            To install Log Forwarder via ARM template:

            1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

            2. Select Build your own template in editor.

            3. Select Load File and upload pty_forward_arm_v2.json. Click Save.

            4. Select Resource Group.

            5. Specify Name for the resources (All resources will be prefixed with Protegrity-Forward).

            6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

            7. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Forward Function Blob Url.

            8. For Forward Function Blob Url use the value from Upload Files.

            9. For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.

            10. For Function Sku Count Minimum number of workers to keep active.

            11. For WorkSpace Sku Azure Monitor log analytics pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

            12. For Log Retention In Days The workSpace data retention in days. Allowed values are per pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

            13. For Forward Logs to ESA select whether to collect audit logs from a new or an existing Event Hub. A new Event Hub namespace and new Event Hub instance will be created for ‘From new Event Hub’ option.

            14. For Audit Log Output select whether to send logs directly to Audit Store or td-agent on ESA

            15. For Event Hub Namespace enter Event Hub namespace name. Depending on previous option, a new namespace with this name will be created or an existing namespace with this name will be used.

            16. For New Event Hub Namespace Sku Name select Event Hub namespace SKU name. Applicable only when ‘From new Event Hub’ is selected.

            17. For New Event Hub Namespace Sku Tier select Event Hub namespace SKU Tier used for new Event Hub namespace. Applicable only when ‘From new Event Hub’ is selected.

            18. For New Event Hub Namespace Sku Capacity enter a value of Event Hub throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. Applicable only when ‘From new Event Hub’ is selected.

            19. For Event Hub Name enter Event Hub instance name. A new Event Hub instance with this name will be created or an existing Event Hub instance with this name will be used.

            20. For Event Hub Name DLQ enter Event Hub name for the dead-letter queue, where messages will be delivered to in case connection to ESA is lost. A new Event Hub instance with this name will be created or an existing Event Hub with this name will be used.

            21. For New Event Hub Partition Count enter number of partitions to create in a new Event Hub. Allowed values are from 1 to 32 partitions. Applicable only when ‘From new Event Hub’ is selected.

            22. For New Event Hub Audit Log Retention In Days enter number of days audit logs will be available in Event Hub. Applies to both primary Event Hub and dead-letter queue Event Hub. Applicable only when ‘From new Event Hub’ is selected.

            23. For Log Destination Esa Ip enter ESA IP address.

            24. For Esa Client Cert enter single-line ESA client certificate. See section Certificate Authentication for details.

            25. For Esa Client Cert Key Secret Name enter secret name which stores ESA client certificate single-line private key. See section Certificate Authentication for details.

            26. For Key Vault Uri enter URI of the Key Vault that stores ESA username/password secrets.

            27. For Esa Tls Disable Cert Verify Set to ‘0’ to enable ESA certificate validation. Set to ‘1’ to disable ESA certificate verification. Disable only for initial setup and development purposes, do not disable in production environments.

            28. If ESA is configured with self-signed certificate, set Pty Esa Ca Server Cert. Use the ESA CA Server Certificate escaped content recorded in Certificates on ESA.

              Note that for development and troubleshooting purposes, ESA certificate validation can be disabled by either redeploying this function with this ARM template where Esa Tls Disable Cert Verify option is set to ‘1’ or by directly setting PTY_ESA_DISABLE_TLS_CERT_VERIFY environment variable to ‘1’.

            29. For Esa Connect Timeout set time in seconds to wait for the ESA connection response. Minimum value: 1. Default: 5.

            30. For Esa Virtual Host provide ESA virtual hostname. This configuration is optional. It can be used when proxy server is present and supports TLS SNI extension.

            31. For Min Log Level select minimum log level. Accepted values: off, severe, warning, info, config, all

            32. Select Review + create then Create. Wait for all resources to deploy

            After deployment is complete:

            1. Go to Outputs and record:

              Forward Function Name (ForwardFuncName):__________________

            2. Record:

              Event Hub Name (EventHubName):__________________

              Event Hub Namespace (EventHubNamespace):__________________

            Function System-Assigned Managed Identity

            System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

            If you have not created a user-assigned managed identity at Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

            1. Navigate to the function

            2. Select Settings, Identity.

            3. Confirm Status of system-assigned identity is already On on System Assigned tab

            4. Click on Azure role assignments button.

            5. Assign following roles to this identity:

              • Storage Blob Data Owner
              • Monitoring Metrics Publisher
              • Azure Event Hubs Data Receiver

            6. From Azure console, navigate to Function App and select audit log forwarder function deployed in previous section.

            7. Select Overview and click Restart button. Wait until function restart completes.

            Update Function Key Vault Access Policies

            The Key vault must be updated to allow the Function App to decrypt the policy files. The Forwarder is using policy to confirm the authenticity of audit logs it receives from Event Hub and to digitally sign the aggregated logs that it sends to ESA. Update the Key vault access policies with function identity. To update the key vault access policies:

            1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
            2. Select Access policies.
            3. Click Create.
            4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
            5. Proceed Next to Principal.
            6. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Log Forwarder via ARM template
            7. Proceed Next to Application and Next again to Review + Create.
            8. Review permissions and Create.

            Test Log Forwarder Installation

            Follow the steps to validate Log Forwarder installation. Successful Log Forwarder installation will aggregate logs, connect to ESA and send audit log events.

            Testing in this section validates the connectivity between Log Forwarder and ESA. The sample policy included with the initial installation and test event below are not based on your ESA policy. Any logs forwarded to ESA which are not signed with a policy generated by your ESA will not be added to the audit store.

            Install Log Forwarder and configure according to previous sections. Log Forwarder configuration MinLogLevel must be at least info level.

            1. In the following command, replace ‘forwarder-function-name’ with your function name

            2. In the following command, replace ‘forwarder-function-key’ with your function key

            3. Run the command in PowerShell:

              
$forwarderFunctionName='forwarder-function-name'
$forwarderFunctionKey='forwarder-function-key'

Invoke-WebRequest -UseBasicParsing -Uri "https://$forwarderFunctionName.azurewebsites.net/admin/functions/auditlogforwarder" `
-Method POST `
-Headers @{
  "x-functions-key" = $forwarderFunctionKey
} `
-ContentType "application/json" `
-Body "{`"input`":`"{\`"additional_info\`":{\`"description\`":\`"Data unprotect operation was successful.\`",\`"request_id\`":\`"f0ffbbf8-ab5b-42b7-90f4-51db7443af77\`"},\`"cnt\`": 1,\`"correlationid\`": \`"clfwrqgme0021nj329mijk52w\`",\`"logtype\`": \`"Protection\`",\`"level\`": \`"SUCCESS\`",\`"origin\`": {  \`"hostname\`": \`"169.254.197.189\`",  \`"ip\`": \`"169.254.197.189\`", \`"time_utc\`": 1722941687},\`"protection\`": {\`"dataelement\`": \`"alpha\`", \`"operation\`": \`"Unprotect\`",\`"audit_code\`": 8,\`"policy_user\`": \`"test_user\`",\`"datastore\`": \`"SAMPLE_POLICY\`"},\`"process\`": {  \`"name\`": \`"N/A\`",  \`"id\`": \`"15\`",\`"thread_id\`": \`"2243954624\`",\`"user\`": \`"sbx_user1051\`", \`"platform\`": \`"Linux_x32\`"},\`"client\`": {\`"username\`":\`"sbx_user1051\`",\`"ip\`":\`"169.254.197.189\`"},\`"protector\`": {\`"family\`": \`"IAP Lambda\`",\`"version\`": \`"3.1.0\`",\`"vendor\`": \`"Cloud Protect\`",\`"pcc_version\`": \`"3.5.0.1\`", \`"core_version\`": \`"2.0.1\`"},\`"signature\`": { \`"key_id\`":\`"5f143892-bbe4-4794-b1f4-ed28ca2a077e\`", \`"checksum\`": \`"90BC9BF39354869BD4BC5381820D201797DF4AF53B5A7F5F3AE01EC607C41A6E\`"}}`"}"

            4. Run following query to see your function logs, allow for a few minutes for Azure to deliver the logs

              
traces
| project timestamp, message
| where timestamp > ago(5m)

            5. Test is successful if the logs contain the following entry:

              opensearch.0: All logs successfully send to destination

              If the log entry is not present, please consult the Troubleshooting section for common errors and solutions.

            Update Protect Service With Event Hub details

            In this section, Event Hub details will be provided to the Protect Service installation.

            1. Navigate to the Protect function environment variables.

            2. Set EVENTHUB_NAME to the output value recorded in Install Log Forwarder via ARM template.

            3. Set EventHub__fullyQualifiedNamespace to the output value recorded in Install Log Forwarder via ARM template.

            4. Apply and Confirm to apply the changes.

            Update Policy Agent With Log Forwarder Function Target

            Log Forwarder requires a Protegrity policy which is in sync with the Protector Service. This section will describe the steps to update the Policy Agent to include updating the Log Forwarder.

            1. Navigate to the Policy Agent function created in Install Agent via ARM template

            2. Select Settings > Environment variables > PROTEGRITY_PROTECT_FUNCTION

            3. Edit the value for environment variable PROTEGRITY_PROTECT_FUNCTION to include the Log Forwarder function’s name in the comma separated list of function names.

            4. Select Apply > Apply > Confirm to save the changes

            5. Test Policy Agent installation as described in Test Agent Function Installation

            Test Full Log Forwarder Installation

            1. Install and configure Protegrity Agent, Protect Service and Log Forwarder components.
            2. Set EVENT_LEVEL environment variable on Protect Service function to Informational.
            3. Set PTY_LOG_LEVEL environment variable on both Protect Service function and Log Forwarder function to config.

            Test Installation

            1. Make a protect operation using a data element or user which will result in audit log generation

            2. Navigate to the Logs for the Protect Service function

            3. Execute ’traces’ query

            4. Expect to see a log similar to the below:

              
Completed publishing events for Event Hub: audit-logs (Partition Id/Key: '0'), Operation Id: 'e17bacd6-91e6-4fb5-8281-2929788bef09'. Service Retry Count: 0; Duration: '0.02' seconds

            5. Navigate to the Logs for the Log Forwarder function

            6. Execute ’traces’ query

            7. Expect to see a log similar to the below:

              
opensearch.0: All logs successfully send to destination

            Troubleshooting

            Configure additional logging for functions:

            1. Set EVENT_LEVEL environment variable on Protect function to Informational.
            2. Set PTY_LOG_LEVEL environment variable on both Protect function and Log Forwarder function to config.

            Error

            Detail

            
Unhandled exception. System.Exception: Failed to initialize 
function type,expecting environment variable 
'AzureWebJobs.AuditLogForwarder.Disabled' 
to be set to either 'true' or 'false'
            1. An environment variable ‘AzureWebJobs.AuditLogForwarder.Disabled’ is expected. This environment variable is added automatically when functions are deployed with ARM templates.
            2. Verify this environment variable exists and is set to ’true’ for Protect Service functions and is set to ‘false’ for Log Forwarder functions.
            
[2024/08/08 10:00:00] [error] [tls] error: unexpected EOF

            Log Forwarder failed to verify ESA certificate

            1. If ESA is configured with self-signed certificate, verify that Log Forwarder ‘PTY_ESA_CA_SERVER_CERT’ is correctly set to ESA CA certificate string. Refer to Certificates on ESA for details.
            2. If ESA is configured with publicly signed certificate, ensure Log Forwarder ‘PTY_LOG_LEVEL’ is set to ‘all’ level, restart and re-test the Log Forwarder. Review the logs to see if your root CA is used. If not used, you may supply your public CA in Log forwarder configuration ‘PTY_ESA_CA_SERVER_CERT’.
            3. During initial non-production setup, SSL verification can be disabled by setting ‘PTY_ESA_DISABLE_TLS_CERT_VERIFY’ environment variable to ‘1’ or ’true’
            
Failed to aggregate audit logs, 1 audit logs dropped, error: 
The user, group or application 'appid=;oid=;iss=' does not have 
secrets get permission on key vault ';location='...
Status: 403 (Forbidden)
ErrorCode: Forbidden

            Log Forwarder has no permissions to use Key Vault

            1. Verify Log Forwarder has access to the Key Vault.
            2. Consult section Update Function Key Vault Access Policies
            
TCP connection timed out: 001.001.001.001:9200

            Log Forwarder failed to connect to ESA

            1. Ensure ESA is available on given IP address and 9200 port
            2. Consult section ESA Audit Store Configuration
            
fail: Protect.Aggregate[0] Failed to aggregate audit logs, 
1 audit logs dropped, error: Invalid URI: The format of the URI 
could not be determined. 
info: iap[0] Shared memory segment POLICY does not exist: The 
system cannot find the file specified.

            Invalid Key Vault Uri format

            1. Ensure that environment variable KEY_VAULT_URI has correctly formatted url.
            2. Example 1: https://<keyvaultname>.vault.azure.net/
            3. Example 2: https://<keyvaultname>.vault.usgovcloudapi.net/
            
[Error] Azure-Messaging-EventHubs: An exception occurred while 
publishing a batch of events for buffered producer instance with 
identifier 'x' to Event Hub: audit-logs, Partition Id: '0', 
Operation Id: 'x'. Error Message: 'Unauthorized access.

            Protect Service function failed to send messages to Event Hub

            1. Ensure Forwarder Function managed identity has ‘Azure Event Hubs Data Sender’ role assigned for the Event Hub resource.
            2. See Function User-Assigned Managed Identity and Function System-Assigned Managed Identity

            6 -

            Prerequisites

            RequirementDetail
            Protegrity distribution and installation scriptsThese artifacts are provided by Protegrity
            Protegrity ESA 10.0+The Cloud VNet must be able to obtain network access to the ESA
            Azure Account (Azure Global or US Government Subscription)Recommend creating a new resource group for Protegrity.

            7 -

            Required Skills and Abilities

            Role / Skillset

            Description

            Azure Account Administrator

            Ability to run Azure Resource Manager (or perform steps manually), create/configure Entra ID Application Registrations

            Protegrity Administrator

            The ESA credentials required to extract the policy for the Policy Agent

            Network Administrator

            Needed to open firewall to access ESA and evaluate Azure network setup

            8 -