This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Policy Agent Installation

Install the policy agent.

Policy Agent Function installation is done via Azure Resource Manager template provided by Protegrity. Before running the template, some resources must be created manually.

ESA Server

Policy Agent function requires ESA server running and accessible from Agent Function App on TCP port 8443. Make sure inbound connections on TCP:8443 are allowed for the network where ESA is hosted. You can find the list of Agent Function Outbound IP addresses after you deploy the function in Agent Function Outbound IP address

Note down ESA IP to be accessed form Agent Function:

ESA IP Address (EsaIpAddress): ___________________

Certificates on ESA

By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in policy agent Cloud Function Environment variables configuration.

In case ESA is configured with publicly signed certificates, this section can be skipped since the agent function will use public CA to validate ESA certificates.

To obtain self-signed CA certificate from ESA:

Log in to ESA Web UI.
Select Settings > Network > Manage Certificates.
Hover over Server Certificate and click on download icon to download the CA certificate.
After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.
To escape new lines from command line, use one of the following commands depending on your operating system:
Linux Bash:
```
awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt
```
Windows PowerShell:
```
(Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'
```
Record the certificate content with new lines escaped.
ESA CA Server Certificate (EsaCaCert): ___________________
This value will be used to set PTY_ESA_CA_SERVER_CERT variable in the Policy Agent Function Configuration section Configure Function

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

Create Policy Encryption Key

Create a policy encryption key.

To create policy encryption key:

From Azure console, navigate to Key Vaults and select Key Vault created in Key Vault.
Under Objects, select Keys.
Click Generate/Import.
Specify the following:
a. Key name for the Name field.
b. RSA for Key type.
c. 2048 for RSA key size.
d. Set Enabled toggle to Yes.
Select Create.
Click on the key name after creation is complete, then click on the key identifier row under CURRENT VERSION.
Copy the full URL value of Key Identifier. Record it for later use:
Policy Encryption Key ID (PolicyEncryptionKey): _________________

Agent Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

In the search box, enter Managed Identities. Under Services, select Managed Identities
Select Create
For Subscription provide recorded value of AzureSubscriptionID
For Resource Group provide recorded value of ApiResourceGroup
For Region provide recorded value of ApiRegion
For Name provide a name of the new identity
Assign following roles to this identity:
- Storage Blob Data Owner with scope Storage account
- Monitoring Metrics Publisher with scope Resource Group
- Website Contributor with scope Resource Group
Record Agent function user-assigned identity
Agent Function User-Assigned Identity (AgentFuncUserAssignedIdentity): ____________________

Install Agent via ARM template

Resources created with ARM template include Function App, Premium V3 App Service Plan (optional) and Application Insights service. Run Azure Resource Manager deployment.

Note

Refer to ARM Template Installation - Required Permissions for the list of IAM permissions required to deploy ARM template.

To install Agent via ARM template:

From Azure Console, select Create a resource, search for template and then select Template deployment > Create.
Select Build your own template in editor.
Select Load File and upload pty_agent_arm_v2.json. Click Save.
Select Resource Group.
Specify Name for the resources (All resources will be prefixed with Protegrity-Agent).
For Location input specify Azure region name or leave default to deploy in the same region as resource group
For Agent Function Blob Url use the value from Upload Files
For Function App Managed Identity Optionally use the value from Agent Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.
If you set Use Existing App Service Plan to True, you must specify existing Linux App Service Plan name in the next parameter.
For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Agent Function Blob Url.
Select Review + create then Create. Wait for all resources to deploy
After deployment is complete, go to Outputs and record agentFunctionName:
Agent Function Name: __________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Agent Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

Navigate to the function
Select Settings, Identity.
Confirm Status of system-assigned identity is already On on System Assigned tab
Click on Azure role assignments button.
Assign following roles to this identity:
- Storage Blob Data Owner with scope Storage account
- Monitoring Metrics Publisher with scope Resource Group
- Website Contributor with scope Resource Group

Creating ESA Credentials

Policy Agent Function requires ESA credentials to be provided as one of the two options:

Note

The username and password of the ESA user requires role with DPS Admin and Export Certificates permissions. Security Administrator is one of the predefined roles which contains the above permissions, however for separation of duties it is recommended to create custom role.

ESA Credentials In Azure Key Vault

Policy Agent Function uses Key Vault as secure store for sensitive information like ESA username and password.

Create ESA credentials secrets:

Navigate to Key Vault.
Under Objects, select Secrets > Generate/import.
Select Manual, then type in valid json as shown in the example for Secret value.
```
{"username": "<policy_export_user>", "password": "<password>"}
```
Select Create.
Navigate to the secret details in Key Vault by selecting the newly created secret.
Inspect the current secret version properties by selecting the current version.
Copy the Secret Identifier value. For example https://<myvault>.vault.azure.net/secrets/<mysecret>/abcdefgxyz8edef595adaehij0d99123.
Record the Secret Identifier for later use.

ESA Credentials From Custom Azure Function App

Policy Agent Function requests ESA username and password from a custom Azure Function App, further referred to as ESA Credentials function. This method may be used to get the username and password from external vaults.

There are four options for configuring Policy Agent authorization with ESA Credentials function: Option 1, Option 2, Option 3 and Option 4. Only one option is expected to be configured at a time.

Create ESA credentials function:

Create Azure HTTP triggered ESA Credentials function using any supported runtime.
a. There is no input needed.
b. The function must accept an HTTP POST request.
c. The function must return the following response schema
```
```
response: 
type: json object
  properties: 
    username: string 
    password: string  
```

For example,

```
{"username": "admin", "password": "Password1234"} 
```
```
Configure Policy Agent to use ESA Credentials function app.
a. Navigate to HTTP triggered function to open ‘Code + Test’ page.
b. Under ‘Code + Test’ tab on ‘Code + Test’ page select ‘Resource JSON’.
c. In ‘Resource JSON’ blade record the value of ‘invoke_url_template’ property.
```
**'invoke_url_template'** property is located towards the bottom of resource json.

URL must be in the form of 'https://[function-app-name].azurewebsites.[net|us]/api/[http-trigger-name]'.

**ESA Credentials function URL (EsaCredentialsFnUrl):__________**
```
d. Navigate to Policy Agent function app.
e. Expand Settings menu item.
f. Select Environment Variables menu item.
g. Click Add button.
h. For Name use PTY_ESA_CREDENTIALS_FUNCTION.
i. For Value use ESA Credentials function URL (EsaCredentialsFnUrl) recorded in previous steps.
j. Hit Apply in Add/Edit application setting blade.
k. Hit Apply in App Settings tab.
Configure Authorization Option 1: Function Key Option 2: Key Vault Option 3: System-assigned Identity Option 4: User-assigned Identity

Authorization Option 1: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from environment variables.

Warning

Function keys provide a good way for unwanted access mitigation during development and prototyping, however a better approach is to make authorization decisions based on identity. Review Option 3 and Option 4 below.

Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.
Review Azure documentation on how to accomplish this.
Navigate to ESA Credentials function app.
Expand Functions menu item.
Select App Keys.
Record default key value.
ESA Credentials function key (EsaCredentialsFnKey):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY.
For Value use ESA Credentials function key (EsaCredentialsFnKey) recorded in previous steps.
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.

Authorization Option 2: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from Azure Key Vault.

Warning

Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.
Review Azure documentation on how to accomplish this.
Navigate to ESA Credentials function app.
Expand Functions menu item.
Select App Keys.
Record default key value.
ESA Credentials function key (EsaCredentialsFnKey):_______________
Navigate to Key Vault.
Under Objects, select Secrets > Generate/import.
Select Manual, type in secret name and use ESA Credentials function key value recorded in previous steps (EsaCredentialsFnKey) for Secret value.
Select Create.
Record Key Vault secret name.
ESA Credentials function key secret name (EsaCredentialsFnKeySecretName):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET.
For Value use ESA Credentials function key secret name (EsaCredentialsFnKeySecretName) recorded in previous steps.
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.

Authorization Option 3: Configure ESA Credentials authentication provider to authorize Policy Agent system-assigned identity.

Navigate to Policy Agent function app
Expand Settings menu item
Select Identity
Select System assigned tab
Status should already be On
Other Status indicates Policy Agent was installed without system-assigned identity. Before proceeding any further you need to either install Policy Agent with system-assigned identity or follow Option 4 which describes configuration steps for Policy Agent installed with user-assigned managed identity.
Copy Object (principal) ID
Navigate to ESA Credentials function app
Expand Settings menu item
Select Authentication
Select Add identity provider
Review related Microsoft documentation
Select Microsoft in identity provider dropdown
For App registration type provide details of your choice
For Issuer URL accept the default value
For Client application requirement select Allow requests from any application
Access will be limited to only the Policy Agent identity in the next step
For Identity requirement select Allow requests from specific identities
For Allowed identities add Object (principal) ID copied in previous step
For Restrict access select Require authentication
For Unauthenticated requests select HTTP 401 Unauthorized: recommended for APIs
Check Token store
Select Add
Click OK to apply constraint
Click Save
Navigate to Application of Microsoft identity provider
A link to identity providers application is available under Authentication menu item of ESA Credentials function
Expand Manage menu item
Select Expose an API
Copy Application ID URI or select Add if it does not exist and Save to accept the default value
Record Application ID URI of identity provider
ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.
For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default
Review Microsoft identity platform default scope
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.

Authorization Option 4: Configure ESA Credentials authentication provider to authorize Policy Agent user-assigned identity.

Navigate to Policy Agent function app
Expand Settings menu item
Select Identity
Select User assigned tab
User-assigned identity should already be provided. Missing user-assigned identity indicates Policy Agent was installed without user-assigned identity. Before proceeding any further you need to either install Policy Agent with user-assigned identity or follow Option 3 which describes configuration steps for Policy Agent installed with system-assigned managed identity.
Copy Client ID
Copy Object (principal) ID
Navigate to ESA Credentials function app
Expand Settings menu item
Select Authentication
Select Add identity provider
Review related Microsoft documentation
Select Microsoft in identity provider dropdown
For App registration type provide details of your choice
For Issuer URL accept the default value
For Client application requirement select Allow requests from specific client applications
For Allowed client applications add Client ID copied in previous step
Click OK to apply constraint
For Identity requirement select Allow requests from specific identities
For Allowed identities add Object (principal) ID copied in previous step
Click OK to apply constraint
Click Save
Navigate to Application of Microsoft identity provider
A link to identity providers application is available under Authentication menu item of ESA Credentials function
Expand Manage menu item
Select Expose an API
Copy Application ID URI or select Add if it does not exist and Save to accept the default value
Record Application ID URI of identity provider
ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________
Navigate to Policy Agent function app.
Expand Settings menu item.
Select Environment Variables menu item.
Click Add button.
For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.
For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default
Review Microsoft identity platform default scope
Hit Apply in Add/Edit application setting blade.
Hit Apply in App Settings tab.

Agent Function Key Vault Access Policies

Agent Function requires access to Key Vault created in Key Vault to encrypt policy and to access configuration secrets.

From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
Select Access policies.
Click Create.
Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Wrap Key under Cryptographic Operations. c. Get under Secret Permissions.
For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Agent Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Agent via ARM template
Proceed Next to Application and Next again to Review + Create.
Review permissions and Create.

Agent Function Outbound IP address

Agent Function App IP addresses may be useful for configuring ESA policy store and allowing traffic between Agent and ESA.

Note

Add IP addresses in the ESA network inbound port rules.
Add the list of IPs to Policy data store in ESA

To obtain the list of Outbound IP addresses:

From Azure console navigate to Function App, select the Agent Function App.
Select Settings > Networking.
Under Outbound traffic configuration, select Show More next to Outbound addresses

Configure Function

Agent Function must be configured with parameters recorded in steps above.

To configure Function:

Open Function App service from the Azure console. Select the Function App created for policy agent in previous steps.
Navigate to Settings > Environment variables .
On the App Settings pane, click on Show values to reveal all configuration values
To modify multiple parameters, click the pencil icon Advanced edit at the top. Alternatively you may click on the environment variable name to edit single values.
Modify parameters according to the table below. If configuration has a default value you don’t have to change it

Parameter	Notes
AZURE_KEY_VAULT_NAME	Key Vault
AZURE_POLICY_BLOB_URL	URL of the Azure Blob file which is used to store Protegrity security policies for protector consumption. See ProtectFuncPolicyBlobUrl in Protect Function Policy Blob
AZURE_RETAIN_POLICY_BLOB	The amount of policy backups to retain. Default: 10. Allowed values: -1, >1. Value of -1 will disable cleanup of backup policies.
PROTEGRITY_PROTECT_FUNCTION	Protegrity function to be updated when new policy is deployed. Provide a comma separated list of protect function app names for updating multiple protectors: `Protegrity-Protect-func1,Protegrity-Protect-func2`
PTY_ESA_IP	ESA Server
AZURE_ESA_CREDENTIALS_SECRET_ID	ESA Credentials In Azure Key Vault
AZURE_ENCRYPTION_KEY_ID	Create Policy Encryption Key
PEP_CONFIG_CASE_SENSITIVE	Default: No Allowed values: yes/no Specifies whether policy usernames should be case sensitive
PTY_ADDIPADDRESSHEADER	When enabled, agent will send its source IP address in the request header. This configuration works in conjunction with ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP (default=false). See Associating ESA Data Store With Cloud Protect Agent for more information. Default: yes Allowed values: yes no
PEP_CONFIG_EMPTY_STRING	Default: empty Allowed values: null empty Determines outcome of empty value operation. For example, (un)protect(’’) -> null (un)protect(’’) ->
DISABLE_DEPLOY	Default: 0
POLICY_PULL_TIMEOUT	Default: 20s
ESA_CONNECTION_TIMEOUT	Default: 5s
LOG_LEVEL	Default: INFO. Allowed values: DEBUG, INFO, WARNING, ERROR
AZURE_SUBSCRIPTION_ID	Default: Same as ARM Resource group
AZURE_RESOURCE_GROUP_NAME	Default: Same as ARM Resource group
POLICY_DOWNLOAD_CRON_EXPRESSION	Describes how often Agent Function will run Default: 0 0 * * * * (Every hour)
PTY_ESA_CA_SERVER_CERT	ESA self-signed CA certificate used by policy Agent function to ensure ESA is the trusted server. Recorded in step Certificates on ESA In case ESA is configured with publicly signed certificates, the PTY_ESA_CA_SERVER_CERT configuration will be ignored.
PTY_ESA_CREDENTIALS_FUNCTION	Instead of supplying AZURE_ESA_CREDENTIALS_SECRET_ID environment variable, ESA credentials can be provided by a custom Azure Function App. Provide a value recorded for EsaCredentialsFnUrl
PTY_ESA_CREDENTIALS_FUNCTION_KEY	When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using function app key. Provide a value recorded for EsaCredentialsFnKey
PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET	When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using function app key stored in Azure Key Vault. Provide a value recorded for EsaCredentialsFnKeySecretName
PTY_ESA_CREDENTIALS_FUNCTION_SCOPE	When ESA credentials are provided by a custom Azure Function App, Policy Agent can request credentials using its own identity. Provide a value here recorded for EsaCredentialsFnAppIdUri appended with /.default to create authentication scope. Review Microsoft identity platform default scope
PTY_SYNC_DATASTORE	Note This configuration is not applicable for ESA versions lower than 10.2. Name of the target datastore
PTY_DATASTORE_KEY	Note This configuration is not applicable for ESA versions lower than 10.2. The export key is the public part of an asymmetric key pair created in a Create Policy Encryption Key. A user with Security Officer permissions adds the public key to the data store in ESA via Policy Management > Data Stores > Export Keys. The fingerprint can then be copied using the Copy Fingerprint icon next to the key. Refer to Exporting Keys to Datastore for details. Note For PPC deployments, see PPC Appendix: Policy Agent Certificate and Key Guidance for details on obtaining and using the datastore key fingerprint.

Click Apply at the bottom of the screen and then Confirm to save the changes.

Note

The following environment variables are listed for completeness, however they are maintained by Protegrity ARM templates and users are not expected to manually update them.

Parameter	Notes
AZURE_CLIENT_ID	Sets the Managed Identity Client ID for Function App runtime. System-Assigned Identity is used when variable is not set.
APPLICATIONINSIGHTS_AUTHENTICATION_STRING	Define identity for Application Insights access. Managed Identity Client ID is provided to this setting with Function App Managed Identity ARM template parameter. See the corresponding Azure AD Authentication documentation: Azure AD authentication
APPLICATIONINSIGHTS_CONNECTION_STRING	Connection String for Application Insights instance. See the corresponding Azure Connection String documentation: Connection strings
FUNCTIONS_EXTENSION_VERSION	Azure Functions extension version
FUNCTIONS_WORKER_RUNTIME	Runtime of the function
WEBSITE_RUN_FROM_PACKAGE	URL to the zip file in blob storage with function runtime source
WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID	Managed Identity used to load function runtime source
AzureWebJobsStorage__blobServiceUri	URL of the storage account which hosts the blob identified in WEBSITE_RUN_FROM_PACKAGE

Test Agent Function Installation

After configuration is complete you can test the function.

To test Agent function installation:

Navigate to Overview.
Select the function agent from the Functions tab.
Click Code + Test > Test/Run and then Run to execute the function.
You should see a 202 Accepted response.
Expand Logs output at the bottom of the page. Click Maximize to enlarge log output.
Note
It may take 1-2 minutes for the logs to begin populating in the console. Logging in the console is best effort and it is possible for the logs to be cut off. Navigate to Application Insights for full logs.

Below is an example log output from successful agent run.


INFO:AZURE_SUBSCRIPTION_ID: [xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
INFO:AZURE_KEY_VAULT_NAME: [vault-name]
INFO:AZURE_ENCRYPTION_KEY_ID: [https://vault-name.vault.azure.net/keys/key-name/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
INFO:AZURE_RESOURCE_GROUP_NAME: [resource-group-name]
INFO:AZURE_POLICY_BLOB_URL: [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip]
INFO:AZURE_RETAIN_POLICY_BLOB: [3]
INFO:PROTEGRITY_PROTECT_FUNCTION: [Protegrity-Protect-xxxx]
INFO:DISABLE_DEPLOY: [0]
INFO:PTY_ESA_IP: [xxx.xxx.xxx.xxx]
INFO:PTY_SYNC_DATASTORE: []
INFO:POLICY_PULL_TIMEOUT: [40]
INFO:LOG_LEVEL: [info]
INFO:PTY_CORE_EMPTYSTRING: [empty]
INFO:PTY_CORE_CASESENSITIVE: [no]
INFO:PTY_ADDIPADDRESSHEADER: [yes]
INFO:Starting policy agent [4.0.3] ...
INFO:ESA_CONNECTION_TIMEOUT: [60]
INFO:Using ESA CA certificate from PTY_ESA_CA_SERVER_CERT environment variable.
INFO:ResilientPackageClient initialized.
INFO:Retrieving ESA rps version
INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[]
INFO:RPS Version: 1.9.2, Build: 1.9.2+1.g4bfba.1.9
INFO:Checking ESA rps export availability
INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[QA_DATA_STORE]
INFO:Export available, Last-Modified: [Thu, 01 Jan 2026 00:00:00 GMT]
INFO:Getting current policy metadata [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip] ...
INFO:Last modified: [Thu, 01 Jan 2026 00:00:00 GMT], Last deployed: [Thu, 01 Jan 2026 00:00:00 GMT]
WARNING:Current policy deployment has no checksum_mapping metadata:
INFO:No changes in the policy since last download. Skipping policy deployment.
INFO:Checking container for the last deployed policy [https://resource-group-name.blob.core.windows.net/policy]...
INFO:[Protegrity-Protect-xxxx] current policy blob url: [https://resource-group-name.blob.core.windows.net/policy/2026-02-01_18-00-00/protegrity-policy-name.zip]
INFO:Policy blob in sync for function [Protegrity-Protect-xxxx]
INFO:[0] blobs are outside of the retention period [3]

If the log output in this window pauses or is difficult to read, you may navigate back to the Agent Function App overview and select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to view logs.

Troubleshooting

To review the most recent invocation traces, navigate to the function app instance. Select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to retrieve the full history of executions with detailed traces.