Prerequisites

Requirements before installing the protector.

Azure Services

The following table describes the Azure services that may be part of your Protegrity installation.

All permissions in the table must be granted with the Resource group scope.

Service	Description
Microsoft Entra ID Application	Allows authentication with Azure Function app
Azure Managed Identity	Allows functions assume user-defined managed identity
Function App	Provides serverless compute for Protegrity protection operations and ESA integration to fetch policy updates or deliver audit logs.
API Management Service	Provides the end-point and access control
Azure Key Vault	Provides cryptographic keys for envelope encryption/decryption of the policy. Stores secrets required during deployment, e.g., ESA credentials
Blob storage	Intermediate storage location for the encrypted ESA policy package
Application Insights	Application and audit logs, performance monitoring, and alerts
Azure Event Hubs	Required if audit logs are to be sent to ESA. Set up and configuration of a new Event Hub is covered in section Audit Log Forwarder Installation.

ESA Version Requirements

The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

The table below shows compatibility between different Protector and ESA versions.

Note

For the latest up-to-date information refer to: Protegrity Compatibility Matrix

Protector Version	ESA Version
Protector Version	8.x	9.0	9.1 & 9.2	10.0
2.x	No	Yes	*	No
3.0.x & 3.1.x	No	No	Yes	No
3.2.x	No	No	Yes	*
4.0.x	No	No	No	Yes

Legend
Yes	Protector was designed to work with this ESA version
No	Protector will not work with this ESA version
*	Backward compatible policy download supported: Data elements and features which are common between this and previous ESA versions will be downloaded Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

Legend

Yes

Protector was designed to work with this ESA version

Protector will not work with this ESA version

Backward compatible policy download supported:

Data elements and features which are common between this and previous ESA versions will be downloaded
Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

Prerequisites

Requirement	Detail
Protegrity distribution and installation scripts	These artifacts are provided by Protegrity
Protegrity ESA 10.0+	The Cloud VNet must be able to obtain network access to the ESA
Azure Account (Azure Global or US Government Subscription)	Recommend creating a new resource group for Protegrity.

Required Skills and Abilities

Role / Skillset	Description
Azure Account Administrator	Ability to run Azure Resource Manager (or perform steps manually), create/configure Entra ID Application Registrations
Protegrity Administrator	The ESA credentials required to extract the policy for the Policy Agent
Snowflake Administrator	Account Admin access required to setup Snowflake integration
Network Administrator	Needed to open firewall to access ESA and evaluate Azure network setup

Tip

During the installation you will need to record output of certain steps that will be used in downstream installation procedures. We recommend copying the following cheat sheet into a notepad and fill in the information as you progress with the installation.

Azure Subscription ID (AzureSubscriptionID): ____________________

Azure Resource Group ID (ApiResourceGroup): ___________________

Azure Region (ApiRegion): ___________________

Key Vault Name (PolicyKeyValue): ___________________

Storage Account Name (StorageAccountName): ___________________

Storage Account Blob Service Url (StorageAccountBlobServiceUrl): ___________________

Protect Function Blob URL (ProtectFuncURL): ___________________

Forward Function Blob URL (ForwardFuncURL): ___________________

Agent Function Blob URL (AgentFuncURL): ___________________

Protect Function Policy Blob URL (ProtectFuncPolicyBlobUrl): ____________________

Agent Policy Blob Container Name (AgentPolicyBlobContainer): ___________________

Entra ID Application Name (EntraIDApplicationName): ___________________

Entra ID Application ID (EntraIDApplicationID): ___________________

Protect Function User-Assigned Identity (ProtectFuncUserAssignedIdentity): ___________________

Protect Function Name (ProtectFuncName): __________________

Protect Function System-Assigned Identity (ProtectFuncSystemAssignedIdentity): __________________

Protect Function App Key (FuncAppKey): ___________________

Sample Policy Blob Url (SamplePolicyBlobUrl): ___________________

ESA Credentials function URL (EsaCredentialsFnUrl): ___________________

ESA Credentials function key (EsaCredentialsFnKey): ___________________

ESA Credentials function key secret name (EsaCredentialsFnKeySecretName): ___________________

ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri): ___________________

Forward Function User-Assigned Identity (ForwardFuncUserAssignedIdentity): ___________________

Forward Function Name (ForwardFuncName): __________________

Azure Tenant ID (AzureTenantID): ____________________

ESA IP Address (EsaIpAddress): ___________________

ESA CA Server Certificate (EsaCaCert): ___________________

ESA Username Secret Name (UserSecretName): ___________________

ESA Password Secret Name (PasswordSecretName): ___________________

ESA Client Certificate (EsaClientCert): ___________________

ESA Client Certificate Key Secret Name (EsaClientCertKeySecretName): ___________________

Policy Encryption Key ID (PolicyEncryptionKey): _________________

Agent Function User-Assigned Identity (AgentFuncUserAssignedIdentity): __________________

Agent Function Name (AgentFuncName): __________________

Event Hub Name (EventHubName): __________________

Event Hub Namespace (EventHubNamespace): __________________

Feedback

Was this page helpful?

Last modified : January 18, 2026