Protect Service Installation

Product Installation Guide.

Preparation

Ensure that all the steps in Pre-Configuration are performed.
Login to the Azure account console where Protegrity will be installed.
Ensure the Azure Resource Manager templates provided by Protegrity are available on your local computer.

Register an Entra ID App

A Microsoft Entra ID App provides the mechanism for Client to authenticate with the Function App instance. Creating an Entra ID app requires appropriate permissions to the Azure Subscription and is typically performed by the Azure Account Administrator.

To register an Entra ID App:

In the Azure portal navigate to Microsoft Entra ID.
Click + Add and select App registration.
Enter a Name and select Accounts in any organizational directory.
Leave the Redirect URI empty and select Register.
After registration is complete record the application name and application id displayed in the overview window.
Entra ID Application Name (EntraIDApplicationName): ___________________
Entra ID Application ID (EntraIDApplicationID): ___________________

Protect Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

In the search box, enter Managed Identities. Under Services, select Managed Identities
Select Create
For Subscription provide recorded value of AzureSubscriptionID
For Resource Group provide recorded value of ApiResourceGroup
For Region provide recorded value of ApiRegion
For Name provide a name of the new identity
Assign following roles to this identity:
- Storage Blob Data Owner
- Monitoring Metrics Publisher
- Azure Event Hubs Data Sender: required only if function is sending logs to ESA
Record Protect function user-assigned identity
Protect Function User-Assigned Identity (ProtectFuncUserAssignedIdentity): ____________________

Install Protect Function via Azure Resource Manager

Resources created with the ARM template include API Management service, Function App, App Service Plan and Application Insights service.

Note

Refer to ARM Template Installation - Required Permissions for the list of IAM permissions required to deploy ARM template.

To install protect function via Azure Resource Manager:

From Azure Console, select Create a resource, search for template then select Template deployment (deploy using custom templates) > Create.
Select Build your own template in the editor.
Click Load File and upload pty_protect_arm_v2.json, then click Save.
Select a Resource group.
Enter a Name for the resources. All resources will be prefixed with Protegrity-Protect except for log container which will be prefixed with ptylogs. For more information on naming rules see: Azure resource name rules.
For Location input specify Azure region name or leave default to deploy in the same region as resource group.
For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Protect Function Blob Url.
For Protect Function Blob Url use the value from Upload Files.
For Function App Managed Identity Optionally use the value from Protect Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.
For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.
For Create Api Management Service select Do not create. API Management Service is required only for integration with Snowflake. This service is not required otherwise.
For Api Management Service Sku Applicable only when API Management Service is created. Skip this if API Management Service is not created. Either Consumption (if available) or Premium are recommended. Note that this will affect the running cost.
For Username Regex you can optionally specify regex to extract policy username from the request. See Configuring Regular Expression to Extract Policy Username for more details.
For Entra ID Application ID enter the value recorded in Register an Entra ID App.
For Forward Logs To ESA select whether audit logs are to be sent to ESA or not. If you are not planning on sending audit logs to ESA you can skip Event Hub Nameand Event Hub Namespace properties below. For details on creating and configuring Event Hubs see Audit Log Forwarder Installation
For Event Hub Name provide the name of Event Hub which will be used to send audit logs to ESA.
For Event Hub Namespace provide the name of Event Hub Namespace which is hosting Event Hub selected in previous step.
Under Review + create, click Create. Wait for all resources to deploy. If the deployment fails for any resources of type Microsoft.Web/sites/host/functionKeys then click Redeploy and try deploying again.
After deployment is complete, go to Outputs and record protectFunctionName, azureTenantId and apiGatewayUrl.
Protect Function Name (ProtectFuncName): __________________
Azure Tenant ID (AzureTenantID): __________________
API Gateway URL (ApiGatewayURL): __________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Protect Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

Navigate to the function
Select Settings, Identity.
Confirm Status of system-assigned identity is already On on System Assigned tab
Click on Azure role assignments button.
Assign following roles to this identity:
- Storage Blob Data Owner
- Monitoring Metrics Publisher
- Azure Event Hubs Data Sender: required only if function is sending logs to ESA
From Azure console, navigate to Function App and select protect function deployed in previous section.
Select Overview and click Restart button. Wait until function restart completes.

Update Key Vault Access Policies

The Key vault must be updated to allow the Function App to decrypt the policy files. Azure assigns a unique identifier to each Function App instance that can be used to grant permissions to that instance. Update the Key vault access policies with the Protect function. To update the key vault access policies:

Obtain Function App identifier

Navigate to the Function App service in the Azure portal.
Select the newly created Protect Function App instance.
Select the Identity option under Settings.
Ensure that setting System assigned is set to Status On.
Record the Object ID:
Protect Function Object ID: ___________________

Update the Key vault access policies with the Protect function’s Object ID

From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
Select Access policies.
Click Create.
Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
Proceed Next to Principal.
Enter the Protect Function Object ID recorded in this section into the search field.
Select the Function App instance.
Proceed Next to Application and Next again to Review + Create.
Review permissions and Create.

Upload the Sample Policy

The Protegrity installation bundle contains a sample policy which can be used to test the protect service installation without an ESA. Upload the sample policy artifact to the policy Blob storage container:

Go to Azure console and select Storage Account Name (StorageAccountName) recorded in step Create Storage Account.
Under Data storage select Blob Containers and select container created in Protect Function Policy Blob Container
Click Upload and select protegrity-sample-policy-<version>.zip file from your local computer.
Click Upload and wait for the file to complete uploading.
Record the sample policy blob url:
Sample Policy Blob Url (SamplePolicyBlobUrl): ___________________

Test the Protect Function Installation

Before continuing with next steps, you may verify the protect service is installed correctly. This step is optional and can be skipped.

From Azure console, navigate to Function App and select protect function app.
Select Overview and record URL value as <Protect Function URL>.
Navigate to Settings > Environment variables and click OPENID_ENABLED.
Change value to false and click Apply.
Select or create variable AZURE_POLICY_BLOB_URL.
Set value of AZURE_POLICY_BLOB_URL to value recorded for SamplePolicyBlobUrl and click Apply.
Select Apply and Confirm to finalize setting changes.
Go to Functions > App keys and record the value of default key under Host Keys (All functions) as <Protect Function app key>.

Run the following CURL command to test Function deployment.

curl -X POST "<Protect Function URL>/api/v1/unprotect" -k \
-H 'x-functions-key: <Protect Function app key>' \
-H 'Content-Type: application/json' \
-d '{
  "data": ["UtfVk UHgcD!"],
  "user": "MARIA",
  "data_element": "alpha"
}'

Note

When you copy-paste the curl command, make sure each header is in a separate line.

Replace <Protect Function URL> and <Protect Function app key> with the values recorded in step 2 And 5.

Run curl command. Verify the following output.

{"data":["hello world!"], "success": true, "encoding": "utf8"}

Go back to Function app. Select Settings > Environment variables and click OPENID_ENABLED,
Change value to true and click Apply. Select Apply and Confirm to finalize.

Troubleshooting

To review live requests, navigate to Application Insights service and select item with the same name as the protect function. Under Investigate, select Live Metrics. Wait for the dashboard to load, then go to Sample Telemetry pane on the right and look for the requests in question.

To review the full history of requests from Application Insights under Monitoring select Logs:

Select the Tables tab.
Hover over one of the table names under Application Insights header, for example exceptions.
Click on See preview data.
Click Use in editor.

You can also run the query directly in the query editor. For instance to select the 10 latest exceptions run the following query.

exceptions 
| where timestamp > ago(24h)
| order by timestamp
| limit 10

Protect Function App Configuration

Protect Function app can be customized using environment variables. From Azure console, navigate to Function App service and select protect function app. Navigate to Settings > Environment variables. Add or Edit environment variables based on the following information.

Parameter	Description	Notes
OPENID_ENABLED	When set to true, every request is required to have an Authorization header with the bearer token set to a valid OAuth access token.	The following configuration attributes will also be required: OPENID_AUDIENCES, OPENID_ISSUERS, OPENID_METADATA_URL.
OPENID_AUDIENCES	The JWT token must have the “aud” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.	applicable when OPENID_ENABLED= “true”.
OPENID_ISSUERS	The JWT token must have the “iss” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.	applicable when OPENID_ENABLED= “true”.
OPENID_METADATA_URL	A URL that points to an OpenID Connect identity provider configuration document, which is also known as OpenID well-known configuration endpoint.	applicable when OPENID_ENABLED= “true”.
authorization	When equals “jwt”, Authorization Header JWT will be required in the Rest API Protect payload.
Supported Values: [“jwt”, “”]	When equals to “jwt”, any request without Valid JWT in the Authorization header, will result in an error from API Gateway: 502 Bad Gateway.
allow_assume_user	If set to 0, The user from the payload will not be used, and the policy user is the JWT user.
Supported Values: [0, 1]	applicable when authorization = “jwt”.
Default Value: 0
jwt_user_claim	The JWT payload claim with username. Common claims: name, preferred_username, cognito:username	Applicable when authorization = “jwt”
Default Value: cognito:username
service_user	If service_user is set the protect request will use it for the policy user.	service_user should be used when the Cloud API should always run as one service_user no matter what user is in the request. service_user will always take priority over any other user in the payload or in the JWT header.
AZURE_POLICY_BLOB_URL	This points to Protegrity security policy blob. It is updated by the Agent to point to latest security policy.
USERNAME_REGEX	If USERNAME_REGEX is set, the effective policy user will be extracted from the user in the request.	Note See Configuring Regular Expression to Extract Policy Username to learn how to extract username from the request
EVENTHUB_NAME	Event Hub name where audit logs are to be sent to. Logs are not forwarded to ESA when this parameter is empty.	Note Set up and configuration of a new Event Hub is covered in section Audit Log Forwarder Installation
EventHub__fullyQualifiedNamespace	Event Hub fully qualified namespace. Logs are not forwarded to ESA when this parameter is empty.	Note Set up and configuration of a new Event Hub is covered in section Audit Log Forwarder Installation
PTY_CORE_FLUSHINTERVAL	Time interval in seconds used to accumulate audit logs before sending to Event Hub. Default value: 10.	Audit logs are always aggregated into one minute buckets. A value greater than 60 will influence only audit log batching while sending logs to Event Hub. A value less than 60 will influence both aggregation and audit log batching.
PTY_LOG_LEVEL	Function min log level. Default: Severe	One of case-insensitive strings: off, severe, warning, info, config, all.
PTY_WRITE_LOG_ON_SINGLE_LINE	Whether to write log level and message on one line or separate lines. Default: true	Starting from version 3.1.0, log level and message are printed on single line. Use this environment variable to switch to multi-line logging for backward compatibility with pre-3.1.0 release.
EVENT_LEVEL	Level of logs produced by Azure services. Default: Error	One of case-insensitive strings: LogAlways, Critical, Error, Warning, Informational, Verbose. Set to at least ‘Informational’ during initial configuration, set to at most ‘Error’ in production environments.

Note

The following environment variables are listed for completeness, however they are maintained by Protegrity ARM templates and users are not expected to manually update them.

Parameter	Notes
AZURE_CLIENT_ID	Sets the Managed Identity Client ID for Function App runtime. System-Assigned Identity is used when variable is not set.
APPLICATIONINSIGHTS_AUTHENTICATION_STRING	Define identity for Application Insights access. Managed Identity Client ID is provided to this setting with Function App Managed Identity ARM template parameter. See the corresponding Azure AD Authentication documentation: Azure AD authentication
APPLICATIONINSIGHTS_CONNECTION_STRING	Connection String for Application Insights instance. See the corresponding Azure Connection String documentation: Connection strings
FUNCTIONS_EXTENSION_VERSION	Azure Functions extension version
FUNCTIONS_WORKER_RUNTIME	Runtime of the function
WEBSITE_RUN_FROM_PACKAGE	URL to the zip file in blob storage with function runtime source
WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID	Managed Identity used to load function runtime source
AzureWebJobsStorage__blobServiceUri	URL of the storage account which hosts the blob identified in WEBSITE_RUN_FROM_PACKAGE
AZURE_TENANT_ID	Tenant identifier in Azure Active Directory
AzureWebJobs.AuditLogForwarder.Disabled	Defines whether audit log forwarder function is disabled or not
AzureWebJobs.Protect.Disabled	Defines whether Protect function is disabled or not
AzureWebJobs.v1-openapi.Disabled	Defines whether v1-openapi function is disabled or not
AzureWebJobs.v1-protect.Disabled	Defines whether v1-protect function is disabled or not
AzureWebJobs.v1-unprotect.Disabled	Defines whether v1-unprotect function is disabled or not

Feedback

Was this page helpful?

Last modified : January 12, 2026