Policy Agent Installation

Policy Agent Function installation is done via Azure Resource Manager template provided by Protegrity. Before running the template, some resources must be created manually.

ESA Server

Policy Agent function requires ESA server running and accessible from Agent Function App on TCP port 8443. Make sure inbound connections on TCP:8443 are allowed for the network where ESA is hosted. You can find the list of Agent Function Outbound IP addresses after you deploy the function in Agent Function Outbound IP address

Note down ESA IP to be accessed form Agent Function:

ESA IP Address (EsaIpAddress): ___________________

Certificates on ESA

By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in policy agent Cloud Function Environment variables configuration.

In case ESA is configured with publicly signed certificates, this section can be skipped since the agent function will use public CA to validate ESA certificates.

To obtain self-signed CA certificate from ESA:

1. Log in to ESA Web UI.

2. Select Settings > Network > Manage Certificates.

3. Hover over Server Certificate and click on download icon to download the CA certificate.

4. After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.

   To escape new lines from command line, use one of the following commands depending on your operating system:

   Linux Bash:

   awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt
   

   Windows PowerShell:

   (Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'
   

5. Record the certificate content with new lines escaped.

   ESA CA Server Certificate (EsaCaCert): ___________________

   This value will be used to set PTY_ESA_CA_SERVER_CERT variable in the Policy Agent Function Configuration section Configure Function

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

Create Policy Encryption Key

Create a policy encryption key.

To create policy encryption key:

1. From Azure console, navigate to Key Vaults and select Key Vault created in Key Vault.

2. Under Objects, select Keys.

3. Click Generate/Import.

4. Specify the following:

   a. Key name for the Name field.

   b. RSA for Key type.

   c. 2048 for RSA key size.

   d. Set Enabled toggle to Yes.

5. Select Create.

6. Click on the key name after creation is complete, then click on the key identifier row under CURRENT VERSION.

7. Copy the full URL value of Key Identifier. Record it for later use:

   Policy Encryption Key ID (PolicyEncryptionKey): _________________

Agent Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

1. In the search box, enter Managed Identities. Under Services, select Managed Identities

2. Select Create

3. For Subscription provide recorded value of AzureSubscriptionID

4. For Resource Group provide recorded value of ApiResourceGroup

5. For Region provide recorded value of ApiRegion

6. For Name provide a name of the new identity

7. Assign following roles to this identity:

   • Storage Blob Data Owner with scope Storage account
   • Monitoring Metrics Publisher with scope Resource Group
   • Website Contributor with scope Resource Group

8. Record Agent function user-assigned identity

   Agent Function User-Assigned Identity (AgentFuncUserAssignedIdentity): ____________________

Install Agent via ARM template

Resources created with ARM template include Function App, Premium V3 App Service Plan (optional) and Application Insights service. Run Azure Resource Manager deployment.

To install Agent via ARM template:

1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

2. Select Build your own template in editor.

3. Select Load File and upload pty_agent_arm_v2.json. Click Save.

4. Select Resource Group.

5. Specify Name for the resources (All resources will be prefixed with Protegrity-Agent).

6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

7. For Agent Function Blob Url use the value from Upload Files

8. For Function App Managed Identity Optionally use the value from Agent Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.

9. If you set Use Existing App Service Plan to True, you must specify existing Linux App Service Plan name in the next parameter.

10. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Agent Function Blob Url.

11. Select Review + create then Create. Wait for all resources to deploy

12. After deployment is complete, go to Outputs and record agentFunctionName:

    Agent Function Name: __________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Agent Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

1. Navigate to the function

2. Select Settings, Identity.

3. Confirm Status of system-assigned identity is already On on System Assigned tab

4. Click on Azure role assignments button.

5. Assign following roles to this identity:

   • Storage Blob Data Owner with scope Storage account
   • Monitoring Metrics Publisher with scope Resource Group
   • Website Contributor with scope Resource Group

Creating ESA Credentials

Policy Agent Function requires ESA credentials to be provided as one of the two options:

• ESA credentials stored as secrets in Azure Key Vault
• ESA credentials provided by a custom Azure Function App )

ESA Credentials In Azure Key Vault

Policy Agent Function uses Key Vault as secure store for sensitive information like ESA username and password.

Create ESA credentials secrets:

1. Navigate to Key Vault.

2. Under Objects, select Secrets > Generate/import.

3. Select Manual, then type in valid json as shown in the example for Secret value.

   {"username": "<policy_export_user>", "password": "<password>"}
   

4. Select Create.

5. Navigate to the secret details in Key Vault by selecting the newly created secret.

6. Inspect the current secret version properties by selecting the current version.

7. Copy the Secret Identifier value. For example https://<myvault>.vault.azure.net/secrets/<mysecret>/abcdefgxyz8edef595adaehij0d99123.

8. Record the Secret Identifier for later use.

ESA Credentials From Custom Azure Function App

Policy Agent Function requests ESA username and password from a custom Azure Function App, further referred to as ESA Credentials function. This method may be used to get the username and password from external vaults.

There are four options for configuring Policy Agent authorization with ESA Credentials function: Option 1, Option 2, Option 3 and Option 4. Only one option is expected to be configured at a time.

Create ESA credentials function:

1. Create Azure HTTP triggered ESA Credentials function using any supported runtime.

   a. There is no input needed.

   b. The function must accept an HTTP POST request.

   c. The function must return the following response schema

   ```
   response: 
   type: json object
     properties: 
       username: string 
       password: string  
   ```
   
   For example,
   
   ```
   {"username": "admin", "password": "Password1234"} 
   ```
   

2. Configure Policy Agent to use ESA Credentials function app.

   a. Navigate to HTTP triggered function to open ‘Code + Test’ page.

   b. Under ‘Code + Test’ tab on ‘Code + Test’ page select ‘Resource JSON’.

   c. In ‘Resource JSON’ blade record the value of ‘invoke_url_template’ property.

   **'invoke_url_template'** property is located towards the bottom of resource json.
   
   URL must be in the form of 'https://[function-app-name].azurewebsites.[net|us]/api/[http-trigger-name]'.
   
   **ESA Credentials function URL (EsaCredentialsFnUrl):__________**
   

   d. Navigate to Policy Agent function app.

   e. Expand Settings menu item.

   f. Select Environment Variables menu item.

   g. Click Add button.

   h. For Name use PTY_ESA_CREDENTIALS_FUNCTION.

   i. For Value use ESA Credentials function URL (EsaCredentialsFnUrl) recorded in previous steps.

   j. Hit Apply in Add/Edit application setting blade.

   k. Hit Apply in App Settings tab.

3. Configure Authorization Option 1: Function Key Option 2: Key Vault Option 3: System-assigned Identity Option 4: User-assigned Identity

Authorization Option 1: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from environment variables.

1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

   Review Azure documentation on how to accomplish this.

2. Navigate to ESA Credentials function app.

3. Expand Functions menu item.

4. Select App Keys.

5. Record default key value.

   ESA Credentials function key (EsaCredentialsFnKey):_______________

6. Navigate to Policy Agent function app.

7. Expand Settings menu item.

8. Select Environment Variables menu item.

9. Click Add button.

10. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY.

11. For Value use ESA Credentials function key (EsaCredentialsFnKey) recorded in previous steps.

12. Hit Apply in Add/Edit application setting blade.

13. Hit Apply in App Settings tab.

Authorization Option 2: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from Azure Key Vault.

1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

   Review Azure documentation on how to accomplish this.

2. Navigate to ESA Credentials function app.

3. Expand Functions menu item.

4. Select App Keys.

5. Record default key value.

   ESA Credentials function key (EsaCredentialsFnKey):_______________

6. Navigate to Key Vault.

7. Under Objects, select Secrets > Generate/import.

8. Select Manual, type in secret name and use ESA Credentials function key value recorded in previous steps (EsaCredentialsFnKey) for Secret value.

9. Select Create.

10. Record Key Vault secret name.

    ESA Credentials function key secret name (EsaCredentialsFnKeySecretName):_______________

11. Navigate to Policy Agent function app.

12. Expand Settings menu item.

13. Select Environment Variables menu item.

14. Click Add button.

15. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET.

16. For Value use ESA Credentials function key secret name (EsaCredentialsFnKeySecretName) recorded in previous steps.

17. Hit Apply in Add/Edit application setting blade.

18. Hit Apply in App Settings tab.

Authorization Option 3: Configure ESA Credentials authentication provider to authorize Policy Agent system-assigned identity.

1. Navigate to Policy Agent function app

2. Expand Settings menu item

3. Select Identity

4. Select System assigned tab

5. Status should already be On

   Other Status indicates Policy Agent was installed without system-assigned identity. Before proceeding any further you need to either install Policy Agent with system-assigned identity or follow Option 4 which describes configuration steps for Policy Agent installed with user-assigned managed identity.

6. Copy Object (principal) ID

7. Navigate to ESA Credentials function app

8. Expand Settings menu item

9. Select Authentication

10. Select Add identity provider

    Review related Microsoft documentation

11. Select Microsoft in identity provider dropdown

12. For App registration type provide details of your choice

13. For Issuer URL accept the default value

14. For Client application requirement select Allow requests from any application

    Access will be limited to only the Policy Agent identity in the next step

15. For Identity requirement select Allow requests from specific identities

16. For Allowed identities add Object (principal) ID copied in previous step

17. For Restrict access select Require authentication

18. For Unauthenticated requests select HTTP 401 Unauthorized: recommended for APIs

19. Check Token store

20. Select Add

21. Click OK to apply constraint

22. Click Save

23. Navigate to Application of Microsoft identity provider

    A link to identity providers application is available under Authentication menu item of ESA Credentials function

24. Expand Manage menu item

25. Select Expose an API

26. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

27. Record Application ID URI of identity provider

    ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

28. Navigate to Policy Agent function app.

29. Expand Settings menu item.

30. Select Environment Variables menu item.

31. Click Add button.

32. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

33. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

    Review Microsoft identity platform default scope

34. Hit Apply in Add/Edit application setting blade.

35. Hit Apply in App Settings tab.

Authorization Option 4: Configure ESA Credentials authentication provider to authorize Policy Agent user-assigned identity.

1. Navigate to Policy Agent function app

2. Expand Settings menu item

3. Select Identity

4. Select User assigned tab

   User-assigned identity should already be provided. Missing user-assigned identity indicates Policy Agent was installed without user-assigned identity. Before proceeding any further you need to either install Policy Agent with user-assigned identity or follow Option 3 which describes configuration steps for Policy Agent installed with system-assigned managed identity.

5. Copy Client ID

6. Copy Object (principal) ID

7. Navigate to ESA Credentials function app

8. Expand Settings menu item

9. Select Authentication

10. Select Add identity provider

    Review related Microsoft documentation

11. Select Microsoft in identity provider dropdown

12. For App registration type provide details of your choice

13. For Issuer URL accept the default value

14. For Client application requirement select Allow requests from specific client applications

15. For Allowed client applications add Client ID copied in previous step

16. Click OK to apply constraint

17. For Identity requirement select Allow requests from specific identities

18. For Allowed identities add Object (principal) ID copied in previous step

19. Click OK to apply constraint

20. Click Save

21. Navigate to Application of Microsoft identity provider

    A link to identity providers application is available under Authentication menu item of ESA Credentials function

22. Expand Manage menu item

23. Select Expose an API

24. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

25. Record Application ID URI of identity provider

    ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

26. Navigate to Policy Agent function app.

27. Expand Settings menu item.

28. Select Environment Variables menu item.

29. Click Add button.

30. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

31. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

    Review Microsoft identity platform default scope

32. Hit Apply in Add/Edit application setting blade.

33. Hit Apply in App Settings tab.

Agent Function Key Vault Access Policies

Agent Function requires access to Key Vault created in Key Vault to encrypt policy and to access configuration secrets.

1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
2. Select Access policies.
3. Click Create.
4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Wrap Key under Cryptographic Operations. c. Get under Secret Permissions.
5. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Agent Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Agent via ARM template
6. Proceed Next to Application and Next again to Review + Create.
7. Review permissions and Create.

Agent Function Outbound IP address

Agent Function App IP addresses may be useful for configuring ESA policy store and allowing traffic between Agent and ESA.

To obtain the list of Outbound IP addresses:

1. From Azure console navigate to Function App, select the Agent Function App.
2. Select Settings > Networking.
3. Under Outbound traffic configuration, select Show More next to Outbound addresses

Configure Function

Agent Function must be configured with parameters recorded in steps above.

To configure Function:

1. Open Function App service from the Azure console. Select the Function App created for policy agent in previous steps.

2. Navigate to Settings > Environment variables .

3. On the App Settings pane, click on Show values to reveal all configuration values

4. To modify multiple parameters, click the pencil icon Advanced edit at the top. Alternatively you may click on the environment variable name to edit single values.

5. Modify parameters according to the table below. If configuration has a default value you don’t have to change it

Protegrity-Protect-func1,Protegrity-Protect-func2

6. Click Apply at the bottom of the screen and then Confirm to save the changes.

Test Agent Function Installation

After configuration is complete you can test the function.

To test Agent function installation:

1. Navigate to Overview.

2. Select the function agent from the Functions tab.

3. Click Code + Test > Test/Run and then Run to execute the function.

4. You should see a 202 Accepted response.

5. Expand Logs output at the bottom of the page. Click Maximize to enlarge log output.

   Note

   It may take 1-2 minutes for the logs to begin populating in the console. Logging in the console is best effort and it is possible for the logs to be cut off. Navigate to Application Insights for full logs.

6. Below is an example log output from successful agent run.

   
   INFO:AZURE_SUBSCRIPTION_ID: [xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
   INFO:AZURE_KEY_VAULT_NAME: [vault-name]
   INFO:AZURE_ENCRYPTION_KEY_ID: [https://vault-name.vault.azure.net/keys/key-name/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
   INFO:AZURE_RESOURCE_GROUP_NAME: [resource-group-name]
   INFO:AZURE_POLICY_BLOB_URL: [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip]
   INFO:AZURE_RETAIN_POLICY_BLOB: [3]
   INFO:PROTEGRITY_PROTECT_FUNCTION: [Protegrity-Protect-xxxx]
   INFO:DISABLE_DEPLOY: [0]
   INFO:PTY_ESA_IP: [xxx.xxx.xxx.xxx]
   INFO:PTY_SYNC_DATASTORE: []
   INFO:POLICY_PULL_TIMEOUT: [40]
   INFO:LOG_LEVEL: [info]
   INFO:PTY_CORE_EMPTYSTRING: [empty]
   INFO:PTY_CORE_CASESENSITIVE: [no]
   INFO:PTY_ADDIPADDRESSHEADER: [yes]
   INFO:Starting policy agent [4.0.3] ...
   INFO:ESA_CONNECTION_TIMEOUT: [60]
   INFO:Using ESA CA certificate from PTY_ESA_CA_SERVER_CERT environment variable.
   INFO:ResilientPackageClient initialized.
   INFO:Retrieving ESA rps version
   INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[]
   INFO:RPS Version: 1.9.2, Build: 1.9.2+1.g4bfba.1.9
   INFO:Checking ESA rps export availability
   INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[QA_DATA_STORE]
   INFO:Export available, Last-Modified: [Thu, 01 Jan 2026 00:00:00 GMT]
   INFO:Getting current policy metadata [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip] ...
   INFO:Last modified: [Thu, 01 Jan 2026 00:00:00 GMT], Last deployed: [Thu, 01 Jan 2026 00:00:00 GMT]
   WARNING:Current policy deployment has no checksum_mapping metadata:
   INFO:No changes in the policy since last download. Skipping policy deployment.
   INFO:Checking container for the last deployed policy [https://resource-group-name.blob.core.windows.net/policy]...
   INFO:[Protegrity-Protect-xxxx] current policy blob url: [https://resource-group-name.blob.core.windows.net/policy/2026-02-01_18-00-00/protegrity-policy-name.zip]
   INFO:Policy blob in sync for function [Protegrity-Protect-xxxx]
   INFO:[0] blobs are outside of the retention period [3]
   

7. If the log output in this window pauses or is difficult to read, you may navigate back to the Agent Function App overview and select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to view logs.

Troubleshooting

To review the most recent invocation traces, navigate to the function app instance. Select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to retrieve the full history of executions with detailed traces.