How to Configure Agentless VM Scanning for Azure Cloud Accounts in Compute SaaS

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
No ratings

                  By Brandon Goldstein, Senior Customer Success Engineer


This guide describes how to configure agentless vulnerability and compliance
scanning of virtual machines in Microsoft Azure subscriptions.
This example uses Prisma Cloud Enterprise Edition (PCEE, Compute SaaS)
which has a different configuration process from using the same feature in
the Compute Edition (Self-Hosted).
Additionally, we will be onboarding and scanning a single Azure subscription.
Before You Begin (Access / Permission Checks)
● The Compute module of Prisma Cloud
● Ability to onboard Prisma Cloud accounts
● In the Compute module: view cloud accounts, console logs, the
vulnerability monitor, and the compliance monitor.
● Azure Command Shell
● Global Admin permissions in your Azure Tenant
A useful list of reference material can be found at the bottom of this


Procedure 1: Onboard your Azure Subscription with Agentless

Step 1 Login to the Prisma Cloud Console and navigate to Settings / Cloud
Accounts and click “Add Cloud Account”



Figure 1: Settings_palo-alto-networks

Step 2 Click “Azure”



Figure 2: Add Cloud Account_palo-alto-networks

Step 3 On the “Get Started Page”

(1) Select “Subscription
(2) Select your subscription type (Commercial or Government)
(3) Select each of the “Security Capabilities and Permissions” that you’d like
to enable


Figure 3: Add Cloud Account_palo-alto-networks (cont.)

Step 4 On the “Configure Account” page, enter the following details:

(1) Enter an account name that you’d like to use (this can be changed later)
(2) Your Directory (Tenant) ID (process on finding this is shown in Appendix
(3) Your Subscription ID (process on finding this is shown in Appendix B)
(4) Click on “Download Terraform Script”
(5) Complete the remaining requested information after running the
Terraform Script (as shown below in Step 5)
(6) Select one or more Account Groups to place this account into
(7) Click “Next”

Step 5 Download and run the Terraform Script to create an App Registration with
the required permission assignments.



Figure 4: Add Cloud Account_palo-alto-networks (cont.)

(1) Open the Microsoft Azure Cloud Shell
(2) Upload the Terraform Script




Figure 5: Microsoft Azure_palo-alto-networks

(3) Execute “terraform init”



Figure 6: Azure Cloud Shell_palo-alto-networks


(4) Execute “terraform apply”

Step 6 ! Troubleshooting ! You may find that the “terraform apply”
command never seems to complete and you will receive similar
output as the below when canceling the command or potentially
receiving a timeout.

Error: Error obtaining Authorization Token from the Azure CLI: Error parsing
json result from the Azure CLI: Error waiting for the Azure CLI: exit status
1: ERROR: Tenant shouldn't be specified for Cloud Shell account with provider

[""], on line 91,
in provider "azuread": 91: provider "azuread" {



Figure 7: Terraform apply prompt_palo-alto-networks

Step 7 lf you receive an error similar to the one shown in Step 15, that is a
Microsoft issue and not a problem with the terraform script.

Authenticating to Azure prior to running the terraform script should
solve the problem. Execute “az login” and follow the prompts to
complete authentication via a web browser.

brandon@Azure:~$ az login

Cloud Shell is automatically authenticated under the initial account
signed-in with. Run 'az login' only if you need to use a different account.
To sign in, use a web browser to open the page and enter the code FZ2GSQHEX to

Step 8 Then you should have no problem continuing with the terraform
script. Execute “terraform init” and then “terraform apply”.

Step 9 When you reach the prompt “Do you want to perform these actions”
answer “yes”



Figure 7: Terraform prompt_palo-alto-networks

Step 10 You should receive results similar to the following:

Apply complete! Resources: 1 added, 1 changed, 1 destroyed.

a__directory_tenant_id = "YOUR-TENANT-ID"
b__subscription_id = "YOUR-SUBSCRIPTION-ID"
c__application_client_id = "APPLICATION-CLIENT-ID"
d__application_client_secret = "APPLICATION-CLIENT-SECRET"
e__enterprise_application_object_id = "ENTERPRISE-APPLICATION-OBJECTID"


Figure 8: Apply Complete_palo-alto-networks

Step 11 Review Status. You should find that each status check is green!



Figure 9: Review Status_palo-alto-networks

Step 12 Troubleshooting

(1) If any of the checks are red, you’ll receive feedback on which
check has failed and why. The most common scenario is missing
(2) New service and API ingestions are being added to Prisma Cloud
frequently and it's possible that the Terraform Script has not been
updated yet. In this case, you can add the missing permissions to
the custom Prisma Cloud role without any problem.

Step 13 Now you will be able to find your successfully onboarded Azure
subscription in the Cloud Accounts section.


Figure 10: Settings > Cloud Accounts_palo-alto-networks

Procedure 2: Configure Agentless Scanning

Step 1 Navigate to Compute / Manage / Cloud Accounts

(1) You should find that your new account has automatically been
inherited by Compute as a Cloud Account. There should be a blue
Prisma Cloud symbol in the left column next to “Account Name”
(2) You should find that your new Cloud Account has already started
an agentless scan


Figure 11: Accounts and Agentless_palo-alto-networks

Procedure 3: Check the status of the first agentless scan

Step 1 You should find the activity and progress for Azure agentless
scanning in the top right corner of the console window



Figure 12: Activity and Progress for agentless scanning_palo-alto-networks

Step 2 You can also search for the keyword “scan” in the Virtual Machine list
within the Azure console to confirm that the temporary scanners
have been created.


Figure 12: Virtual machines list_palo-alto-networks

Eventually you will see more progress in the Compute console



Figure 13: Agentless scanning progress_palo-alto-networks

Step 3 View the console logs at Manage / Logs / Console and search for

to see the related API activity



Figure 14: Console debug logs_palo-alto-networks

Procedure 4: Confirm Success!


Step 1 In the Compute console, navigate to Monitor / Vulnerabilities / Hosts
then select the Hosts subsection. Set the filter to “Scanned by:
Agentless” and add a VM name or keyword to the search for virtual
machines which should be scanned.


Figure 15: Monitor > Vulnerabilities > Hosts subsection_palo-alto-networks

Step 2 Click on one of the entries to see the scan details. Check the scan
time to see that it’s recent. You’ll also be able to confirm that it was
discovered in Azure.


Figure 16: Host details_palo-alto-networks

Step 3 Check the Compliance Monitor under Monitor / Compliance / Hosts
and the Hosts subsection to ensure you are getting valuable results
there as well!


Figure 17: Monitor > Compliance > Hosts_palo-alto-networks

Step 4 Check that agentless image scanning has succeeded by viewing
results under Monitor / Vulnerabilities / Images / Deployed

(1) Filter your results using “Scanned by” and select “Agentless”
(2) You can also see the cluster where the image is deployed


Figure 18: Deployed images_palo-alto-networks

Step 5 You’re Done! You have successfully configured and completed
agentless virtual machine scanning of your Azure subscription!

Note: Please refer to Appendix A (Find your Tenant ID) or Appendix B
(Find your Subscription ID) for additional guidance

APPENDIX A - Find your Tenant ID

Navigate to the Tenant Properties and copy the Tenant ID.


Figure 19: Tenant Properties



Figure 20: Tenant Properties_palo-alto-networks

APPENDIX B - Find your Subscription ID

Navigate to the Subscriptions service.




Figure 21: Subscription ID_palo-alto-networks

Click on the subscription that you want to onboard.



Figure 21: Subscription Example_palo-alto-networks

In the subscription’s “Essentials” section, you can easily copy the subscription ID.


Figure 22: Subscriptions example_palo-alto-networks


  1. Prisma Cloud - Onboard Your Azure Account
  2. PCEE - Onboard Azure Accounts for Agentless Scanning
  3. PCEE - Manually Authorize Prisma Cloud


About the Author:

Brandon Goldstein is the Senior Customer Success Engineer specializing in Prisma

Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes.

Brandon uses collaborative approaches to break down complex problems into solutions

for global enterprise customers and leverage his multi-industry knowledge to inspire success.

Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎09-19-2023 10:03 AM
Updated by: