    Onboarding Azure manually within Netskope One DSPM instances

    Overview

    These instructions cover onboarding Azure Subscriptions and Tenants as Infrastructure Connections within Netskope One DSPM. Such connections permit Netskope One DSPM to discover your available Data Stores and facilitate scanning and classification activities. Repeat these steps for each Azure Account you wish to onboard to Netskope One DSPM.

    Register Netskope One DSPM App Service Principal

    1. Log in to your Azure portal and search for App registration.
    2. Click on New Registrations and complete the registration by providing an app Name. It is recommended to include "Netskope One DSPM" in the name to make it easier to identify.
    3. Go to the Overview of the created app and capture the Application ID and Tenant ID (Directory ID).

    Create Client Secret

    1. From the Netskope One DSPM App overview, navigate to Certificates & secrets and click on New client secret.
    2. Enter a Description and the validity of the secret.
    3. Click Add to create the secret. Copy and capture the Secret value as the Application Secret. The secret is never shown again after this step.

    Add Netskope One DSPM Role

    1. Navigate to Subscriptions and capture the Subscription ID.
    2. Navigate to Access control (IAM) and add a custom role by clicking Add in the menu bar at the top.
    3. Navigate to the JSON tab and click the Edit button.
    4. In the text area, replace the default JSON with one of the following Netskope One DSPM-specific JSON definitions. Be sure to substitute your Azure Subscription ID value where you see <AZURE SUBSCRIPTION ID>.

    Standard Permissions

    Use this JSON for the standard permissions required by Netskope One DSPM.

    {
        "properties": {
            "roleName": "Netskope One DSPM Role",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<AZURE SUBSCRIPTION ID>"
            ],
            "permissions": [
                {
                    "actions": [
                          "Microsoft.Sql/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/databases/read",
                          "Microsoft.DBforMySQL/servers/read",
                          "Microsoft.DBforMariaDB/servers/databases/read",
                          "Microsoft.DBforMariaDB/servers/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.DBforPostgreSQL/serversv2/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
                          "Microsoft.DBforMariaDB/servers/firewallRules/read",
                          "Microsoft.DBforMySQL/servers/firewallRules/read",
                          "Microsoft.Sql/servers/firewallRules/read",
                          "Microsoft.Sql/servers/administrators/read",
                          "Microsoft.DBforMySQL/flexibleServers/read",
                          "Microsoft.DBforMySQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/serversv2/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
                          "Microsoft.Synapse/workspaces/read",
                          "Microsoft.Databricks/workspaces/read",
                          "Microsoft.Storage/storageAccounts/blobServices/read",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Storage/storageAccounts/listkeys/action",
                          "Microsoft.Storage/storageAccounts/fileServices/shares/read"
                        ],
                    "notActions": [],
                    "dataActions": [
                          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                          "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
                        ],
                    "notDataActions": []
                }
            ]
        }
    }
     
     

    Standard + Snapshot Permissions

    Use this JSON for both the standard and snapshot scanning permissions required by Netskope One DSPM.

    {
        "properties": {
            "roleName": "Netskope One DSPM Role",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<AZURE SUBSCRIPTION ID>"
            ],
            "permissions": [
                {
                    "actions": [
                          "Microsoft.Sql/servers/write", 
                          "Microsoft.Sql/servers/delete", 
                          "Microsoft.Sql/servers/firewallRules/write", 
                          "Microsoft.Sql/servers/databases/read", 
                          "Microsoft.Sql/servers/databases/write", 
                          "Microsoft.Sql/servers/databases/delete",
                          "Microsoft.Sql/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/read",
                          "Microsoft.DBforPostgreSQL/servers/databases/read",
                          "Microsoft.DBforMySQL/servers/read",
                          "Microsoft.DBforMariaDB/servers/databases/read",
                          "Microsoft.DBforMariaDB/servers/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.DBforPostgreSQL/serversv2/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
                          "Microsoft.DBforMariaDB/servers/firewallRules/read",
                          "Microsoft.DBforMySQL/servers/firewallRules/read",
                          "Microsoft.Sql/servers/firewallRules/read",
                          "Microsoft.Sql/servers/administrators/read",
                          "Microsoft.DBforMySQL/flexibleServers/read",
                          "Microsoft.DBforMySQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/serversv2/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
                          "Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
                          "Microsoft.Synapse/workspaces/read",
                          "Microsoft.Databricks/workspaces/read",
                          "Microsoft.Storage/storageAccounts/blobServices/read",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Storage/storageAccounts/listkeys/action",
                          "Microsoft.Storage/storageAccounts/fileServices/shares/read"
                        ],
                    "notActions": [],
                    "dataActions": [
                          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                          "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
                        ],
                    "notDataActions": []
                }
            ]
        }
    }
     
     

    5. Click the Save button.
    6. Click the Review + Create button. The review screen is displayed.
    7. Click the Create button.

    Assign Role to Netskope One DSPM App

    Click on Review and Create and click the OK button to complete creation of the required custom role.
    Next, assign this custom role to the app. To do this, click Add role assignment.

    1. Filter for custom roles, click View on the role created for Netskope One DSPM, and click Select role.
    2. Click on Next and move to Add members.
    3. Search for Netskope One DSPM and select the Netskope One DSPM App.
    4. Click Next and then Review + Assign to complete the role assignment.

    Grant permissions for automatic misconfiguration analysis (Optional)

    1. Navigate to App registrations, select the Netskope One DSPM App, and navigate to API permissions.
    2. Click on Microsoft Graph (1), select the checkbox for the permission Application > Application.Read.All, and click Update permissions.
    3. Once the above permission is added, click Grant admin consent to remove the warning icon.

    Create Netskope One DSPM Infrastructure Connection

    1. Log into Netskope One DSPM.
    2. Navigate to the Administration > Infrastructure Connections screen > Azure tab.
    3. Click the Add Infrastructure button.
    4. Enter the following values:

    Field                 Value
    Account Name          Any value (this is used to identify your infrastructure connection within the Netskope One DSPM UI).
    Tenant ID             Enter the Tenant ID captured in point 3 in the Register Netskope One DSPM App Service Principal section above.
    Application ID        Enter the Application ID captured in point 3 in the Register Netskope One DSPM App Service Principal section above.
    Application Secret    Enter the Application Secret (value) captured in point 3 in the Create Client Secret section above.
    Subscription ID       Enter the Subscription ID captured in point 1 in the Add Netskope One DSPM Role section above.

    5. Click the Acknowledge button.

    Next Steps

    • If you have additional Azure Accounts to onboard in Netskope One DSPM, repeat the above steps.
    • Connect your discovered Data Stores. For more information, visit our Connecting Azure Data Stores category and select the article(s) applicable to the Data Store Type(s) you wish to connect.
