Finalize Microsoft Azure onboarding by executing the authentication template

Cortex Cloud Posture Management Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-06-04
Category: Administrator Guide

Abstract

Learn how to execute the authentication template file in Microsoft Azure for subscriptions, tenants, and management groups. We provide instructions both for applying the Terraform template's configuration and for deploying the Microsoft Azure Resource Manager (ARM) template.

While onboarding Microsoft Azure with the onboarding wizard, you have to choose one of the following options for executing an authentication template: Download Terraform or Azure Resource Manager.

After running the wizard, you finalize the onboarding by executing the template to provision the resources for subscriptions, management groups, and tenants in your cloud environment.

After the template is successfully executed, the initial discovery scan starts. When the scan completes, view your cloud assets in Asset Inventory.

If you selected the Download Terraform option in the Microsoft Azure onboarding wizard, execute the template with the CLI. You decide, based on your own use case, where to run the CLI commands, for example, locally or in Cloud Shell.

Prerequisite

Before you begin, ensure you have:

  • An Azure subscription.

  • A user with the required permissions for the relevant scope (subscription, management group, tenant). We recommend you create a dedicated role.

  • Tenant ID and subscription ID. You can view these in Microsoft Azure Portal in Management groups.

  • Installed Terraform on your local machine. You can download Terraform from the official Terraform website and follow the installation instructions for your operating system.

    Tip

    Review the Introduction to Terraform for Cloud service provider (CSP) onboarding to get familiar with how Cortex works with Terraform for cloud onboarding.

  • Installed the Azure CLI tool.

  1. In your local terminal, log in to your Azure account using the Azure CLI:

    az login
  2. Create a directory on your local machine to store and run the Terraform code. If you have more than one Azure connector, you need a separate directory for each one:

    mkdir -p ~/terraform/azure-connector-1
    
  3. Navigate to the directory you created and extract the Terraform files. Ensure all necessary Terraform files are present (main.tf, template_params.tfvars, and so on).

    Important

    Do not delete or move the Terraform files from this folder. Doing so prevents you from editing your cloud instance in the future.

    cd ~/terraform/azure-connector-1
    tar -xzvf <your_template>.tar.gz
  4. Initialize Terraform in your project directory:

    terraform init
  5. Apply your Terraform configuration using the downloaded parameter file:

    terraform apply --var-file=template_params.tfvars
    • When the CLI prompts you for a Group ID, enter the management group ID or the root tenant ID where you want to create Cortex Cloud resources.

    • When the CLI prompts you for a Subscription ID, enter the subscription ID where you want to create Cortex Cloud resources. (This subscription is typically a subscription that the security team manages.)

  6. When prompted, review the actions that Terraform will perform and approve them by entering yes.

The Terraform template is executed.

If you selected the Azure Resource Manager option in the Microsoft Azure onboarding wizard to onboard subscriptions, deploy the template with the CLI. You decide, based on your use case, where to run the CLI commands, for example, locally or in Cloud Shell.

Prerequisite

Before you begin, ensure you have:

  • An Azure subscription.

  • A user with the required permissions for the relevant scope (subscription, management group, tenant). We recommend you create a dedicated role.

  • Tenant ID and subscription ID. You can view these in Microsoft Azure Portal in Management groups.

  • Installed the Azure CLI tool.

  • Authorization to create management group policies.

  1. In your local terminal or Cloud Shell, log in to your Azure account using the Azure CLI:

    az login
  2. Deploy the template file.

    az deployment sub create \
       --location <LOCATION> \
       --subscription <SUBSCRIPTION_ID> \
       --template-file <JSON_TEMPLATE> 

    where:

    • <LOCATION> is the location of the management group, such as eastus or westus.

    • <SUBSCRIPTION_ID> is the ID of the subscription you want to onboard.

    • <JSON_TEMPLATE> is the JSON template file that you downloaded at the end of the onboarding wizard.

To verify the deployment was successful, check the Azure Portal under the "Deployments" section of the targeted subscription.

If you selected the Azure Resource Manager option in the Microsoft Azure onboarding wizard to onboard tenants or management groups, deploy the template with the CLI using Bash in Cloud Shell.

Prerequisite

Before you begin, ensure you have:

  • An Azure subscription.

  • A user with the required permissions for the relevant scope (subscription, management group, tenant). We recommend you create a dedicated role.

  • Tenant ID and subscription ID. You can view these in Microsoft Azure Portal in Management groups.

  • Installed the Azure CLI tool.

  • Authorization to create management group policies.

  1. To prepare for deployment, execute the following commands in a Bash-compliant terminal, such as the Bash environment in Azure Cloud Shell:

    • Create a folder on your local machine to store the tar file. If you have more than one Azure connector, you need a separate directory for each one:

        mkdir -p ~/azure-connector-1

    • Navigate to the directory you created and extract the files:

        cd ~/azure-connector-1
        tar -xzvf <your_template>.tar.gz

  2. Deploy the template file:

    bash onboard.sh

    When prompted, enter the following values:

    • The Azure region where you want the resources to be created, such as eastus or westus.

    • The ID of the management group or tenant that you want to onboard.

    • The ID of the subscription where the deployment script will run.

To verify the deployment was successful, check the Azure Portal under the "Deployments" section of the targeted management group or tenant.
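Both the Terraform procedure and the tenant or management group procedure unpack a downloaded archive into the connector directory and then run what it contains with your Azure credentials. As an added example (not part of the vendor documentation), this Bash function lists the archive before extraction and refuses absolute paths, ".." components and link entries, then confirms the expected files are present; the function names and the assumption that the files sit at the archive root are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): inspect a downloaded onboarding archive
# before extracting it into the connector directory.

# unsafe_entry_name NAME -> 0 if NAME is absolute or has a ".." component.
unsafe_entry_name() {
  case "/$1/" in
    //*|*/../*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_template_archive ARCHIVE REQUIRED_FILE...
# Returns 0 when ARCHIVE can be extracted in place, 1 otherwise.
check_template_archive() {
  local archive=$1 names listing entry required status=0
  shift

  # A truncated or non-gzip download fails here, before anything is written.
  names=$(tar -tzf "$archive" 2>/dev/null) || { echo "unreadable: $archive" >&2; return 1; }
  listing=$(tar -tvzf "$archive" 2>/dev/null)

  # Entries must stay inside the directory the archive is extracted into.
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if unsafe_entry_name "$entry"; then
      echo "unsafe path: $entry" >&2; status=1
    fi
  done <<EOF
$names
EOF

  # Links can redirect later entries elsewhere; a template archive needs none.
  if printf '%s\n' "$listing" | grep -q '^[lh]'; then
    echo "archive contains link entries" >&2; status=1
  fi

  # Confirm the files the procedure expects (assumed to be at the archive root).
  for required in "$@"; do
    printf '%s\n' "$names" | sed 's|^\./||' | grep -qxF -- "$required" ||
      { echo "missing: $required" >&2; status=1; }
  done
  return "$status"
}

# Terraform archive:       check_template_archive <your_template>.tar.gz main.tf template_params.tfvars
# Tenant/management group: check_template_archive <your_template>.tar.gz onboard.sh
```

Run the check in the connector directory and extract only when it returns 0.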
