Onboard Microsoft Azure

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Follow the Azure onboarding wizard, and Cortex creates a custom authentication template to be executed in Azure.

Notice

This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM license that has the Cloud Runtime Security or Cloud Posture Security add-ons.

For Cortex XSIAM NG SIEM, Cortex XSIAM Enterprise, and Cortex XSIAM Enterprise+ licenses, see How to onboard Microsoft Azure with foundational configuration.

Use the cloud onboarding wizard to integrate a Microsoft Azure environment with Cortex XSIAM. The onboarding wizard requires minimal configuration to set up the integration. To complete the minimum configuration, define the scope of the Microsoft Azure accounts and specify the scan mode. Alternatively, configure the advanced settings for full control of the onboarding process.

Cortex XSIAM generates a Terraform or ARM authentication template based on the configuration settings. The authentication template establishes trust with Microsoft Azure. The authentication template also grants required permissions to Cortex XSIAM. Execute the authentication template in Microsoft Azure to complete the onboarding process. Executing the authentication template notifies Cortex XSIAM of the execution details. Cortex XSIAM then creates a new cloud instance.

Onboard Microsoft Entra ID only

You can onboard Microsoft Entra ID independently of a full tenant-level onboarding. When you select the Onboard Microsoft Entra ID only option during onboarding with Tenant scope, Cortex XSIAM connects to Entra ID to unlock identity-based capabilities, including Cloud Infrastructure Entitlement Management (CIEM), identity posture assessment, and Entra ID sign-in log ingestion. This approach enables identity visibility without requiring Cortex XSIAM to scan or manage the broader Azure tenant environment.

When you onboard Entra ID only, Cortex XSIAM operates in collection-only mode. Scan mode selection and scope modification are not available for this configuration. Both Terraform and ARM authentication templates are supported, and manual onboarding is also available. Cortex XSIAM generates the appropriate authentication template based on your selection, and you execute it in Microsoft Azure to complete the onboarding process.

If you enable audit log collection with Entra ID-only onboarding using automated collection, Cortex XSIAM ingests sign-in and activity log categories including: SignInLogs, AuditLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs, ADFSSignInLogs, and MicrosoftGraphActivityLogs. Administrative category logs are excluded from automated collection. If you configure custom diagnostic settings, log ingestion follows your specified configuration.
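When custom diagnostic settings take the place of automated collection, one way to confirm they still cover the categories named above is to compare an exported settings document against that list. This is an added example, not Cortex XSIAM or Microsoft code: the `coverage` helper and the sample JSON are constructed, and the `properties.logs[]` layout with `category` and `enabled` fields is an assumption about the exported document.

```python
import json

# Log categories this page names for automated Entra ID-only collection.
PAGE_CATEGORIES = (
    "SignInLogs", "AuditLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ProvisioningLogs", "ADFSSignInLogs", "MicrosoftGraphActivityLogs",
)

def coverage(settings_json):
    """Return (missing, extra): page categories that no diagnostic setting
    enables, and enabled categories that the page does not name."""
    doc = json.loads(settings_json)
    # Accept a list response ({"value": [...]}), a bare list, or one setting.
    settings = doc.get("value", [doc]) if isinstance(doc, dict) else doc
    seen = {}  # lower-cased category -> spelling found in the export
    for setting in settings:
        for log in setting.get("properties", {}).get("logs", []):
            cat = log.get("category")
            # A category that is listed but not enabled produces no data.
            if cat and log.get("enabled") is True:
                seen.setdefault(cat.lower(), cat)
    # Case-insensitive comparison is a tolerance chosen for this example.
    wanted = {c.lower() for c in PAGE_CATEGORIES}
    missing = [c for c in PAGE_CATEGORIES if c.lower() not in seen]
    extra = sorted(v for k, v in seen.items() if k not in wanted)
    return missing, extra

# Constructed sample: two diagnostic settings, one disabled category.
SAMPLE = json.dumps({"value": [
    {"name": "to-siem", "properties": {"logs": [
        {"category": "SignInLogs", "enabled": True},
        {"category": "AuditLogs", "enabled": True},
        {"category": "NonInteractiveUserSignInLogs", "enabled": False},
        {"category": "ServicePrincipalSignInLogs", "enabled": True},
    ]}},
    {"name": "legacy", "properties": {"logs": [
        {"category": "managedidentitysigninlogs", "enabled": True},
        {"category": "RiskyUsers", "enabled": True},
    ]}},
]})

if __name__ == "__main__":
    missing, extra = coverage(SAMPLE)
    print("Not collected:", ", ".join(missing) or "none")
    print("Collected but not in the page's list:", ", ".join(extra) or "none")
```

A non-empty "Not collected" list marks sign-in or activity data that the custom configuration does not forward, which is a detection gap to close before relying on identity alerts.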

You can later expand an Entra ID-only configuration to full tenant scope by editing the onboarding configuration. This allows you to begin with identity-focused onboarding and transition to comprehensive tenant coverage as requirements evolve.