icon-dspm.svg
Posture Control (DSPM)

Deploying the Tree Discovery Template

After adding the tenant details, deploy the tree discovery template.

This template:

  • Includes policies and permissions to create the service principal, resource discovery role with required permissions, and managed identities.
  • Assigns the service principal with permission to access resources in the Microsoft Entra tenant.
  • Generates the application ID and client secret that are required for the service principal to connect to the Microsoft Entra tenant.

To deploy the tree discovery template:

    1. In the Connect to the Tenant section, click Tree Discovery to download the template as a ZIP file. Extract the file to your local system and create a new folder to store the extracted files. The ZIP file contains two Terraform files (backend.tf and azure_tf_basic.tf).

    2. Update the following details in the backend.tf file:

    Close

  • Use any of the following methods:

      1. Sign in to the Azure portal, and click Cloud Shell.

      2. In the Welcome to Azure Cloud Shell window, select Bash or PowerShell, as required.

      3. In the Getting started window:

        1. Select Mount storage account.
        2. Select the storage account subscription from the list.
        3. Click Apply.

      4. In the Mount storage account window, select Select existing storage account and click Next.

      5. In the Select storage account window:

        1. Subscription: Select the subscription where the storage account is created.
        2. Resource group: Select the resource group from the list.
        3. Storage account name: Select the storage account.
        4. File share: Click Create a file share and enter a name for the new file.
        5. Click Select.

      6. Use any of the following:

          1. Run the following commands to prepare the PowerShell environment:

            1. To switch to the clouddrive folder:

              cd clouddrive

            2. To create a DSPM folder within the clouddrive folder and switch to the newly created DSPM folder:

              md dspm_onboarding
cd dspm_onboarding

            3. To create the logs and tree discovery folders:

              md logs
md tree discovery

            4. To verify if all the folders are created:

              ls

            5. To switch to the newly created tree discovery folder:

              cd tree discovery

          2. Zip the modified template and upload the folder:

            1. Click Manage files and select Upload.
            2. Browse for the template and click Open.

          3. Run the following commands:

            1. To extract the ZIP folder:

              expand -archive -path <folder name.zip>

            2. To switch to the folder within the ZIP folder:

              cd ./<folder name>/dspm-azure/
          Close
          1. Run the following commands to prepare the Bash environment:

            1. To switch to the clouddrive folder:

              cd clouddrive

            2. To create a DSPM folder within the clouddrive folder and switch to the newly created DSPM folder:

              mkdir dspm_onboarding
cd dspm_onboarding

            3. To create the logs and tree discovery folders:

              mkdir logs
mkdir tree discovery

            4. To verify if all the folders are created:

              ls

            5. To switch to the newly created folder:

              cd tree discovery
          2. Zip the modified template and upload the folder:
            1. Click Manage files and select Upload.
            2. Browse for the template and click Open.
          3. Run the following commands:

            1. To extract the ZIP folder:

              unzip <folder name.zip>

            2. To switch to the folder within the ZIP folder:

              cd ./<folder name>/dspm-azure/
          Close
      Close
      1. Open the Command Prompt or any other CLI app in your local system.
      2. Switch to the directory containing the downloaded Terraform file.

      3. Connect to the Microsoft Entra tenant by running the following command:

        az login --tenant <tenant ID>

        You are directed to a web browser to authorize the Microsoft Entra tenant. Select your account to confirm the authorization.

        The command output returns the subscriptions available.

      Close
    Close

  • Run the following commands:

    1. To set the subscription where the storage containers containing the Terraform state files are stored:

      az account set --subscription <subscription ID>

    2. (Optional) To verify if the subscription is accurately set:

      az account show

    3. To initialize the working directory and apply Terraform configuration:

      terraform init

    4. To verify the changes in the Terraform configuration:

      terraform plan

    5. To run the Terraform script:

      terraform apply

      Under Do you want to perform these actions?, enter yes and press Enter.

      The command output returns the client ID and client secret that DSPM requires to connect to the Microsoft Entra tenant.

    Close

  • After the template is deployed, a service principal or application is created in the Microsoft Entra tenant. You need to grant API permissions to the service principal to access resources within the tenant.

    1. Sign in to the Azure portal and go to Microsoft Entra ID.

    2. In the left-side navigation, go to Manage > App registrations.

    3. Select the Owned applications tab.

    4. In the table, search for and select the service principal.

    5. In the left-side navigation, select API permissions.

    6. Click Grant admin consent for <tenant name>.

    7. In the Grand admin consent confirmation window, click Yes.

    Close

    1. In the DSPM Admin Portal, under Connect to the Tenant:

    2. Click Validate.

      DSPM validates the template deployment by verifying the application ID, client secret, and the custom roles created. If the validation is successful, you are directed to the Orchestrator & Monitoring Scope section.

      If there is any issue while deploying the template, an error is displayed. Rerun the template. To learn more, see Resolving Configuration Issues for Microsoft Azure.

    Close
Related Articles
Onboarding a Microsoft Azure TenantAdding Tenant DetailsDeploying the Tree Discovery TemplateSelecting the Orchestrator and Monitoring ScopeDeploying the Azure Onboarding TemplateResolving Configuration Issues for Microsoft AzureViewing the Tenant Onboarding StatusChanging an Orchestrator SubscriptionManaging Monitoring Scope for Microsoft AzureManaging Application Details and Client SecretDownloading Roles and Templates for Microsoft AzureIAM Roles and Permissions for Microsoft AzureResetting Orchestrator & Monitoring Scope