Connecting with Microsoft Azure cloud accounts

You can connect one or more Microsoft Azure subscriptions with IBM Guardium AI Security by using an Azure cloud shell script to provide access to your cloud environment and thereby discover AI deployments across the subscriptions.

Before you begin

This functionality is available only with the Guardium AI Security application.

Verify that you have the following items:

  • List of Azure subscriptions to be connected to Guardium AI Security
  • An Azure user with the permission to create the relevant service principal

For more information about the service principal, see Results.

Additionally, when you connect a Microsoft Azure account to Guardium AI Security, a Custom role is created during the connection. After the connection is established, Guardium AI Security uses the built-in Reader role together with the newly created Custom role to discover the AI deployments.

Permissions required to authorize connection

The following permissions are required to authorize the initial connection:

  • Global admin role for the Microsoft Azure tenant
  • Built-in owner role per Microsoft Azure subscription

Permissions to access an Azure connection

The following permissions are required to access Azure deployments:

Reader role
Scans and monitors the metadata of the AI deployments that Guardium AI Security discovers. It is a read-only role with no edit permission.
Custom role
Gathers information about the discovered AI deployments in the connected Azure subscriptions. The Custom role has the following permissions to access the metadata of AI deployments in the connected Azure subscriptions:
  • Microsoft.CognitiveServices/accounts/read to read the metadata of the Azure OpenAI accounts and their keys
  • Microsoft.CognitiveServices/accounts/listKeys/action to retrieve the account keys that are needed to call the Azure OpenAI API
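As an added example (not IBM's or Azure's own code), the following Python check compares the Custom role that the connection created against the two documented permissions and the list of subscriptions you intended to connect, so that drift such as a wildcard action or a tenant-wide assignable scope is caught. The role definition is constructed here in the shape that `az role definition create --role-definition` accepts; the role name and subscription IDs are placeholders.

```python
import copy

# Actions the documentation lists for the Custom role that the Azure connection creates.
EXPECTED_ACTIONS = {
    "Microsoft.CognitiveServices/accounts/read",
    "Microsoft.CognitiveServices/accounts/listKeys/action",
}

def expected_scopes(subscription_ids):
    """assignableScopes entries for exactly the subscriptions being connected."""
    return {"/subscriptions/" + sid for sid in subscription_ids}

def audit_custom_role(role_definition, subscription_ids):
    """Check a role definition dict against the documented permissions and the
    connected subscriptions. Returns a list of findings; empty means it matches."""
    findings = []
    scopes = role_definition.get("assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes set")
    for scope in scopes:
        if scope not in expected_scopes(subscription_ids):
            findings.append("assignable scope outside connected subscriptions: " + scope)
    actions = set()
    for perm in role_definition.get("permissions", []):
        actions.update(perm.get("actions", []))
        # The documented role grants control-plane read/listKeys only; anything
        # in the other permission lists is not part of what the connection needs.
        for key in ("notActions", "dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(key + " should be empty: " + ", ".join(perm[key]))
    for action in sorted(actions - EXPECTED_ACTIONS):
        findings.append("action not in documented set: " + action)
    for action in sorted(EXPECTED_ACTIONS - actions):
        findings.append("documented action missing: " + action)
    return findings

# Constructed sample: the subscription ID and role name are placeholders, not real values.
CONNECTED = ["00000000-0000-0000-0000-000000000001"]
ROLE_AS_DOCUMENTED = {
    "roleName": "guardium-ai-security-custom",  # hypothetical name
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
    "permissions": [{"actions": sorted(EXPECTED_ACTIONS), "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}
# The same role after drift: a wildcard action and a scope at the root of the tenant.
ROLE_DRIFTED = copy.deepcopy(ROLE_AS_DOCUMENTED)
ROLE_DRIFTED["assignableScopes"].append("/")
ROLE_DRIFTED["permissions"][0]["actions"].append("Microsoft.CognitiveServices/*")
```

Feed it the JSON that `az role definition list --custom-role-only true` returns for the role to compare the live definition against what this page documents.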

Use the following steps to connect Guardium AI Security with one or more Azure cloud accounts:

Procedure

  1. Complete one of the following tasks:
    • Click Add connections on the welcome page of Guardium AI Security.
    • Click the Connections icon from the Guardium AI Security navigation menu.
  2. In the Add connections wizard, select the Microsoft Azure tile, and then click Next.
  3. In the Add subscription details step, do the following, and then click Next.
    1. Enter the Subscription ID and Subscription name.
    2. Select Preproduction, Production, or Development as the Environment.
    3. Click Add.
    Note: You can add multiple subscription details by repeating step 3.
    All the subscriptions that you add are listed in a table in the Add subscription details tab. You can click Remove in the row of a subscription to remove it.
  4. In the Run command step, follow the onscreen instructions, and then click Next.
  5. In the Authorize connection step, follow the onscreen instructions, and then click Next.
    1. Ensure that you are signed in as a Global Admin in Azure.
    2. Open the Authorization window in Azure and allow the requested permissions.
  6. In the Installation progress step, verify that all the Azure subscriptions are added as required, and then click Done.

    The Role Installation status of each subscription in the Installation progress tab is one of In progress, Connected, or Failed.

Results

When you connect Guardium AI Security to Azure subscriptions, an App Registration with a Service Principal is created with a read-only role. This principal scans and monitors the metadata of the data assets that Guardium AI Security discovers.