Microsoft Azure | Insights

Prerequisites

• Enable auditing in Azure (Microsoft's Audit documentation)

• Minimum Microsoft Entra ID P1 license

Azure access

You must sign in as an Azure Global Administrator during setup.
Before running the install script, go to Entra ID → Properties (EntraID Properties) and toggle Access management for Azure resources to Yes.

ℹ️

This is a temporary requirement. You will toggle this back to No in the cleanup steps after the script runs.

AI security (if applicable)

For each environment in your Power Platform admin center:

• Dataverse is enabled in the environments being added (Microsoft documentation: Add a Microsoft Dataverse database)
• You are a System Administrator for the environment (Microsoft documentation: Manage high-privileged admin roles)
• All Azure Foundry resources are accessible by the app (Foundry Network Settings)

PowerShell module

The Az module is required.

ℹ️

☁️ Using CloudShell? Az is preinstalled. Skip this requirement.

If using local PowerShell on Windows: Install Azure PowerShell

Common configuration setup

You must pick one of the combinations below

• CloudShell

• Local PowerShell

• CloudShell + Event Hub (more than 20k users)

• Local PowerShell + Event Hub (more than 20k users)

Step 1 · Create the connector in Insights

1. From Insights Home, select ☰ → Connectors.
2. Click Create Connector and select Microsoft Azure. Enter a human-readable name.

3. Select your cloud environment. Use your Azure portal login URL to identify it.

   Azure Portal URL	Cloud Environment
   https://portal.azure.com	Commercial / GCC
   https://portal.azure.us	GCC High / DoD

⚠️

FedRAMP compliance notice

Insights Commercial is not FedRAMP-compliant. Do not use it with Azure Government Community Cloud (GCC), Azure GCC High, or Azure Government DoD — doing so may cause data residency issues and loss of compliance.

4. Click the sign-in link in Insights to open the Microsoft Azure Portal as a Global Administrator.
5. In Entra ID, go to Properties and toggle Access management for Azure resources to Yes.

Step 2 · Select Advanced Capabilities (Optional)

1. Make your selection for Advanced Capabilities (Optional)
   • AI Agents

     ℹ️

     You must be a System Administrator in each Power Platform Environment. See the prerequisites before proceeding.

Step 3 · Install using the connector script

Choose the method that fits your environment:

Option A · Azure CloudShell (recommended)

1. Open Azure CloudShell and sign in:

Connect-AzAccount -UseDeviceAuthentication

2. Download the Azure onboarding script from Insights, then upload it to CloudShell using the upload button in the CloudShell toolbar.
3. Run the command shown in Insights for your selection.
4. Copy the tenant ID, directory name, client ID, and client secret from the script output into the corresponding fields in Insights.
5. Remove the script from CloudShell:

Remove-Item -Path "./azuread_powerplatform_onboarding.ps1"

Option B · Local PowerShell

1. Ensure the Az module is installed. See Azure PowerShell documentation.

2. Open PowerShell as a standard user and sign in:

Connect-AzAccount

3. Verify and set your tenant context.
   View all directories you have access to:

Get-AzTenant

4. Set the correct tenant (replace TenantID with your directory's ID):

Set-AzContext -Tenant "TenantID"

5. Verify your selection:

Get-AzContext

ℹ️

If scripts must be digitally signed in your environment, first run:

PowerShell

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

6. Download the Azure onboarding script from Insights and run it using the command shown for your selection.
7. Copy the tenant ID, directory name, client ID, and client secret from the script output into the corresponding fields in Insights.

Step 4 · Grant admin consent

ℹ️

Required for all installation methods.

1. In the Azure Portal, navigate to Azure Services → Microsoft Entra ID.
2. Select App Registrations in the left menu.
3. Select the BT-SP-Connector application.
4. In the API permissions section, select Grant admin consent.
5. Confirm your selection.

Step 5 · Select Azure Event Hub option

Do you have 20,000+ users and access to Azure Event Hub?

• No → Select No from the Use Azure Event Hub dropdown, then click Create Connector. Proceed to the Cleanup section below.

• Yes → Select Yes from the dropdown, complete the Event Hub steps below, then click Create Connector. Proceed to the Cleanup section below.

Step 6 · Setup Azure Event Hub (optional)

ℹ️

If you selected No in the previous step, skip these instructions.

1. In Insights, copy the Insights-generated Azure Event Hub script.

2. In the shell environment, paste and run the Insights-generated Azure Event Hub script.

3. Once complete, copy the Fully Qualified Hub Namespace, Blob Container Url, and Hub Name in a secure location for use in the following step.

4. Follow Microsoft's procedure to stream logs to an event hub.

5. Within the Azure Diagnostics settings, select the following log Categories to stream:

   • SignInLogs
   • NonInteractiveUserSignInLogs
   • ServicePrincipalSignInLogs
   • ManagedIdentitySignInLogs

6. Within Azure's Destination details section, select Stream to an event hub, and select the Fully Qualified Hub Namespace and Hub Name you saved in step 3, above.

7. In Insights, enter the Fully Qualified Hub Namespace, Blob Container Url, and Hub Name in the appropriate fields.

8. Click Create Connector.
   The connector is created and displays in your Configured tab on the Connector page.

Final step · Cleanup

⚠️

Warning

Complete these steps before closing this guide. Both items pose a security risk if left in place.

Once you confirm the connector is created and toggled on:

• In Entra ID → Properties, toggle Access management for Azure resources back to No.
• Confirm the onboarding script has been removed from your shell environment. If you haven't already done this, run:

Remove-Item -Path "./azuread_powerplatform_onboarding.ps1"

Troubleshooting

Network access for Microsoft Foundry (optional)

ℹ️

This setup is only needed if you enable AI Agents

By default, Foundry environments are set to All networks, which is sufficient for Insights App access. If this is your setup, no additional changes are needed.

If not, go through these steps:

1. For each of your Foundry environments, navigate to your environment and select Networking under the Resource Management menu.
2. On the Firewalls and virtual networks tab, select Selected Networks and Private Endpoints.

1. Under Firewall, add the BeyondTrust Insights IP addresses:
   50.16.236.14
54.163.153.193
54.225.135.48
2. Click Save.
   For non-US environments, use the IP addresses listed:

Check your connector health

You may need to update your client secret if it is expired.

These steps are used when it is time to refresh the app registration secret.

Microsoft Azure steps

1. In Microsoft Azure, use the search box to search for Microsoft Entra ID and select it from the results.
2. Under the Manage section in the left menu, select App registrations.
3. Locate and select the BT-SP-Connector application under All applications. Note the Application (client) ID for reference.
4. Under the Manage section, select Certificates & Secrets.
5. Select + New client secret, provide a description and set an expiry date according to your company's guidelines, then click Add.
6. Copy the Secret Value and store it in a secure location.

Insights steps

1. From the top left of any page in Insights, click > Insights > Connectors. The Connectors page displays.
2. Locate and select the Microsoft Azure connector in the Configured Connectors list that requires attention.
3. Navigate to the Settings tab, confirm the Client ID matches the one from the Azure steps, and paste in the Secret Value.
4. Select Save Changes.

For information only

Required roles and permissions

The following read-only roles are required for this connector. You do not need to manually grant these roles, as this is managed by the connector install script.