Update Azure Connector for AI security features

ℹ️

Third-party documentation and product interfaces are subject to change. These changes may not always be reflected in BeyondTrust documentation.

🚧

Important information

If you used a custom name when deploying your connector service principal, ensure you update the script to reflect this name before running it, to avoid creating a new service principal.

Prerequisites

Update steps

  1. Log in to Insights and navigate to the connector creation screen for a new Microsoft Azure Connector. Follow steps 2 to 4 only and discard this connector configuration afterwards. You need to re-run the setup script to add custom permissions for the BT-SP-Connector Service Principal.

  2. Register the connector as an admin management application. View Microsoft documentation.

    1. Requires the PowerShell for Power Platform Administrators module.
    2. Use the client ID of your configured BT-SP-Connector in Azure as the $appId in the script.
    3. Use the tenant ID of your Azure environment as the $tenantId in the script.
      1. If you use the Microsoft script example, you may need to add the $tenantId variable.
    4. Run the script to register the connector as an admin management application.
  3. From the Azure portal, launch Power Platform

  4. Navigate to Manage > Environments

  5. For each environment:

    🚧

    Important information

    Failure to configure all environments may result in connector errors indicating that Insights is unable to retrieve data relating to agents. However, this only affects the environments that have not been configured.

    1. Select the environment

    2. If Dataverse has not been enabled in your environment, select Add Dataverse

    3. Elevate your user account to the System Administrator role. View Microsoft documentation.

    4. Navigate to Security Roles > + New Role and configure:

      1. Role Name: BT-Read-Only

      2. Business Unit: Select the current environment’s business unit

      3. Leave the Member's privilege inheritance on the default value of Direct User (Basic) access level and Team privileges

      4. Uncheck Include App Opener privileges for running Model‑Driven apps

      5. Select Save

      6. Select Organization for the Read column for the following rows:

        Table               Name
        Copilot             bot
        Copilot component   botcomponent
        Process             workflow
    5. Return to the environment main page, navigate to S2S apps > + New app user and configure:

    6. App: Add BT-SP-Connector as an app user

    7. Business Unit: Start typing the name of the current environment's business unit, and select the appropriate value

    8. Assign the BT-Read-Only role and accept the confirmation prompt

    9. Click Create to complete the setup
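
Step 2 as a script, added here as an example (it is not BeyondTrust's or Microsoft's own script). The two GUIDs are placeholders to replace with your own values, and the cmdlets are assumed to come from the Microsoft.PowerApps.Administration.PowerShell module:

```powershell
#Requires -Modules Microsoft.PowerApps.Administration.PowerShell
# Added example: register BT-SP-Connector as a Power Platform admin
# management application (step 2 of the update steps).

# Placeholders, not real identifiers: replace both before running.
$appId    = '00000000-0000-0000-0000-000000000000'  # client ID of BT-SP-Connector in Azure
$tenantId = '00000000-0000-0000-0000-000000000000'  # tenant ID of your Azure environment

# Stop before sign-in if either value is malformed or still the placeholder,
# so a wrong application is never registered by accident.
$inputs = [ordered]@{ appId = $appId; tenantId = $tenantId }
foreach ($entry in $inputs.GetEnumerator()) {
    $parsed = [guid]::Empty
    $isGuid = [guid]::TryParse($entry.Value, [ref]$parsed)
    if (-not $isGuid -or $parsed -eq [guid]::Empty) {
        throw "$($entry.Key) must be set to a valid, non-empty GUID."
    }
}

# Interactive sign-in with a Power Platform tenant administrator account.
# -TenantID is the addition the step above mentions for the Microsoft sample.
Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId

# Registration gives the application the same Power Platform permissions as a
# tenant admin (per the comment in Microsoft's sample script), so register
# only the connector's own client ID.
New-PowerAppManagementApp -ApplicationId $appId

# Read the registration back to confirm that it exists.
Get-PowerAppManagementApp -ApplicationId $appId | Format-List
```

Keep the output of the final command with your change record so the registered client ID can be compared against BT-SP-Connector during later access reviews.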

