Knowledge Base

Enable Cloudmersive Storage Protect for a Large Number of Azure Blob Storage Accounts with Bulk Onboarding
3/9/2026 - Cloudmersive Support


Overview

The Manage Azure Resources feature in Cloudmersive Storage Protection lets you discover every Azure Blob Storage account and Event Hub across one or more Azure subscriptions from a single page, see which accounts are already protected, and onboard new accounts to Cloudmersive Storage Protection with a few clicks each.

Once onboarded, each storage account receives Advanced Virus and Multi-Threat Scanning from Cloudmersive, which includes:

  • AI Detection - identification of AI-generated images and content.
  • Fraud Detection - detection of fraudulent documents and patterns.
  • Phishing and Spam Detection - analysis of message and document content for phishing and spam indicators.
  • Content Moderation - detection of disallowed or sensitive content in images and documents.
  • Personally Identifiable Information (PII) Detection - discovery of sensitive personal data in stored files.
  • Many additional content threat checks, all delivered through a single scan call.

Rather than creating storage connections one at a time and manually copying connection strings, you create a single Azure Resource Manager (ARM) onboarding credential that holds the Azure access needed to enumerate and configure resources. You then onboard storage accounts directly from a unified resource view. Each onboarding wires up the Azure Event Grid system topic, the event subscription on the destination Event Hub, and the Cloudmersive scanning connection in one step.

Azure Resource Manager is the deployment and management layer that Azure exposes for creating, reading, updating, and deleting Azure resources. ARM is the same layer the Azure Portal itself uses, so any subscription and resource group you can see in the portal can be reached through this credential once it has been granted the role assignments described under Permissions and Scope.

This guide covers the end-to-end setup, the two authentication options, the Azure Role-Based Access Control (RBAC) each option requires, and the click-by-click steps in both the Cloudmersive Management Portal and the Azure Portal.

When to Use This Feature

Use Manage Azure Resources when:

  • You have multiple Azure Blob Storage accounts (typically more than three) that you want to bring under Cloudmersive Storage Protection.
  • You want future storage accounts in the same subscription or resource group to be easy to onboard later without re-entering credentials.
  • You want a single dashboard view of which storage accounts are protected, which are not, and which Event Hubs are in use.

For a single one-off storage account, the manual Add Storage Connection wizard is also a valid path. The remainder of this document focuses on the bulk path that uses an ARM onboarding credential.

Authentication Options

You choose the ARM onboarding credential's authentication mode once at the time you create the credential. The same credential is then reused for every storage account you onboard through Manage Azure Resources.

Option 1: Azure Managed Identity (recommended for Azure App Service deployments)

If your Cloudmersive Private Cloud is deployed as an Azure App Service container (or runs on an Azure Virtual Machine), the system-assigned managed identity on that App Service or Virtual Machine can be used as the ARM credential. A managed identity is an Azure-controlled identity that lets a resource authenticate to other Azure services without your application handling any secret.

This option is recommended because:

  • There is no client secret to rotate - Azure manages the identity's credential lifecycle.
  • The same managed identity can also be granted the data-plane role used for blob scanning, so a single identity covers both onboarding and ongoing scanning end to end.
  • Permissions are granted once at subscription scope (or resource group scope) and cover all current and future storage accounts in that scope.

Option 2: Connection Strings (Service Principal plus Access Keys)

If your Cloudmersive Private Cloud is deployed elsewhere (on-premises, on Amazon Web Services, on Google Cloud Platform, or in any environment where you prefer explicit credential separation), use the Service Principal mode. A Service Principal is a Microsoft Entra ID application identity, similar to a service account, that authenticates with a client identifier and a client secret.

In this mode Cloudmersive Storage Protection uses:

  • A Microsoft Entra ID application registration (the Service Principal) with a client secret for ARM enumeration and provisioning.
  • The storage account access key (fetched automatically by the Service Principal during onboarding) for blob scanning.
  • A Shared Access Signature (SAS) connection string on the Event Hub namespace for event consumption.

This option requires one extra Azure RBAC role on the Service Principal (Storage Account Key Operator Service Role), but does not require any data-plane RBAC on the storage accounts themselves.

Permissions and Scope

The two options differ in which roles are needed and which identity receives them. In both options, a small fixed set of role assignments is granted once, and those grants cover every current and future storage account in the targeted subscription or resource group.

Managed Identity Option - Required Roles

Identity receiving the roles: the system-assigned managed identity of the Azure App Service or Azure Virtual Machine hosting Cloudmersive Private Cloud.

  • Reader

    • Scope: Subscription
    • Purpose: Enumerates storage accounts, resource groups, and Event Hub namespaces visible in the Manage Azure Resources view.
  • EventGrid Contributor

    • Scope: Subscription
    • Purpose: Creates the Event Grid system topic on each onboarded storage account and the event subscription that routes blob events to the destination Event Hub.
  • Defender for Storage Data Scanner

    • Scope: Subscription or Resource Group
    • Purpose: Provides the data-plane access the scanning engine needs: read, write, delete, move, and blob tag read and write. Covers every current and future storage account in the chosen scope.
  • Owner

    • Scope: Event Hub namespace (single namespace only)
    • Purpose: Satisfies Azure's linked-authorization check when creating the Event Grid subscription, and allows the onboarding flow to automatically assign Azure Event Hubs Data Sender to the system topic's managed identity. With this role, no per-onboarding manual steps remain.
  • Azure Event Hubs Data Receiver

    • Scope: Event Hub namespace (same namespace as Owner)
    • Purpose: Lets the Cloudmersive Storage Protection listener consume blob-created events from the hub.

Reader and EventGrid Contributor can be granted at the Management Group level if you want a single set of assignments to cover an entire group of subscriptions.

Connection Strings Option - Required Roles

Identity receiving the roles: a Microsoft Entra ID application registration (Service Principal) you create specifically for Cloudmersive Storage Protection.

  • Reader

    • Scope: Subscription
    • Purpose: Enumerates storage accounts, resource groups, and Event Hub namespaces visible in the Manage Azure Resources view.
  • EventGrid Contributor

    • Scope: Subscription
    • Purpose: Creates the Event Grid system topic on each onboarded storage account and the event subscription that routes blob events to the destination Event Hub.
  • Storage Account Key Operator Service Role

    • Scope: Subscription
    • Purpose: Lets the Service Principal call the listKeys operation to fetch each storage account's access key at onboarding time. Storage account access keys are used for scanning in this mode instead of data-plane RBAC.
  • Owner

    • Scope: Event Hub namespace (single namespace only)
    • Purpose: Satisfies Azure's linked-authorization check and allows the onboarding flow to automatically assign Azure Event Hubs Data Sender to the system topic's managed identity.

The Cloudmersive Storage Protection listener consumes Event Hub events using a SAS connection string in this mode, so no Event Hubs Data Receiver role is required on the namespace.

Setup

The setup has four phases:

  1. In Azure - create the Event Hub namespace and Event Hub that will receive blob-created events.
  2. In Azure - create the credential (Service Principal mode only) and grant the RBAC roles listed above.
  3. In the Cloudmersive Management Portal - create the ARM onboarding connection.
  4. In the Cloudmersive Management Portal - use Manage Azure Resources to discover and onboard storage accounts.

The Azure steps in phase 2 differ depending on which authentication option you chose. Follow either phase 2A or phase 2B, not both.

Phase 1 - Create the Event Hub Namespace and Event Hub in Azure

Cloudmersive Storage Protection receives blob-created events for every onboarded storage account through an Azure Event Hub. The Event Hub is a shared resource - you create a single Event Hub namespace and a single Event Hub within it, and every storage account you onboard later routes its blob events to that same hub. You do not need a separate Event Hub per storage account, per resource group, or per subscription, regardless of which subscription each storage account is in. If you already have an Event Hub namespace and hub provisioned for this purpose, you can skip to Phase 2.

To create one:

  1. Sign in to the Azure Portal.
  2. In the top search bar, type Event Hubs and open the Event Hubs service.
  3. Click + Create.
  4. Fill in the namespace fields:
    • Subscription: pick one of the subscriptions you intend to onboard. The Event Hub namespace's subscription must appear in the ARM onboarding connection's allowed-subscription list.
    • Resource Group: pick an existing resource group or create a new one.
    • Namespace name: enter a unique name, for example cloudmersive-storage-protect-eh.
    • Location: pick the same region as the storage accounts you intend to scan, if possible.
    • Pricing tier: Basic is sufficient. Blob-created events from Event Grid are low-volume and need only one consumer group (the Cloudmersive Storage Protection listener), and 1-day retention is typically adequate because events are consumed in near real time.
  5. Click Review + create and then Create. Deployment takes about a minute.
  6. When deployment is complete, click Go to resource.
  7. On the namespace's left blade, click + Event Hub in the toolbar.
  8. Name: enter a hub name, for example storage-protect. Leave the other defaults.
  9. Click Review + create and then Create.

The Event Hub namespace and hub are now ready. Make a note of the namespace name - you will return to it in Phase 2 to grant role assignments, and you will pick this Event Hub in the per-account onboarding wizard in Phase 4.

Phase 2A - Azure Setup for Managed Identity Mode

Skip this phase if you have already enabled a system-assigned managed identity on your Cloudmersive Private Cloud App Service or Virtual Machine. Otherwise:

  1. Sign in to the Azure Portal and navigate to the App Service (or Virtual Machine) hosting your Cloudmersive Private Cloud node.

  2. In the left blade, click Identity.

  3. On the System assigned tab, set Status to On and click Save.

  4. After save completes, copy the Object (principal) ID that appears - you'll use it to identify this managed identity when assigning roles.

  5. In the top search bar, type the name of the first Azure Subscription you want to onboard, and open it.

  6. In the subscription's left blade, click Access control (IAM), then in the top toolbar click + Add → Add role assignment.

  7. Repeat the role-assignment flow once for each of the three subscription-scoped roles below, against this subscription:

    • Reader
    • EventGrid Contributor
    • Defender for Storage Data Scanner

    In each assignment: on the Role tab pick the role and click Next; on the Members tab set "Assign access to" to Managed identity, click + Select members, choose App Service (or Virtual Machine), select your Cloudmersive Private Cloud resource, click Select, then Review + assign → Review + assign.

    If you prefer that the scanning role only cover a specific resource group, perform the Defender for Storage Data Scanner assignment at the Resource Group level instead of the subscription level.

  8. Repeat steps 5-7 for every other subscription you want to onboard.

  9. Now grant the Event Hub namespace roles. In the top search bar, navigate to the Event Hub namespace you created in Phase 1.

  10. In the namespace's left blade, click Access control (IAM) → + Add → Add role assignment.

  11. On the Role tab, switch to the Privileged administrator roles sub-tab, select Owner, click Next, then on the Members tab assign access to your Private Cloud App Service or Virtual Machine's managed identity. Click Review + assign.

  12. Repeat steps 10-11 for Azure Event Hubs Data Receiver on the same namespace. This role appears on the standard Job function roles sub-tab rather than Privileged administrator roles.

Azure setup is complete. Continue with Phase 3.

Phase 2B - Azure Setup for Connection Strings (Service Principal) Mode

  1. Sign in to the Azure Portal and navigate to Microsoft Entra ID → App registrations → + New registration.
  2. Name: Cloudmersive Storage Protection ARM. Leave the other fields at their defaults and click Register.
  3. On the application's Overview page, copy the Directory (tenant) ID and the Application (client) ID. You'll paste these into the Cloudmersive Management Portal in Phase 3.
  4. Click Certificates & secrets → + New client secret. Add a description and choose an expiration period, then click Add. Copy the Value immediately - Azure shows it only once.
  5. Navigate to the first Subscription you want to onboard.
  6. Click Access control (IAM) → + Add → Add role assignment.
  7. Repeat the role-assignment flow once for each of these three subscription-scoped roles, assigning each one to the application registration you just created (search by application name in the Members tab via + Select members):
    • Reader
    • EventGrid Contributor
    • Storage Account Key Operator Service Role
  8. Repeat steps 5-7 for every other subscription you want to onboard.
  9. Navigate to the Event Hub namespace you created in Phase 1.
  10. Access control (IAM) → + Add → Add role assignment → Privileged administrator roles sub-tab → Owner → assign to the application registration → Review + assign.

Azure setup is complete. Continue with Phase 3.
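After finishing Phase 2A or 2B it is worth confirming that the identity holds exactly the role set listed under Permissions and Scope, nothing missing and nothing more. The following audit is an added example, not Cloudmersive's or Microsoft's code: it diffs the output of `az role assignment list --assignee <id> --all -o json` against the documented roles for the chosen auth mode and reports missing and surplus assignments; the subscription IDs, resource group and namespace names in it are constructed placeholders.

```python
import json

# Role set from the "Permissions and Scope" section, per auth mode: (role, scope kind).
REQUIRED_ROLES = {
    "managed_identity": [
        ("Reader", "subscription"),
        ("EventGrid Contributor", "subscription"),
        ("Defender for Storage Data Scanner", "scanner"),
        ("Owner", "eventhub_namespace"),
        ("Azure Event Hubs Data Receiver", "eventhub_namespace"),
    ],
    "service_principal": [
        ("Reader", "subscription"),
        ("EventGrid Contributor", "subscription"),
        ("Storage Account Key Operator Service Role", "subscription"),
        ("Owner", "eventhub_namespace"),
    ],
}

def required_assignments(mode, subscription_ids, namespace_id, scanner_scopes=None):
    """Expand the documented role set into concrete (role, lower-cased ARM scope) pairs.
    scanner_scopes narrows Defender for Storage Data Scanner to resource groups (default:
    the subscriptions). Lower-casing matters: ARM compares resource IDs case-insensitively
    but does not echo them back with stable casing."""
    sub_scopes = [f"/subscriptions/{s}" for s in subscription_ids]
    by_kind = {"subscription": sub_scopes, "scanner": scanner_scopes or sub_scopes,
               "eventhub_namespace": [namespace_id]}
    return {(role, scope.lower())
            for role, kind in REQUIRED_ROLES[mode] for scope in by_kind[kind]}

def audit(mode, az_json, subscription_ids, namespace_id, scanner_scopes=None):
    """Diff actual assignments (`az role assignment list --assignee <id> --all -o json`)
    against the required set. Returns (missing, surplus); surplus entries such as Owner
    at subscription scope are least-privilege findings to remove."""
    required = required_assignments(mode, subscription_ids, namespace_id, scanner_scopes)
    actual = {(a["roleDefinitionName"], a["scope"].lower()) for a in json.loads(az_json)}
    return required - actual, actual - required

# Constructed sample: two placeholder subscription IDs and the Phase 1 namespace.
SUBS = ["sub-a", "sub-b"]
NAMESPACE = ("/subscriptions/sub-a/resourceGroups/storage-protect-rg"
             "/providers/Microsoft.EventHub/namespaces/cloudmersive-storage-protect-eh")
# Constructed `az role assignment list` output: the scanner role is missing on sub-b,
# Owner was granted on subscription sub-b instead of only the namespace, and one
# scope comes back with different casing.
SAMPLE_AZ_OUTPUT = json.dumps([{"roleDefinitionName": r, "scope": s} for r, s in [
    ("Reader", "/subscriptions/sub-a"), ("Reader", "/subscriptions/sub-b"),
    ("EventGrid Contributor", "/subscriptions/sub-a"),
    ("EventGrid Contributor", "/subscriptions/sub-b"),
    ("Defender for Storage Data Scanner", "/subscriptions/sub-a"),
    ("Owner", NAMESPACE), ("Owner", "/subscriptions/sub-b"),
    ("Azure Event Hubs Data Receiver", NAMESPACE.replace("resourceGroups", "resourcegroups")),
]])

if __name__ == "__main__":
    missing, surplus = audit("managed_identity", SAMPLE_AZ_OUTPUT, SUBS, NAMESPACE)
    print("missing:", sorted(missing))
    print("surplus (remove for least privilege):", sorted(surplus))
```

Run it against real output by replacing SAMPLE_AZ_OUTPUT with the JSON the CLI returns; pass scanner_scopes when Defender for Storage Data Scanner was granted at resource group level rather than subscription level.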

Phase 3 - Create the ARM Onboarding Connection in the Cloudmersive Management Portal

  1. Sign in to the Cloudmersive Management Portal.
  2. In the left navigation, click Storage Protection → Add Connection.
  3. Under Cloud Storage Type, choose Azure Resource Manager (Onboarding Connection).
  4. Connection Name: enter a descriptive name, for example Production ARM Onboarding.
  5. Infrastructure: select the Cloudmersive Private Cloud node that will host this connection.
  6. ARM Auth Mode: choose either Azure Managed Identity (Passwordless) or Service Principal (Client ID + Secret), matching the option you configured in Phase 2.
  7. Fill in the credential fields:
    • Managed Identity mode: select the Managed Identity Type, which is typically System-Assigned. For User-Assigned, paste the user-assigned identity's Client ID.
    • Service Principal mode: paste the Tenant ID, Client ID, and Client Secret values you saved during Phase 2B.
  8. Subscription IDs: paste a comma-separated list of every Azure subscription identifier this credential should cover.
  9. Click Create Connection.

The ARM onboarding connection is now ready. From this point forward you do not need to revisit it for individual storage account onboardings - the same credential is reused for every onboarding.

Phase 4 - Discover and Onboard Storage Accounts

  1. In the Cloudmersive Management Portal, click Storage Protection → Manage Azure Resources.
  2. The page enumerates every storage account and every Event Hub across all subscriptions covered by every ARM onboarding connection in your organization. This typically completes within 10 to 60 seconds depending on the number of subscriptions. If a Private Cloud node is slow to respond, increase the Load timeout dropdown at the top of the page and reload.
  3. The Storage Accounts table shows each account's name, subscription, resource group, location, blob type (Standard Blob or Azure Data Lake Storage Gen2), and protection status. Accounts that are already onboarded show a Protected link to their existing connection; unprotected accounts show an Add Connection... link.
  4. To onboard an unprotected account, click Add Connection... in its row. This opens the per-account onboarding wizard pre-populated with the storage account and the ARM connection it came from.
  5. Fill in the onboarding wizard:
    • Connection Name - defaults to the storage account name; edit if desired.
    • API Key - pick the Cloudmersive API key to use for scanning.
    • Auth Mode - match what you configured in Phase 2 (Managed Identity or Connection String). If you chose Managed Identity at the ARM credential level, Managed Identity is also recommended here.
    • Connection Scope - Single Container (specify the container name) or All Containers in Storage Account.
    • Event Hub - pick the shared Event Hub you created in Phase 1 from the dropdown. The list is filtered to Event Hubs reachable by the ARM onboarding connection's allowed subscriptions. The same Event Hub is selected for every storage account you onboard.
    • Outcome Actions - pick defaults for Clean File Action, Infected File Action, and Scan Type. These can be changed later from the Manage Connection page.
  6. Click Create Connection and Enable Scanning.

Behind the scenes the wizard:

  • Creates the Cloudmersive Storage Protection connection in your organization.
  • Creates an Azure Event Grid system topic on the storage account, if one does not already exist.
  • Creates an event subscription on that system topic, routing blob events to the Event Hub you selected.
  • In Managed Identity mode, automatically assigns Azure Event Hubs Data Sender to the system topic's managed identity. This is why the Owner role on the Event Hub namespace is required in Phase 2A.
  • Triggers the Cloudmersive Storage Protection listener on the Private Cloud node to reload its configuration and begin receiving blob events.

You can now repeat step 4 for every other unprotected storage account in the table. Each onboarding takes roughly 10 to 20 seconds.

What Happens If I Add a New Storage Account to Azure Later?

Provided the new storage account is in a subscription (or, for Defender for Storage Data Scanner, a resource group) covered by your existing Phase 2 role assignments, no further Azure-side setup is needed. To onboard the new account:

  1. Open Manage Azure Resources in the Cloudmersive Management Portal.
  2. The new storage account appears in the table with a status of Unprotected.
  3. Click Add Connection... and complete the wizard.
