
ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy: Assignment on ResourceGroup level - insufficient right for 'Microsoft.Security/mdeOnboardings/read'

Open steffenbeermann opened this issue 3 years ago • 6 comments

ISSUE TITLE: ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy: Assignment on Resource Group scope - insufficient right for 'Microsoft.Security/mdeOnboardings/read'

ISSUE DESCRIPTION: When assigning the policy definition ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy with a system assigned managed identity on a resource level, DeployIfNotExist fails because the managed identity does not have the right to read 'Microsoft.Security/mdeOnboardings/read'.

If a resource is remediated, a deployment error is thrown: "The client * with object id * does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."


Details of the scenario you tried and the problem that is occurring

Assigning the policy at resource group scope causes the system assigned managed identity to have only the Contributor role over the scope of the RG. Therefore it has no right to perform Microsoft.Security/mdeOnboardings/read.

The task fails with the deployment error mentioned above.

Verbose logs showing the problem

"The client * with object id * does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."

Suggested solution to the issue

If policy is Guest Configuration - details about target node

steffenbeermann avatar Dec 05 '22 15:12 steffenbeermann

Had the exact same issue with MDE for Linux too:

The client # with object id # does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope .../providers/Microsoft.Security/mdeOnboardings/Linux' or the scope is invalid. If access was recently granted, please refresh your credentials

(IDs redacted)

mav147 avatar Jun 19 '23 13:06 mav147

What role is required to access 'Microsoft.Security/mdeOnboardings/read'? Has this been resolved or is a workaround available?

slivoski avatar Aug 14 '23 21:08 slivoski

What role is required to access 'Microsoft.Security/mdeOnboardings/read'? Has this been resolved or is a workaround available?

I think I had to assign the service principal account "Security Reader" or similar to get around this error at the time.

mav147 avatar Aug 15 '23 09:08 mav147
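The thread's diagnosis is a scope problem rather than an action problem: Contributor's `*` action does cover `Microsoft.Security/mdeOnboardings/read`, but the `mdeOnboardings` resource lives under the subscription's `Microsoft.Security` provider namespace (`.../providers/Microsoft.Security/mdeOnboardings/Windows`), which is outside any resource group, so a role assignment scoped to the RG never applies to it. The following Python is an added example, not code from this issue or from the azure-policy project; it is a simplified model of the Azure RBAC decision (scope inheritance, wildcard actions, NotActions), not Microsoft's evaluator, and it omits deny assignments and ABAC conditions. The subscription and resource group IDs are constructed placeholders, and the built-in role action lists are abridged to the entries relevant here.

```python
"""Simplified model of the Azure RBAC check behind the
'does not have authorization to perform action ... over scope' error.

Added example (not Microsoft's evaluator): models scope inheritance,
'*' wildcard actions and NotActions only.
"""
import re
from dataclasses import dataclass

# Constructed placeholder identifiers for the scenario in the issue.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-policy-demo"
VM_EXTENSION = RG + "/providers/Microsoft.Compute/virtualMachines/vm01/extensions/MDE.Windows"
# The onboarding blob is a subscription-level provider resource, not an RG resource.
MDE_ONBOARDING = SUB + "/providers/Microsoft.Security/mdeOnboardings/Windows"
ACTION = "Microsoft.Security/mdeOnboardings/read"


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    role: RoleDefinition
    scope: str


# Abridged action lists of the built-in roles (only the entries needed here).
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=("Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"),
)
SECURITY_READER = RoleDefinition(
    "Security Reader",
    actions=("Microsoft.Security/*/read",
             "Microsoft.Resources/subscriptions/resourceGroups/read"),
)


def _pattern_matches(pattern: str, action: str) -> bool:
    """Azure action wildcard: '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to the resource at its scope and everything beneath it."""
    scope, res = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return res == scope or res.startswith(scope + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Action is granted if some Actions entry matches and no NotActions entry does."""
    allowed = any(_pattern_matches(p, action) for p in role.actions)
    excluded = any(_pattern_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def is_authorized(assignments, action: str, resource_id: str) -> bool:
    """Any single assignment that both covers the scope and permits the action suffices."""
    return any(_scope_covers(ra.scope, resource_id) and role_permits(ra.role, action)
               for ra in assignments)


def rg_scoped_identity() -> list:
    """What the policy assignment creates when assigned at RG scope."""
    return [RoleAssignment(CONTRIBUTOR, RG)]


def rg_scoped_identity_with_workaround() -> list:
    """Workaround from the thread: add Security Reader at subscription scope."""
    return rg_scoped_identity() + [RoleAssignment(SECURITY_READER, SUB)]


def subscription_scoped_identity() -> list:
    """Alternative: assign the policy at subscription scope instead."""
    return [RoleAssignment(CONTRIBUTOR, SUB)]


if __name__ == "__main__":
    for label, ids in (("RG-scoped Contributor", rg_scoped_identity()),
                       ("RG Contributor + sub Security Reader", rg_scoped_identity_with_workaround()),
                       ("subscription-scoped Contributor", subscription_scoped_identity())):
        ext = is_authorized(ids, "Microsoft.Compute/virtualMachines/extensions/write", VM_EXTENSION)
        onboard = is_authorized(ids, ACTION, MDE_ONBOARDING)
        print(f"{label:40s} extension write in RG: {ext}  mdeOnboardings/read: {onboard}")
```

The model reproduces the thread: with Contributor on the RG alone, the identity can write the VM extension but is refused `Microsoft.Security/mdeOnboardings/read`, and the check passes as soon as a role whose Actions match that action is assigned at a scope that contains the `Microsoft.Security` provider resource. Security Reader is the narrower choice (its `Microsoft.Security/*/read` grants no write on compute resources), which is why it is the usual workaround; the role is granted to the assignment's principal with `az role assignment create --assignee-object-id <principalId> --assignee-principal-type ServicePrincipal --role "Security Reader" --scope /subscriptions/<id>`, where `principalId` is the assignment's managed identity.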

Had the exact same issue with MDE for Linux too:

The client # with object id # does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope .../providers/Microsoft.Security/mdeOnboardings/Linux' or the scope is invalid. If access was recently granted, please refresh your credentials

(IDs redacted)

I confirm that I ran into the same error on Linux as well.

fslef avatar Jan 31 '24 14:01 fslef