Open steffenbeermann opened 1 year ago
Had the exact same issue with MDE for Linux too:
The client # with object id # does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope .../providers/Microsoft.Security/mdeOnboardings/Linux' or the scope is invalid. If access was recently granted, please refresh your credentials
(IDs redacted)
What role is required to access 'Microsoft.Security/mdeOnboardings/read'. Has this been resolved or is a workaround available?
I think I had to assign the service principal account "Security Reader" or similar to get around this error at the time.
I confirm that I run into the same error on Linux as well.
ISSUE TITLE: ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy: Assignment on Resource Group scope - insufficient right for 'Microsoft.Security/mdeOnboardings/read'
ISSUE DESCRIPTION: When assigning the policy definition ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy with a system assigned managed identity on a resource group level, DeployIfNotExists fails because the managed identity does not have the right to perform 'Microsoft.Security/mdeOnboardings/read'.
If a resource is remediated, a deployment error is thrown: "The client with object id does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."
Details of the scenario you tried and the problem that is occurring
Assigning the policy at resource group scope means that the system assigned managed identity only has the Contributor role over the scope of the RG. Therefore it has no right to perform Microsoft.Security/mdeOnboardings/read.
The task fails with the deployment error mentioned above.
Verbose logs showing the problem
"The client with object id does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."
Suggested solution to the issue
If policy is Guest Configuration - details about target node
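To make the scope problem in this issue concrete, here is an added toy model of Azure RBAC evaluation (constructed for this thread; it is not Azure's evaluator and not code from this repo). It assumes that the mdeOnboardings resource lives at subscription scope (`/subscriptions/<id>/providers/Microsoft.Security/mdeOnboardings/Linux`), that the policy's managed identity only receives Contributor over the resource group, and it uses simplified action lists for Contributor and the Security Reader role mentioned in the comments above; the subscription id, resource group name, VM name and principal id are placeholders. It shows why the RG-scoped Contributor assignment can write the VM extension but cannot read the subscription-level onboarding resource, and that a read-capable role assigned at subscription scope closes the gap.

```python
# Toy model of Azure RBAC evaluation, added to illustrate the scope mismatch
# in this issue. Constructed example, not Azure's evaluator or the repo's code.
from fnmatch import fnmatchcase

# Simplified built-in role definitions (assumed subset of the real action
# lists; enough to show the behaviour discussed in the issue).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Security Reader": {
        "actions": ["Microsoft.Security/*/read"],
        "not_actions": [],
    },
}

# Constructed identifiers (placeholders, not values from the issue).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-vms"
MI = "<policy-managed-identity-object-id>"
MDE_READ = "Microsoft.Security/mdeOnboardings/read"
# Assumption: mdeOnboardings is a subscription-level resource, so its scope
# sits directly under the subscription, not under any resource group.
MDE_SCOPE = SUB + "/providers/Microsoft.Security/mdeOnboardings/Linux"
VM_EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
VM_EXT_SCOPE = RG + "/providers/Microsoft.Compute/virtualMachines/vm1/extensions/MDE.Linux"


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and every scope nested under it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Azure action patterns are case-insensitive; '*' spans path segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_authorized(assignments, principal_id, action, target_scope) -> bool:
    """Allow if any in-scope assignment grants the action and does not exclude it."""
    for asg in assignments:
        if asg["principal_id"] != principal_id:
            continue
        if not scope_covers(asg["scope"], target_scope):
            continue
        role = ROLES[asg["role"]]
        if any(action_matches(p, action) for p in role["not_actions"]):
            continue
        if any(action_matches(p, action) for p in role["actions"]):
            return True
    return False


def rg_scoped_assignments():
    """What a resource-group-scoped policy assignment gives its managed identity."""
    return [{"principal_id": MI, "role": "Contributor", "scope": RG}]


def with_subscription_reader():
    """Same, plus a subscription-scoped role that covers Microsoft.Security reads."""
    return rg_scoped_assignments() + [
        {"principal_id": MI, "role": "Security Reader", "scope": SUB}
    ]


def remediation_checks(assignments):
    """Return {action: allowed} for the onboarding read the issue reports and
    the (assumed) VM extension write the DeployIfNotExists remediation needs."""
    return {
        MDE_READ: is_authorized(assignments, MI, MDE_READ, MDE_SCOPE),
        VM_EXT_WRITE: is_authorized(assignments, MI, VM_EXT_WRITE, VM_EXT_SCOPE),
    }


if __name__ == "__main__":
    for label, asgs in [("RG-scoped Contributor only", rg_scoped_assignments()),
                        ("plus Security Reader at subscription", with_subscription_reader())]:
        print(label, remediation_checks(asgs))
```

The design point is that Contributor's `*` action list is not what fails here; the assignment's scope is. A role granted on a resource group is never evaluated against a resource that sits directly under the subscription, so the fix has to be an assignment whose scope contains the onboarding resource, and the least-privilege choice is a read-only role there rather than widening Contributor to the whole subscription.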