Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy: Assignment on ResourceGroup level - insufficient right for 'Microsoft.Security/mdeOnboardings/read' #1070

Open steffenbeermann opened 1 year ago

steffenbeermann commented 1 year ago

ISSUE TITLE: ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy: Assignment on Resource Group scope - insufficient right for 'Microsoft.Security/mdeOnboardings/read'

ISSUE DESCRIPTION: When assigning the policy definition ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy with a system-assigned managed identity on a resource level, DeployIfNotExist fails because the managed identity does not have the right to read 'Microsoft.Security/mdeOnboardings/read'.

If a resource is remediated, a deployment error is thrown: "The client with object id does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."


Details of the scenario you tried and the problem that is occurring

Assigning the policy at resource group scope means the system-assigned managed identity only has the Contributor role over the scope of the resource group. Therefore it has no right to perform Microsoft.Security/mdeOnboardings/read.

The task fails with the deployment error mentioned above.

Verbose logs showing the problem

"The client with object id does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope * or the scope is invalid. If access was recently granted, please refresh your credentials."

Suggested solution to the issue

If policy is Guest Configuration - details about target node

mav147 commented 1 year ago

Had the exact same issue with MDE for Linux too:

The client # with object id # does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope .../providers/Microsoft.Security/mdeOnboardings/Linux' or the scope is invalid. If access was recently granted, please refresh your credentials

(IDs redacted)

slivoski commented 1 year ago

What role is required to access 'Microsoft.Security/mdeOnboardings/read'. Has this been resolved or is a workaround available?

mav147 commented 1 year ago

> What role is required to access 'Microsoft.Security/mdeOnboardings/read'. Has this been resolved or is a workaround available?

I think I had to assign the service principal account "Security Reader" or similar to get around this error at the time.
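The failure reported above is a scope problem rather than a missing action: the mdeOnboardings resource lives under the subscription (`.../providers/Microsoft.Security/mdeOnboardings/Linux`), so a role assigned only at resource group scope never applies to it, however broad the role's actions are. The following added example (not part of this issue, the policy definition, or any Azure SDK) models Azure RBAC evaluation with simplified, constructed role definitions so you can reason about which assignment scope and role the policy's managed identity needs before remediation runs. The subscription id and resource group name are placeholders; the Contributor and Security Reader definitions are reduced subsets written for this example, not the full built-in roles.

```python
"""
Simulated Azure RBAC authorization check for a policy assignment's managed identity.

Assumptions (illustrative model, not the Azure authorization engine):
  - a role assignment applies only to resources at or below its scope;
  - Actions/NotActions use '*' wildcards, matched case-insensitively;
  - NotActions subtract from Actions within the same role definition.
The role definitions below are simplified subsets constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    role: RoleDefinition
    scope: str


# Constructed, reduced versions of two built-in roles (not the full definitions).
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ),
)
SECURITY_READER = RoleDefinition(
    "Security Reader",
    actions=("Microsoft.Security/*/read", "Microsoft.Authorization/*/read"),
)


def _segments(scope: str) -> list:
    """Split an ARM scope into lower-cased path segments."""
    return [s for s in scope.lower().split("/") if s]


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """True when the resource sits at or below the assignment scope."""
    a, r = _segments(assignment_scope), _segments(resource_scope)
    return r[: len(a)] == a


def action_matches(pattern: str, action: str) -> bool:
    """Match an RBAC action string against a pattern that may contain '*' wildcards."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, action: str) -> bool:
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def is_authorized(assignments: list, action: str, resource_scope: str) -> bool:
    """Authorized if any assignment both covers the resource scope and permits the action."""
    return any(
        scope_covers(a.scope, resource_scope) and role_permits(a.role, action)
        for a in assignments
    )


# Placeholder identifiers (constructed; replace with your own when adapting this).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
MDE_ONBOARDING = SUB + "/providers/Microsoft.Security/mdeOnboardings/Linux"
ACTION = "Microsoft.Security/mdeOnboardings/read"


def rg_scope_contributor_case() -> bool:
    """The situation in this issue: Contributor granted only at resource group scope."""
    return is_authorized([RoleAssignment(CONTRIBUTOR, RG)], ACTION, MDE_ONBOARDING)


def subscription_security_reader_case() -> bool:
    """Workaround mentioned in the thread: Security Reader at subscription scope."""
    return is_authorized(
        [RoleAssignment(CONTRIBUTOR, RG), RoleAssignment(SECURITY_READER, SUB)],
        ACTION,
        MDE_ONBOARDING,
    )


if __name__ == "__main__":
    print("Contributor at RG scope:", rg_scope_contributor_case())            # False
    print("Plus Security Reader at subscription:", subscription_security_reader_case())  # True
```

Running the two cases shows why the remediation deployment fails at resource group scope and succeeds once a read-capable role is added at subscription scope; the same `is_authorized` check can be pointed at the identity's real assignments (for example, exported with `az role assignment list --assignee <principalId> --all`) to confirm coverage before triggering remediation.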

fslef commented 8 months ago

> Had the exact same issue with MDE for Linux too:
>
> The client # with object id # does not have authorization to perform action 'Microsoft.Security/mdeOnboardings/read' over scope .../providers/Microsoft.Security/mdeOnboardings/Linux' or the scope is invalid. If access was recently granted, please refresh your credentials
>
> (IDs redacted)

I confirm that I run into the same error on linux as well