Troubleshoot Azure Connections

This page helps you troubleshoot Azure cloud account setup.

Insufficient Permissions on Subscription

This error might occur if your current Azure authentication session does not have the required permissions to create resources in the specified subscription.

Solution: Ensure you are authenticated to Azure using a Non-Guest user with the Contributor or Owner role on the target subscription.

Error: Error Creating/Updating Lighthouse Definition "dd9be15b-0ee9-7daf-b942-5e173dae13fb" (Scope "/subscriptions/***"): managedservices.RegistrationDefinitionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InsufficientPrivilegesForManagedServiceResource" Message="The requested user doesn't have sufficient privileges to perform the operation."

     with module.cloudvision_example_existing_resource_group.module.cloud_bench.module.trust_relationship["***"].azurerm_lighthouse_definition.lighthouse_definition,
         on ../../../modules/services/cloud-bench/trust_relationship/main.tf line 28, in resource "azurerm_lighthouse_definition" "lighthouse_definition":
         28: resource "azurerm_lighthouse_definition" "lighthouse_definition" {

Insufficient Permissions on Tenant

User Access Administrator

The following error might occur if the User Access Administrator role was assigned on child management group levels only:

│ Error: reading Management Group (Display Name "Tenant Root Group"): Management Group (Display Name "Tenant Root Group") was not found
│ 
│   with module.vm-workload-scanning.data.azurerm_management_group.root_management_group[0],
│   on .terraform/modules/vm-workload-scanning/modules/vm-workload-scanning/organizational.tf line 4, in data "azurerm_management_group" "root_management_group":
│    4: data "azurerm_management_group" "root_management_group" {

To address this, assign Reader role to the Installer security principal on root management group level with the following command template:

az role assignment create --assignee ”<SP_ID>” --role "Reader" --scope "<ROOT_MANAGEMENT_GROUP_ID>"

Fill in the values SP_ID, and ROOT_MANAGEMENT_GROUP_ID. For example:

az role assignment create --assignee "a686e05a-191d-48ba-a74e-6daf9445ef71" --role "Reader" --scope "/providers/Microsoft.Management/managementGroups/d1aed736-5b36-41ff-9d78-c8181a3435bb"

The Reader role is required to list all management groups by using this terraform code.

Permission to Modify Diagnostic Settings

These errors might occur if you attempt to modify diagnostic settings without the appropriate permission:

│ Error: checking for presence of existing Diagnostic Setting (Diagnostic Setting Name: "sysdig-entra-diagnostic-settings-de20e4f3"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '67848d30-0bc5-4c3d-b92e-da2c6cc3671e' with object id '67848d30-0bc5-4c3d-b92e-da2c6cc3671e' does not have authorization to perform action 'Microsoft.AADIAM/diagnosticSettings/read' over scope '/providers/Microsoft.AADIAM/diagnosticSettings/sysdig-entra-diagnostic-settings-de20e4f3' or the scope is invalid. If access was recently granted, please refresh your credentials.
│ 
│   with module.event-hub.azurerm_monitor_aad_diagnostic_setting.sysdig_entra_diagnostic_setting[0],
│   on .terraform/modules/event-hub/modules/integrations/event-hub/main.tf line 139, in resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting":
│  139: resource "azurerm_monitor_aad_diagnostic_setting" "sysdig_entra_diagnostic_setting" {
│

│ Error: creating Monitor Diagnostics Setting "sysdig-diagnostic-settings-158dd88c" for Resource "/subscriptions/77016a5a-e464-4730-a8db-39cb1b562bfd": unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '67848d30-0bc5-4c3d-b92e-da2c6cc3671e' with object id '67848d30-0bc5-4c3d-b92e-da2c6cc3671e' does not have authorization to perform action 'Microsoft.Insights/diagnosticSettings/write' over scope '/subscriptions/77016a5a-e464-4730-a8db-39cb1b562bfd/providers/Microsoft.Insights/diagnosticSettings/sysdig-diagnostic-settings-158dd88c' or the scope is invalid. If access was recently granted, please refresh your credentials.
│ 
│   with module.event-hub.azurerm_monitor_diagnostic_setting.sysdig_org_diagnostic_setting[3],
│   on .terraform/modules/event-hub/modules/integrations/event-hub/organizational.tf line 32, in resource "azurerm_monitor_diagnostic_setting" "sysdig_org_diagnostic_setting":
│   32: resource "azurerm_monitor_diagnostic_setting" "sysdig_org_diagnostic_setting" {
│

To remedy this, Assign the Contributor Permission.

Conflicting Resources

This error might occur if the specified Azure Subscription has already been onboarded to Sysdig

Solution: You can import the resource into Terraform using the terraform import command. This will bring the resource under management in the current Terraform workspace.

Error: A resource with the ID "/subscriptions/***/resourceGroups/sfc-resourcegroup" already exists - to be managed via Terraform this resource needs to be imported into the State. For details, see the resource documentation for `azurerm_resource_group`.

         with module.cloudvision_example_existing_resource_group.module.infrastructure_eventhub.azurerm_resource_group.rg[0],
         on ../../../modules/infrastructure/eventhub/main.tf line 6, in resource "azurerm_resource_group" "rg":
          6: resource "azurerm_resource_group" "rg" {

Missing Microsoft.ManagedServices Namespace Registration

This error occurs if the specified Azure Subscription is not registered in the Microsoft.ManagedServices namespace.

│ Error: creating Scoped Registration Assignment (Scope: "/subscriptions/65574bab-1b53-4fa5-a082-e4d158aad670"
│ Registration Assignment: "da52bf86-4451-8704-f46a-50f427698202"): performing CreateOrUpdate: unexpected status 409 (409 Conflict) with error: MissingSubscriptionRegistration: The managed services resource provider not allowed to access the subscription '65574bab-1b53-4fa5-a082-e4d158aad670'. The subscription must be registered to use namespace 'Microsoft.ManagedServices'. Please see https://aka.ms/rp-not-register-error for details on how to register subscriptions.
│ 
│   with module.agentless-scanning.azurerm_lighthouse_assignment.lighthouse_assignment_for_tenant["65574bab-1b53-4fa5-a082-e4d158aad670"],
│   on .terraform/modules/agentless-scanning/modules/agentless-scanning/organizational.tf line 33, in resource "azurerm_lighthouse_assignment" "lighthouse_assignment_for_tenant":
│   33: resource "azurerm_lighthouse_assignment" "lighthouse_assignment_for_tenant" {

Solution:

Use this Bash script to enable Microsoft Managed Services (Lighthouse) in each Azure subscriptions your account has access to:

for sub in $(az account list --query "[].id" -o tsv); do
  echo "Registering MMS in $sub"
  az provider register --namespace Microsoft.ManagedServices --subscription "$sub"
done

Lighthouse requires Microsoft.ManagedServices provider to access the subscriptions.

You can register a Resource Provider by following the Microsoft Documentation.

Missing Cloud Logs

If validation is successful, but events are not flowing after setting up log ingestion:

In the Secure UI, open Integrations > Azure and select the Subscription of your interest. On the panel on the right hand side, you can find the Event Hub name in the details of the Identity and Access Management or the Cloud Detection and Response sections.
Using the Azure portal or the azurerm CLI, confirm the Event Hub is in place and check its metrics. If they are healthy, there should be no errors (Server Errors/User Errors), and there should be messages flowing, unless the subscription is silent.
If the subscription is silent, check the presence of Diagnostic settings on Azure. Each connected subscription should have Diagnostic Settings pointing to the target EventHub, as well as Entra ID, in case of Tenant setups.

Offboard Azure Subscriptions, Groups, and Tenants Using Terraform

Problem: Cannot Use Terraform Destroy to Offboard

Azure Service Principals are created at the Tenant level. Therefore, onboarded subscriptions share and use an existing service principal that is linked to the Sysdig application in the same tenant.

Once created, this service principal cannot be deleted via the Terraform module. This safeguards against unintended deletes if the service principal is in use.

As a result, trying to offboard using Terraform destroy results in the following: Error: Instance cannot be destroyed.

Solution

To resolve this problem, remove the service_principal resource from your Terraform state, so that Terraform will no longer control it.

terraform state list
terraform state rm module.<module-name>.azuread_service_principal.<sysdig-sp-resource-name>
terraform destroy

Problem: Terraform Fails to Destroy Organization Deployment with Enabled Security Features

Terraform fails to destroy an organization deployment when Host Scanning, Workload Scanning, or CDR is enabled, likely due to dependencies on active security configurations.

Solution

To resolve this, first manually offboard Azure. If the problem still persists, run the following terraform destroy command:

terraform destroy -target module.onboarding.sysdig_secure_organization.azure_organization

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.