Troubleshooting Onboarding Errors for Azure Subscription

This article outlines the steps to troubleshoot errors encountered during the onboarding of an Azure subscription to Plerion using the automated CLI option.

CSPM Onboarding

The following errors might arise during CSPM onboarding:

(AuthorizationFailed) The client '' with object id '' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'

AuthorizationFailed Error

Cause: This error occurs when the user does not possess the necessary permissions to assign the required roles to the managed identity.

Solution: To address this error, grant the user the necessary permissions to assign roles to the managed identity. Plerion recommends assigning the user the Owner role in the subscription for smoother onboarding. For more details, refer to Assign Azure Roles via the Azure Portal.

CWPP Onboarding

The following errors might occur during CWPP onboarding:

(AuthorizationFailed) The client '' with object id '' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write'

AuthorizationFailed Error

Cause: This error occurs when the user lacks the required permissions to create a resource group needed to enable CWPP in the subscription.

Solution: To resolve this issue, assign the user the necessary permissions to create a resource group within the subscription. Plerion recommends granting the user the Owner role in the subscription for smoother onboarding. For more information, consult Assign Azure Roles via the Azure Portal.
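A pre-flight check for the two AuthorizationFailed errors above (CSPM and CWPP), added here as an example and not part of Plerion's onboarding script: it evaluates role definitions, in the `permissions` / `actions` / `notActions` shape that `az role definition list` returns, against the two actions quoted in the error messages. The role definitions are abridged, constructed sample input, and the function names are hypothetical.

```python
import re

# The two actions named in the AuthorizationFailed errors on this page.
REQUIRED_ACTIONS = {
    "CSPM": "Microsoft.Authorization/roleAssignments/write",
    "CWPP": "Microsoft.Resources/subscriptions/resourcegroups/write",
}

def matches(pattern, action):
    """Azure RBAC action patterns are case-insensitive; '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """Granted when a permissions entry allows the action in 'actions'
    and does not subtract it again in 'notActions'."""
    for perm in role.get("permissions", []):
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        excluded = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def missing_actions(roles):
    """Role assignments are additive, so an action is available if any
    assigned role grants it. Returns {onboarding stage: missing action}."""
    return {stage: action for stage, action in REQUIRED_ACTIONS.items()
            if not any(role_grants(role, action) for role in roles)}

# Constructed sample input: abridged built-in role definitions.
OWNER = {"roleName": "Owner",
         "permissions": [{"actions": ["*"], "notActions": []}]}
CONTRIBUTOR = {"roleName": "Contributor", "permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"]}]}
USER_ACCESS_ADMIN = {"roleName": "User Access Administrator", "permissions": [{
    "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "notActions": []}]}

if __name__ == "__main__":
    for roles in ([OWNER], [CONTRIBUTOR], [CONTRIBUTOR, USER_ACCESS_ADMIN]):
        names = " + ".join(role["roleName"] for role in roles)
        gaps = missing_actions(roles)
        print(f"{names}: {'ready' if not gaps else 'missing ' + str(gaps)}")
```

The check covers only the two actions quoted in the errors and does not model assignment scope, deny assignments or Azure Policy, so a clean result does not rule out RequestDisallowedByPolicy.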

(RequestDisallowedByPolicy) Resource 'plerion-cwpp-appliance-<plerionTenantId>-rg' was disallowed by policy.

RequestDisallowedByPolicy Error

Cause: This error occurs when a policy in the subscription restricts the creation of a resource group. Plerion mandates that the resource group and managed identity names exactly match those provided in the onboarding script. Refer to the Azure CWPP Architecture for more information.

Solution: To resolve this error, either remove the policy inhibiting the creation of a resource group in the subscription or add an exception to the policy permitting the creation of a resource group named plerion-cwpp-appliance-<plerionTenantId>-rg. For guidance on naming conventions for Azure resources and instructions on adjusting the policy to allow the creation of a resource group named plerion-cwpp-appliance-<plerionTenantId>-rg, refer to the Naming Overview.