Error in initial setup #417

Closed
DevanshuSyk opened this issue Feb 29, 2024 · 11 comments

@DevanshuSyk

Hello,

While using "Method-B" I am getting the following error message:

VERBOSE: 12:26:58 PM - Resource Microsoft.Web/sites/Extensions 'AzSK-AzTS-MetadataAggregator-31af7/MSDeploy' provisioning status is succeeded
Template deployment returned following errors: [12:26:58 PM - The deployment 'AzTSenvironmentsetup-20242529T122537' failed with error(s). Showing 3 out of 9 error(s).
Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

CorrelationId: 68d7a0f8-cbff-4591-b773-9ee1d49034c6].

Log file content

================================================================================
Method Name: Install-AzSKTenantSecuritySolutionConsolidated
Input Parameters:
Key Value


ScanningIdentityHostSubId 00000000000
ScanningIdentityHostRGName AZTS
ScanningIdentityName AZTS
SubscriptionId 00000000000
ScanHostRGName AZTS
Location eastus2
TargetSubscriptionIds {00000000000
SendAlertNotificationToEmailIds {00000000000}

================================================================================
Starting Azure Tenant Security Solution installation. This may take 5 mins...
This command will perform following major steps. It will:

[0] Validate and install required Az modules (Optional)
[1] Setup central scanning managed identity
[2] Create Azure AD application for secure authentication (Optional)
[3] Setup infra resources and schedule daily security control scan on target subscriptions

================================================================================


Step 1.A: Set up scanning identity.

Setting up Azure Tenant Security scanner identity...

Resource id and principal Id generated for user identity:/resourcegroups/AZTS/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AZTS


Step 1.B: Grant Graph permissions to scanning identity.

Skipped: Graph permissions not granted to scanner identity.
** Next steps **
Use Grant-AzSKGraphPermissionToUserAssignedIdentity command to grant graph permission to this scanner identity. This permission will be required to read data in your organization's directory such as Privileged Identity Management (PIM), users, groups and apps details.


================================================================================

Step 2: Setup AD application for AzTS UI and API.

Skipped: This step has been skipped as AzTS UI is not enabled for the setup.

================================================================================

Step 3.A: Install AzTS setup.

Started setting up Azure Tenant Security Solution...
Error occurred during deployment of AzTS components in subscription.

Command executed

$DeploymentResult = Install-AzSKTenantSecuritySolutionConsolidated -ScanningIdentityHostSubId ""
-ScanningIdentityHostRGName 'AZTS' -ScanningIdentityName 'AZTS'
-SubscriptionId '' -ScanHostRGName 'AZTS'
-Location 'eastus2' -SubscriptionsToScan @("3")
-SREEmailIds @( #Email Ids of Site Reliability Engineers or Users who should receive monitoring alerts -GrantGraphPermissionToScanIdentity:$true
-GrantGraphPermissionToInternalIdentity:$true -SetupAzModules
-AzureEnvironmentName AzureCloud -EnableAutoUpdates
-EnableAzTSUI `
-Verbose

@Aboli-msft
Contributor

Hi @DevanshuSyk, can you please share the exact parameters passed to Install-AzSKTenantSecuritySolutionConsolidated? That will help us investigate further.

@DevanshuSyk
Author

Connect to AzureAD and AzAccount

Note: Tenant Id must be specified when connecting to Azure AD and AzAccount

$TenantId = ""
Connect-AzAccount -Tenant $TenantId
Connect-AzureAD -TenantId $TenantId

-----------------------------------------------------------------#

Step 2: Run installation command.

-----------------------------------------------------------------#

$DeploymentResult = Install-AzSKTenantSecuritySolutionConsolidated -ScanningIdentityHostSubId ""
-ScanningIdentityHostRGName 'AZTS' -ScanningIdentityName 'AZTS'
-SubscriptionId ' -ScanHostRGName 'AZTS'
-Location 'eastus2' -SubscriptionsToScan @("")
-SREEmailIds @('') #Email Ids of Site Reliability Engineers or Users who should receive monitoring alerts -GrantGraphPermissionToScanIdentity:$true
-GrantGraphPermissionToInternalIdentity:$true -SetupAzModules
-AzureEnvironmentName AzureCloud -EnableAutoUpdates
-EnableAzTSUI `
-Verbose

Note: tenant and sub id have been removed from the post.

@Aboli-msft
Contributor

Aboli-msft commented Mar 4, 2024

Hi @DevanshuSyk, it seems the "`" at the end of each of the parameters is missing. Could you please add these and try again as below?

$DeploymentResult = Install-AzSKTenantSecuritySolutionConsolidated  -ScanningIdentityHostSubId "" `
-ScanningIdentityHostRGName 'AZTS' `
-ScanningIdentityName 'AZTS' `
-SubscriptionId ' ' `
-ScanHostRGName 'AZTS' `
-Location 'eastus2' `
-SubscriptionsToScan @("") `
-SREEmailIds @('')  `
 -GrantGraphPermissionToScanIdentity:$true `
-GrantGraphPermissionToInternalIdentity:$true `
-SetupAzModules `
-AzureEnvironmentName AzureCloud `
-EnableAutoUpdates `
-EnableAzTSUI `
-Verbose

@DevanshuSyk
Author

Hello, I am not sure what you mean by parameter missing?
Are you referring to ScanningIdentityHostSubId or SubscriptionsToScan? The sub id has been removed from the post on purpose.
Thanks for the help.

@Aboli-msft
Contributor

Hi @DevanshuSyk, please check the updated previous comment.

@DevanshuSyk
Author

Ah, tyvm. Let me try again.

@DevanshuSyk
Author

Same error
Template deployment returned following errors: [10:08:12 AM - The deployment 'AzTSenvironmentsetup-20240604T100650' failed with error(s). Showing 3 out of 9 error(s).
Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-WebApi-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-WebApi-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-AutoUpdater-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

CorrelationId: 1b70944a-68a4-4a4e-831f-8ebf1a43312a].

@TarunKrShukla
Contributor

Hi @DevanshuSyk,

Thanks for sharing the details. Here it's showing only 3 errors out of 9. Can you please check whether, apart from the 'resource not found' error, there is any other error?
To see all errors, go to Azure Portal --> Resource Group --> Deployments --> check the latest AzTS deployment details.

This information is needed to understand why the required resources are not getting created.

@DevanshuSyk
Author

Thanks for the reply. Here you go.

{
"code": "DeploymentFailed",
"target": "/subscriptions//resourceGroups/AZTS/providers/Microsoft.Resources/deployments/AzTSenvironmentsetup-20240604T100650",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-WebApi-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-WebApi-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-AutoUpdater-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-AutoUpdater-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
},
{
"code": "RoleAssignmentUpdateNotPermitted",
"message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
}
]
}

@TarunKrShukla
Contributor

This 'RoleAssignmentUpdateNotPermitted' error can occur if you run the installation command multiple times in the same RG, because conflicts occur due to previous role assignments. If this is the case, please try the following:

  1. If you can create a new resource group, then please try the installation command with the new resource group name. Once setup is completed, clean up the old resource group.

  2. If you can't try with a new resource group, then we need to clean up the old role assignments:

  • Navigate to access management of the resource group (AzTS) where you want to deploy the AzTS instance.
  • Find out previous role assignments for managed identity (name will follow this pattern "AzSK-AzTS-InternalMI-XXXXX").
  • Delete the identified role assignments and re-run installation command.
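
The role-assignment cleanup described in this comment, done from PowerShell instead of the portal. This is an added example, not part of the original comment or the AzTS project; it assumes the Az.Resources module, a signed-in session, and the resource group name 'AZTS' from this thread, and `$Remove` is a hypothetical guard variable.

```powershell
# Added example, not AzTS project code. Assumes the Az.Resources module and a
# session signed in (Connect-AzAccount) to the subscription that hosts the RG.
$ScanHostRGName = 'AZTS'                    # resource group used in this thread
$NamePattern    = 'AzSK-AzTS-InternalMI-*'  # naming pattern from the comment above
$Remove         = $false                    # hypothetical guard: set to $true after review

# Get-AzRoleAssignment also returns assignments inherited from parent scopes;
# keep only the ones made directly on the resource group.
$rgAssignments = @(Get-AzRoleAssignment -ResourceGroupName $ScanHostRGName |
    Where-Object { $_.Scope -like "*/resourceGroups/$ScanHostRGName" })

# Assignments held by an internal managed identity from an earlier installation run.
$stale = @($rgAssignments | Where-Object { $_.DisplayName -like $NamePattern })

# Assignments whose principal no longer exists show an empty DisplayName and
# ObjectType 'Unknown'. They are listed for manual review only, never removed here.
$orphaned = @($rgAssignments | Where-Object { $_.ObjectType -eq 'Unknown' })

Write-Host "Matching '$NamePattern': $($stale.Count); orphaned: $($orphaned.Count)"
$stale + $orphaned |
    Format-Table DisplayName, ObjectType, ObjectId, RoleDefinitionName, Scope -AutoSize

if ($Remove) {
    foreach ($ra in $stale) {
        Remove-AzRoleAssignment -ObjectId $ra.ObjectId `
            -RoleDefinitionName $ra.RoleDefinitionName `
            -Scope $ra.Scope
        Write-Host "Removed $($ra.RoleDefinitionName) for $($ra.DisplayName)"
    }
} else {
    Write-Host 'Review the list, then set $Remove = $true and run again.'
}
```

Restricting the match to the resource group scope keeps inherited subscription-level assignments out of the removal set.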

@pranchalsomani
Contributor

Closing this issue as there has been no activity for a couple of days. Please feel free to reopen if you have any further questions or comments.
