1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Azure Account
    7. Troubleshoot Azure Account Onboarding

    Troubleshoot Azure Account Onboarding

    During the onboarding process and after you may encounter some issues that may lead to issues with retrieving logs, metadata, scanning network traffic or identifying vulnerabilities on your Azure resources.
    Use this troubleshooting guide to find tips to identify, detect, and remediate any issues that may arise.
    Issue
    Troubleshooting Tip
    Azure Onboarding Terraform Issues
    Error below when running the Azure onboarding Terraform template on your local system or Azure Cloud shell.
    Could not retrieve the list of available versions for provider hashicorp/random: ... must use terraform init -upgrade to allow selection of new version
    Your local system or Azure Cloud shell still has the old versions of Terraform libraries installed. To update to the new terraform library versions, execute
    terraform init -upgrade command
     in the directory where you want to execute terraform. Next, execute
    terraform apply
     to run Terraform.
    Following error during
    terraform apply
     step, while running Azure onboarding Terraform template on your local system or Azure Cloud Shell
    Access Denied error with 403 status code
    Ensure that the you have been assigned the Global Administrator role on Azure Active Directory (AD).
    Following error during
    terraform apply
     step, while running Azure onboarding Terraform template on your local system or Azure Cloud Shell
    Error: Could not create service principal

with azuread_service_principal.prisma_cloud_sp,
on terraform (1).tf line 124, in resource "azuread_service_principal" "prisma_cloud_sp":
124: resource "azuread_service_principal" "prisma_cloud_sp" {

ServicePrincipalsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: When using this permission, the backing application of the service principal being created must
in the local tenant

Error: Adding password for application with object ID "89d14baf-ab16-4a66-a2c8-1719b6085d28"
    Ensure that the you have been assigned the Global Administrator role on Azure Active Directory (AD).
    Azure Cloud Account Status related issues
    Cloud account status shows the following error / warning for under Config on the Cloud Account Status page.
    Prisma Cloud application is not assigned following role(s): User.Read.All, Application.Read.All, Reports.Read.All, Directory.Read.All, Domain.Read.All, Group.Read.All, GroupMember.Read.All, Policy.Read.All
    Ensure that you have granted
    Admin Consent
     to all the
    Microsoft Graph API Permissions
     on the Azure Portal and confirm that the Status column for all the API Permissions has a green checkmark.
    Cloud account status shows error for multiple components.
    Verify that you have created the required roles, added the role assignments and selected
    Grant Admin Consent
     for API permissions If the issue still persists after you have eliminated the items above as an issue, confirm that you have given Prisma Cloud the appropriate
    Enterprise Application Object ID
    :
    1. Navigate to Enterprise
      Applications > All Applications
      .
    2. Search for your application in the Search box and copy the
      Object ID
      .
    3. Copy and paste it in
      Enterprise Application Object ID
       in the Prisma Cloud Azure Onboarding workflow and ensure that all the statuses are green in the
      Review Status
       dialog.
    Following permissions are shown as missing under Agent Based Workload Protection component under the account onboarding status tab:
    Prisma Cloud is not assigned the following data actions:
"Microsoft.KeyVault/vaults/keys/unwrapaction"
"Microsoft.KeyVault/vaults/keys/wrapaction"
    Verify that
    Key Vault Crypto Service Encryption User
     built in role is assigned at
    Tenant/Subscription
     scope to the Prisma Cloud app registration.
    Cloud account status displays red and includes the following error message:
    Authentication failed. Azure Subscription not found.
    Login to the Azure Portal and check whether the Azure subscription is deleted or disabled. Prisma Cloud cannot monitor the subscription if it is deleted or disabled.
    A child account of an already added Tenant on Prisma Cloud is modified on the Azure Portal, but the change is not reflected in Prisma Cloud under
    Management Groups and Subscriptions
     of the already added Tenant.
    It can take up to six hours for new child account information to be added, updated, or deleted in Prisma Cloud.
    Azure Flow Logs configuration related issues
    Ingest and Monitor Network Security Group Flow Logs
     checkbox is checked during onboarding and you are still facing issues with Flow Logs Ingestion.
    Check whether Azure flow logs are being generated
     and written to the storage account:
    1. Log in to the Azure portal.
    2. Select Storage Accounts and select the storage account that you want to check.
    3. Select Blobs > Blob Service and navigate through the folders to find the .json files. These are the flow logs that Prisma Cloud ingests.
    Check that you have created storage accounts in the same regions as the Network Security Groups
    .
    Network Security Group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Azure flow logs must be stored within a storage account in the same region as the NSG.
    1. Log in to Prisma Cloud.
    2. Select
      Investigate
       and enter the following RQL query:
      network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs') AND bytes > 0
      This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment.
    Verify that you have enabled Network Watcher instance
    .
    The Network Watcher is required to generate flow logs on Azure.
    1. Log in to the Azure portal and select
      Network Watcher
      Overview
       and verify that the status is
      Enabled
      .
    2. Log in to Prisma Cloud.
    3. Select
      Investigate
       and enter the following RQL query:
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nsg-list' addcolumn pr provisioningState
    Check that you have enabled flow logs on the NSGs
    .
    1. Log in to the Azure portal, and select
      Network Watcher
      NSG Flow Logs
       and verify that the status is
      Enabled
      .
    2. Log in to Prisma Cloud.
    3. Select
      Investigate
       and enter the following RQL query:
      network from vpc.flow_record where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
      This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo