Service Principal issues on Panorama Plugin for Azure


L2 Linker

While setting up the Service Principal on Panorama Plugin for Azure, even though the IAM role of reader seems to be properly defined in Azure, we get this error message during the validation phase:

ERROR: Validation of #######-####-####-############ failed with msg Failed to validate credentials with error - Failed to validated Azure Monitoring permissions and Deployment permissions. Error: Failed to validate monitoring permissions. Error: Missing permission for 'Microsoft.Compute/virtualMachines/read', please update service principal.

Any idea what else might cause this? Most probably it is something very simple we are missing, but we have run out of troubleshooting leads now, and any suggestion will be highly appreciated.

 

 

4 REPLIES 4

L1 Bithead

Having the same issue, did you ever resolve this?

L2 Linker

Yes, I'm having this issue as well and have a TAC case open, but so far no luck - please post if you find a solution!

L4 Transporter
PLUG-7780 - When the monitoring definition service principal for VM monitoring in Azure is configured correctly on the Panorama plugin for Azure 3.0.x with PAN-OS 10.0.x, the service principal validation check displays as failed under Panorama > Azure > Setup > Service Principal.

Please find the list of actions/permissions required to support monitoring for the Azure 3.0.1 plugin below:

 

The list of permissions required to enable monitoring is as below:

"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/locations/serviceTags/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Network/publicIPAddresses/read"
]

 

With these permissions assigned to a service principal, validation will fail but the monitoring functionality is not affected and the 3.0.1 plugin will continue to function as designed.
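To rule out a real permission gap before treating the failure as the validation issue described in the reply above, a role definition can be checked offline against the seven listed actions. The following is an added example, not part of the original reply and not Palo Alto Networks code; the function names and the two sample role definitions are constructed for illustration, and the matching follows Azure RBAC rules (case-insensitive, `*` as wildcard, `notActions` subtracted from `actions`).

```python
import re

# Required monitoring actions, copied from the reply above.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/locations/serviceTags/read",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Network/publicIPAddresses/read",
]

def _matches(pattern, action):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(permissions, required=REQUIRED_ACTIONS):
    """Return the required actions that no permission block grants.

    `permissions` is the "permissions" list of a role definition:
    [{"actions": [...], "notActions": [...]}, ...]. A block grants an
    action when it matches an `actions` entry and no `notActions` entry.
    """
    missing = []
    for action in required:
        granted = any(
            any(_matches(p, action) for p in block.get("actions", []))
            and not any(_matches(p, action) for p in block.get("notActions", []))
            for block in permissions
        )
        if not granted:
            missing.append(action)
    return missing

# Constructed sample: a Reader-style role that grants every read action.
READER_STYLE = [{"actions": ["*/read"], "notActions": []}]
# Constructed sample: a custom role with a gap and an exclusion.
CUSTOM_PARTIAL = [{
    "actions": ["Microsoft.Compute/*/read", "Microsoft.Network/*"],
    "notActions": ["Microsoft.Network/loadBalancers/*"],
}]

if __name__ == "__main__":
    for name, perms in (("reader-style", READER_STYLE), ("custom", CUSTOM_PARTIAL)):
        print(name, missing_actions(perms) or "all required actions granted")
```

An empty result for the role actually assigned to the service principal means the listed actions are covered by the definition; the check does not look at the scope of the role assignment.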

L0 Member

Panorama 
OS version 10.1.x  
Azure plugin 3.1

 

I get the below error when trying to validate the Service Principal:

 

Failed to validate credentials with error - Failed to validated Azure Monitoring permissions and Deployment permissions. Error: Failed to validate monitoring permissions. Error: Missing permission for 'Microsoft.Compute/virtualMachines/read', please update service principal.

 

Azure App is set with "reader" 

 

Can anyone explain more about what to check or what the problem could be?
