Troubleshooting Guide for ACAT

This article provides troubleshooting guidance for ACAT that customers might encounter.

Assign proper permission for your account within corresponding subscriptions

When initiating operations related to the ACAT service, ACAT executes a series of actions based on your account, necessitating specific permissions assigned to your account within corresponding subscriptions. Here are some steps you could follow to assign proper permission to your account within corresponding subscriptions.

• Search and launch the Subscriptions in Azure portal.
  • Go to the subscription that you want to use to create the compliance report.
  • Go to the Access control (IAM) on the left.
  • Select View my access to check your permission.
    • If your organization is using Azure built-in roles, your role assignments should include at least one of the following roles:
      • App Compliance Automation Administrator and Resource Policy Contributor for any administrator operations, like creating report, modifying settings, deleting reports, etc.
      • App Compliance Automation Reader for read only operations, like viewing assessments, downloading report, etc.
    • If your organization is using customized roles, your role assignments should include same actions as ACAT built-in roles.

Management of compliance reports

The compliance report serves as the foundational element for effectively overseeing compliance assessments for your application. Every compliance report uses cloud resources to delineate the compliance boundaries for your application. These cloud resources might span across multiple subscriptions.

• If you have App Compliance Automation Administrator and Resource Policy Contributor for all corresponding subscriptions, you could manage the compliance report as administrator.
• If you have App Compliance Automation Reader for all corresponding subscriptions, you could manage the compliance report as reader.
• If you don't have proper roles for any corresponding subscriptions, the compliance report isn't shown in your report list.

Use self-recovery for the failure when generating compliance assessments

ACAT routinely updates compliance assessments for your reports on a daily basis, as configured in the basic settings trigger time. If there's a failure during the update of compliance assessments, the runtime status of the compliance report is 'Failed.' While you can review the last successful compliance assessments, resolving the failure and updating new compliance assessments later requires following the provided self-recovery guidance.

Use self-recovery to resolve compliance assessments updating failures

Two primary self-recovery solutions are provided:

• One-click fix: ACAT has the capability to automatically resolve the failure on behalf your permissions.

  

  Use one-click capability to resolve the failure automatically

• Automatic validation: Follow the remediation steps to manually resolve the failure, and then request ACAT to validate again before generating compliance assessments in the next cycle.

  

  Use validation capability to verify your fix

If the aforementioned solutions don't resolve your issues, please reach out to us for further assistance by creating an Azure support ticket.