Integrating Microsoft Sentinel with Microsoft Defender XDR

Anand Rao Nednur 0 Reputation points
2024-04-29T08:54:17.4333333+00:00

I am trying to integrate Microsoft Sentinel and Defender XDR.

So here are the steps I have done so far.

  1. Log Analytics created.
  2. Sentinel attached to the workspace.
  3. Enabled the Defender connector.
  4. After enabling the connector, I have enabled connection for incidents and alerts.
  5. Also connected a few events.

All these activities were done by a user who has GA and Security Administrator rights.

Now, when I log into security.microsoft.com and connect the workspace to Microsoft Defender, I get this error.

A screenshot has also been attached. It's the image called S1.

S1

I then navigated to settings in Microsoft defender -> Sentinel -> Found the workspace then tried to connect. A different error message here.

Failed to assign roles to subscription: The content of your request was not valid, and the original object could not be deserialized. Exception message: 'Required property 'principalId' expects a value but got null. Path 'properties', line 1, position 240.'

A screenshot with image name S2 is attached. S2

Any ideas will be really helpful.

Thank you


2 answers

  1. Marilee Turscak-MSFT 34,626 Reputation points Microsoft Employee
    2024-04-29T23:04:14.9733333+00:00

    Hi @Anand Rao Nednur ,

    I understand that you are receiving the error, "Couldn't connect the workspace" and "Failed to assign roles to subscription."

    In order to assign RBAC roles to a subscription, you need to be logged in with an account that has Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator. Note also that to enable Sentinel, the account needs to have Contributor permissions on the subscription where the workspace resides.

    If the permissions are set correctly and you are still seeing issues with the workspace connector, I would recommend disconnecting and reconnecting the Defender XDR connector and trying again.

    I've also looped in a colleague from the Sentinel team to look into your request since I was unable to find documentation for those specific errors. I'll update this thread as I have more information.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.


  2. Anand Rao Nednur 0 Reputation points
    2024-05-06T08:14:36.6233333+00:00

    Thanks for your quick response.

    The permissions granted to the logged-in user are at the root level. Being an Owner and also Microsoft Sentinel Contributor, I assumed this should be sufficient. I also added in the Security Administrator role and tried.

    I have, however, noticed that an app called Microsoft Threat Protection automatically gets added to the role assignment section at the subscription level and the Microsoft Sentinel Contributor role gets assigned to it. This seems to be the behaviour of the integration setup. (I have removed the role (to test this) and reran the integration procedure; the role gets added again.)

    I then navigated to Activity logs at the subscription level and noticed a ton of errors.

    Here is the message from the error:

    The content of your request was not valid, and the original object could not be deserialized. Exception message: 'Required property 'principalId' expects a value but got null. Path 'properties', line 1, position 240.'

    I then created another Log Analytics, onboarded Sentinel, loaded the XDR connector, and tried connecting to the workspace via security.microsoft.com. I could replicate the issue.

    Thank you for any possible hints / direction.

    Anand
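
The permission requirement named in the first answer (`Microsoft.Authorization/roleAssignments/write`), as an added example that is not part of the original thread: it evaluates role definitions the way Azure RBAC does (a role grants an operation when an `actions` pattern matches and no `notActions` pattern excludes it; assigned roles add up). The role definitions are abbreviated sample data in the shape of `az role definition list` output, and the function names are hypothetical.

```python
import re

# Abbreviated built-in role definitions (sample data, trimmed for this example;
# compare with `az role definition list --name "<role>"` in your tenant).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
}

NEEDED = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, operation: str) -> bool:
    """RBAC patterns: '*' spans any characters; comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Allowed when some action matches and no notAction excludes it."""
    allowed = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return allowed and not excluded


def roles_granting(assigned: list[str], operation: str = NEEDED) -> list[str]:
    """Names of the assigned roles that grant `operation`.

    notActions only narrow the role they belong to, so each role is judged
    on its own. Role names missing from ROLES are skipped.
    """
    return [n for n in assigned if n in ROLES and role_allows(ROLES[n], operation)]


if __name__ == "__main__":
    for assigned in (["Contributor"], ["Contributor", "User Access Administrator"]):
        print(assigned, "->", roles_granting(assigned) or "cannot write role assignments")
```

Contributor alone covers the workspace operations but is excluded from writing role assignments, which is why the answer lists the two requirements separately.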