Cannot enable UEBA feature on Sentinel

Question

Cannot enable UEBA feature on Sentinel

Alberto Barrado Jiménez 5

Hi,

I'm having some issues while trying to enable the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". I've seen 2 questions related to this issue but unfortunately there were no successful solutions. Here's a screenshot:
{EFDAE067-FA89-458D-82E5-A754A25E8206}

I have the following setup:

Guest account implemented through B2B architecture.
Global Admin role
User access admin role in the subscription
Owner role in the resource group where Sentinel is hosted

Do you know any solution for this or the cause?

Thanks in advance for your help.

Hain Joseph 0 Reputation points

2024-11-11T11:54:19.7233333+00:00

Hi @Alberto Barrado Jiménez did you resolve the issue? if you, can you please tell me what is the solution?

2 answers

Your answer

Hain Joseph 0 Reputation points

2024-11-11T11:54:19.7233333+00:00

Hi @Alberto Barrado Jiménez did you resolve the issue? if you, can you please tell me what is the solution?

Answer 1

Andrew Blumhardt 10,071 Microsoft Employee

Can I assume you are trying to enable UEBA while using a guest account? GA and RG owner would certainly be adequate credentials. Though there are some actions that cannot be delegated to an external account like guest account or Lighthouse. Are you able to try this from a tenant local account? I don't have a specific list of limitations, possibly in the Lighthouse documentations.

https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#member-and-guest-users

Answer 2

Givary-MSFT 35,771 Microsoft Employee Moderator

@Alberto Barrado Jiménez Thank you for reaching out to us, As I understand you are trying to enable UEBA feature on Sentinel. As per this documentation to enable or disable this feature below are the requirements

user must be assigned to the Microsoft Entra ID Security Administrator role in your tenant or the equivalent permissions, Global admin privilege might not help, add the security administrator role and verify the outcome.
user must be assigned at least one of the following Azure roles - Microsoft Sentinel Contributor at the workspace or resource group levels or Log Analytics Contributor at the resource group or subscription levels.

Would recommend checking the above mentioned prereqs and let me know if this helps or not.

Alberto Barrado Jiménez 5 Reputation points

2024-11-07T11:28:00.9166667+00:00
Hi Givary,

Thanks for the reply. Sorry, I didn't include that I have all these roles already in the tenant and resource group level, including the following:

Security Admin

Security Operator

Logic App Contributor

Logic App Operator

Sentinel Responder

Sentinel Contributor

Sentinel Automation Contributor

Sentinel Playbook Operator

As the Global Admin role was more privileged than those, I thought those roles were relevant, sorry.

With all these roles assigned, it's still not working.
Givary-MSFT 35,771 Reputation points Microsoft Employee Moderator

2024-11-07T12:48:32.74+00:00

@Alberto Barrado Jiménez lets connect offline to discuss on this,

Link to this thread/post

We can connect offline and discuss further on this.
Givary-MSFT 35,771 Reputation points Microsoft Employee Moderator

2024-11-07T14:21:03.9766667+00:00

@Alberto Barrado Jiménez Came across this QnA post - https://learn.microsoft.com/en-us/answers/questions/1410207/cannot-enable-ueba-feature-on-microsoft-sentinel which might help,
Givary-MSFT 35,771 Reputation points Microsoft Employee Moderator

2024-11-10T12:00:50.52+00:00

@Alberto Barrado Jiménez If the issue still persists, lets connect offline to troubleshoot further on the same.

Share via

Cannot enable UEBA feature on Sentinel

2 answers

Your answer