Cannot enable UEBA feature on Sentinel

Alberto Barrado Jiménez 5 Reputation points
2024-11-06T12:02:39.82+00:00

Hi,

I'm having some issues while trying to enable the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". I've seen 2 questions related to this issue but unfortunately there were no successful solutions. Here's a screenshot:

I have the following setup:

  • Guest account implemented through B2B architecture.
  • Global Admin role
  • User access admin role in the subscription
  • Owner role in the resource group where Sentinel is hosted

Do you know any solution for this or the cause?

Thanks in advance for your help.


2 answers

  1. Givary-MSFT 33,861 Reputation points Microsoft Employee
    2024-11-07T05:39:32.2633333+00:00

    @Alberto Barrado Jiménez Thank you for reaching out to us. As I understand, you are trying to enable the UEBA feature on Sentinel. As per this documentation, the requirements to enable or disable this feature are below:

    1. The user must be assigned the Microsoft Entra ID Security Administrator role in your tenant or the equivalent permissions. Global admin privilege might not help; add the Security Administrator role and verify the outcome.
    2. The user must be assigned at least one of the following Azure roles: Microsoft Sentinel Contributor at the workspace or resource group levels, or Log Analytics Contributor at the resource group or subscription levels.

    I would recommend checking the above-mentioned prereqs; let me know if this helps or not.


  2. Andrew Blumhardt 9,866 Reputation points Microsoft Employee
    2024-11-11T19:41:57.87+00:00

    Can I assume you are trying to enable UEBA while using a guest account? GA and RG owner would certainly be adequate credentials, though there are some actions that cannot be delegated to an external account like a guest account or Lighthouse. Are you able to try this from a tenant-local account? I don't have a specific list of limitations; possibly it is in the Lighthouse documentation.

    https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#member-and-guest-users
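
An added example, not part of either answer: a small offline checker that applies the role and scope prerequisites listed in the first answer and flags the guest-account condition raised in the second. The `roleDefinitionName` and `scope` fields follow the output of `az role assignment list`; the `directoryRoles` key, the input layout and all IDs are constructed assumptions, and only the named roles are checked, not "equivalent permissions".

```python
# Constructed workspace resource ID (placeholder values, not from the thread).
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/rg-sentinel/providers"
             "/Microsoft.OperationalInsights/workspaces/law-sentinel")
RG = WORKSPACE.split("/providers/")[0]
SUB = RG.split("/resourceGroups/")[0]

ENTRA_ROLE = "Security Administrator"
# Azure role -> scope levels the first answer accepts for it.
AZURE_ROLES = {
    "Microsoft Sentinel Contributor": {"workspace", "resourceGroup"},
    "Log Analytics Contributor": {"resourceGroup", "subscription"},
}

def scope_level(scope, workspace=WORKSPACE):
    """Level of a scope that covers the workspace, else None."""
    s, w = scope.rstrip("/").lower(), workspace.lower()
    if s != w and not w.startswith(s + "/"):
        return None
    segments = len(s.strip("/").split("/"))
    return {2: "subscription", 4: "resourceGroup", 8: "workspace"}.get(segments)

def check_ueba_prereqs(user, workspace=WORKSPACE):
    """Return a list of findings; an empty list means the named prerequisites are met."""
    findings = []
    if ENTRA_ROLE not in user["directoryRoles"]:
        findings.append("missing Entra role: " + ENTRA_ROLE)
    if not any(scope_level(a["scope"], workspace)
               in AZURE_ROLES.get(a["roleDefinitionName"], ())
               for a in user["roleAssignments"]):
        findings.append("missing Azure role at an accepted scope")
    if user.get("userType") == "Guest":
        findings.append("guest account: retry from a tenant-local account")
    return findings

# Constructed input mirroring the question's setup.
ASKER = {
    "userType": "Guest",
    "directoryRoles": ["Global Administrator"],
    "roleAssignments": [
        {"roleDefinitionName": "User Access Administrator", "scope": SUB},
        {"roleDefinitionName": "Owner", "scope": RG},
    ],
}

if __name__ == "__main__":
    for finding in check_ueba_prereqs(ASKER):
        print(finding)
```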

