Unsuccessful Sentinel deployment with OnboardingStates and a new Subscription

Sándor Tőkési 181 Reputation points
2021-09-01T23:03:36.313+00:00

Hey there,

According to this blog post: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-new-onboarding-offboarding-api/ba-p/2640471 MS is going to decommission the old way to enable Sentinel on a Log Analytics Workspace. I have scripts working with this older method so I started to change them to utilize the new OnboardingStates. The problem is, when I try to deploy it by using my ARM template I am not successful if the Subscription is a completely new one. The old method works just fine no matter what.

But with onboardingstates I can only deploy a Sentinel if I already have another one in that subscription (don't know the exact condition I need to satisfy). My template creates a resource group, then creates a log analytics workspace in that RG and enables Sentinel on the log analytics workspace. With the old version everything is fine, with onboardingstates and a new yet untouched Subscription the RG creation works fine, the LAW creation is also successful but the Sentinel deployment runs indefinitely with an InternalServerError status.

Error code:
{
  "status": "Failed",
  "error": {
    "code": "InternalServerError",
    "message": "Internal server error"
  }
}

My template if needed (a demo one to show the problem):

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {
    "workspaceName": {
      "type": "string"
    },
    "workspaceLocation": {
      "type": "string"
    },
    "rgName": {
      "type": "string",
      "defaultValue": "new_resourcegroup",
      "metadata": {
        "description": "Name of the resource group. If there is one with this name and location then it is going to be used for Sentinel deployment"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2018-05-01",
      "location": "[parameters('workspaceLocation')]",
      "name": "[parameters('rgName')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "name": "sentinelDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', parameters('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "workspaceName": {
              "type": "string"
            }
          },
          "resources": [
            {
              "apiVersion": "2017-03-15-preview",
              "name": "[parameters('workspaceName')]",
              "location": "[resourceGroup().location]",
              "tags": {},
              "type": "Microsoft.OperationalInsights/workspaces",
              "properties": {
                "sku": {
                  "name": "pergb2018"
                }
              }
            },
            {
              "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/default')]",
              "type": "Microsoft.OperationalInsights/workspaces/providers/onboardingStates",
              "apiVersion": "2021-03-01-preview",
              "properties": {},
              "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
              ]
            }
          ]
        },
        "parameters": {
          "workspaceName": {
            "value": "[parameters('workspaceName')]"
          }
        }
      }
    }
  ]
}

Accepted answer
  1. Sándor Tőkési 181 Reputation points
    2021-11-17T21:52:20.37+00:00

    After some talking with MS support we concluded that an ARM template won't register all of the resource providers that are needed by that ARM template.
    The issue with the code was that a resource provider needed to be registered. According to various MS sites all of the resource providers needed by an ARM template are registered automatically, but again, this is not the case. So, this was the issue and according to MS this is how ARM templates work. Sometimes you just can't use them to solve a specific problem.


1 additional answer

  1. Laith Hisham 1 Reputation point Microsoft Employee
    2022-03-22T18:17:45.37+00:00

    @Sándor Tőkési
    The exception you are getting is due to the missing registration of the required RP, as it was mentioned. This is not a bug; certain Resource Providers do not have the auto-register option set, which allows registration of the RP to be done automatically when deploying a resource of that type using an ARM template. Nested RPs are part of these RPs which are not automatically registered using an ARM template (this can also be for many other reasons).
    In the specific case of Microsoft.SecurityInsights, this is the case. Microsoft.SecurityInsights is a nested RP under Microsoft.OperationalInsights (which is Log Analytics).
    You can still perform the registration of the RP for the newly created subscription either using the portal or PowerShell, see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider for more details. This operation needs to be done only once before being able to use the provider on that subscription.

    Creating Sentinel on a workspace of a newly created subscription without registering the RP would not work in any option (both the old and new way of onboarding to Sentinel).
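
The wrapper below is an added example, not code from the question, from either answer, or from Microsoft. It shows the one-time step both answers describe for a fresh subscription: check the registration state of the resource providers the template touches, register any that are missing, wait for registration to complete, and only then run the subscription-scope deployment of the template from the question. It assumes the Az PowerShell module and an already authenticated session (Connect-AzAccount); the subscription id, template file path, workspace name, location and resource group name are placeholder parameters.

```powershell
# Added example (not from the question or the answers): pre-register the
# resource providers the template needs, then deploy the template.
# Assumes the Az module and an authenticated session (Connect-AzAccount).
# All parameter values below are placeholders.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $TemplateFile      = './sentinel-demo.json',   # the template from the question, saved to disk
    [string] $WorkspaceName     = 'law-sentinel-demo',
    [string] $WorkspaceLocation = 'westeurope',
    [string] $RgName            = 'rg-sentinel-demo'
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Both namespaces the template touches. Microsoft.OperationalInsights is
# normally auto-registered by the deployment; Microsoft.SecurityInsights is
# the nested provider that is not (see the answer above), so both are checked.
$providers = @('Microsoft.OperationalInsights', 'Microsoft.SecurityInsights')

function Get-ProviderState([string] $Namespace) {
    # Get-AzResourceProvider returns one object per resource type; the
    # registration state is the same on each, so the first one is enough.
    (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState |
        Select-Object -First 1
}

foreach ($ns in $providers) {
    $state = Get-ProviderState $ns
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns (current state: $state)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Registration is asynchronous. Poll until every namespace reports
# 'Registered' so the deployment does not race the registration and fail
# with the same InternalServerError the question describes.
$deadline = (Get-Date).AddMinutes(10)
do {
    $pending = foreach ($ns in $providers) {
        if ((Get-ProviderState $ns) -ne 'Registered') { $ns }
    }
    if ($pending) { Start-Sleep -Seconds 10 }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) {
    throw "Resource providers still not registered: $($pending -join ', ')"
}

# Subscription-scope deployment of the question's template. The template
# parameters are passed as dynamic parameters of the cmdlet.
New-AzSubscriptionDeployment -Name 'sentinelDeployment' `
    -Location $WorkspaceLocation `
    -TemplateFile $TemplateFile `
    -workspaceName $WorkspaceName `
    -workspaceLocation $WorkspaceLocation `
    -rgName $RgName
```

Registering a provider requires the `*/register/action` permission on the subscription (Owner or Contributor have it), and the registration only needs to happen once per subscription, which is why it is worth keeping as a separate, idempotent step in front of the deployment rather than trying to express it inside the template.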