Issue
Status checks that verify the Azure Defender for Cloud streaming export is configured are failing with Allowed locations errors similar to the following.
Resource 'RedCanaryDefenderForCloudExport' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Allowed locations","id":"/providers/Microsoft.Management/managementGroups/<Name>/providers/Microsoft.Authorization/policyAssignments/<AssignmentID>"},"policyDefinition":{"name":"Allowed locations","id":"/providers/Microsoft.Authorization/policyDefinitions/<DefinitionID>","version":"1.1.0"}}]'.
Environment
Microsoft Azure Integration
Defender for Cloud (Optional Ingest Enabled)
Resolution
By default, enabling Defender for Cloud ingest within an Azure integration requires that resource creation be allowed in the tenant's East US region. When applied to subscriptions, the Allowed Locations policy must include eastus as a parameter; otherwise Red Canary's API calls to create the Defender for Cloud export fail with disallowed by policy errors, and an administrator must take action in your tenant using one of the following methods.
If your Allowed Locations policy is preventing the RCAutomation group from being created, you must manually implement one of the following workarounds: A) update the Azure Policy responsible for creating the group or B) manually create the Resource Group.
How to Update the Azure Policy to Use an Allowed Region
A user with permission to take the microsoft.policyinsights/remediations/write action at the management group scope can follow the steps below.
- From your Azure Portal, navigate to the Policy service
- Navigate to Authoring > Assignments
- Find and select the RC Automation Resource Group policy
- Click Edit Assignment
- Under Parameters, set resourceGroupLocation to your preferred Azure region
  - Use the Programmatic Name (e.g. eastus2)
- (optional) If you have any required tagging policies, set them in the resourceGroupTags field
- Click Review + Save, then Save changes
- Select Create Remediation Task and target the non-compliant subscriptions
- Click Remediate
- Once the remediation task completes, you should see a resource group called RCAutomation in each subscription
How to Manually Create the Resource Group in an Allowed Region
A user with permission to take the microsoft.resources/subscriptions/resourcegroups/write action in the failing subscription can follow the steps below.
- From your Azure portal, navigate to the Resource Groups service
- While on the Resource Groups tab, click Create
- Set Subscription based on the non-compliant subscriptions from the RC Automation Resource Group policy
  - Alternatively, refer to the subscription(s) failing the Defender for Cloud status check
- Set Resource group name to RCAutomation
- If eastus is disallowed by your Allowed Locations policy, set Region to an allowed region. Otherwise, set Region to eastus.
- (optional) If you have any required tagging policies, configure them on the Tags tab
- Click the Review + Create button
- Click Create to submit changes
- Repeat, as needed, for additional non-compliant subscriptions
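The manual procedure above, scripted with the Azure CLI so it can be repeated across several non-compliant subscriptions. This is an added example, not Red Canary's own tooling; it assumes a logged-in Azure CLI with rights to write resource groups in the target subscription, and it looks the Allowed locations assignment up by Microsoft's built-in definition id (compare it with the DefinitionID in your own error message). The RC_TAGS variable is a convention of this script only.

```shell
# Added example, not Red Canary's own tooling: read the Allowed locations
# assignment that applies to a subscription, pick a permitted region (eastus when
# allowed, otherwise the first permitted one) and create RCAutomation there.
# Assumes Azure CLI is installed and logged in with resourcegroups/write rights.
set -eu

# Microsoft's built-in "Allowed locations" definition id; confirm it matches the
# DefinitionID in your error message before relying on it.
ALLOWED_LOCATIONS_DEF='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
DEFAULT_REGION='eastus'   # region the RC Automation Resource Group policy uses by default

# pick_region "r1,r2,...": print eastus if it is in the comma-separated list
# (case-insensitive), else the first listed region; return 1 for an empty list.
pick_region() {
  first=''
  for region in $(printf '%s' "$1" | tr ',' ' '); do
    region=$(printf '%s' "$region" | tr '[:upper:]' '[:lower:]')
    [ -n "$first" ] || first=$region
    if [ "$region" = "$DEFAULT_REGION" ]; then
      printf '%s\n' "$DEFAULT_REGION"; return 0
    fi
  done
  [ -n "$first" ] || return 1
  printf '%s\n' "$first"
}

# allowed_locations SCOPE: listOfAllowedLocations from the Allowed locations
# assignment visible at SCOPE, including assignments inherited from management groups.
allowed_locations() {
  az policy assignment list --scope "$1" --disable-scope-strict-match \
    --query "[?policyDefinitionId=='$ALLOWED_LOCATIONS_DEF'].parameters.listOfAllowedLocations.value | [0]" \
    -o tsv | paste -sd, -
}

# ensure_rg SUBSCRIPTION_ID: create RCAutomation in a permitted region if missing.
# Set RC_TAGS='key=value ...' when a tagging policy requires tags on the group.
ensure_rg() {
  sub=$1
  region=$(pick_region "$(allowed_locations "/subscriptions/$sub")") \
    || { echo "no Allowed locations found for $sub" >&2; return 1; }
  if [ "$(az group exists --subscription "$sub" --name RCAutomation)" = 'true' ]; then
    echo "RCAutomation already exists in $sub"; return 0
  fi
  az group create --subscription "$sub" --name RCAutomation --location "$region" \
    ${RC_TAGS:+--tags $RC_TAGS} -o none
  echo "created RCAutomation in $region for $sub"
}
# Usage: sh rcautomation-rg.sh <subscription-id>, once per non-compliant subscription
if [ -n "${1:-}" ]; then ensure_rg "$1"; fi
```

After each run, re-check the Defender for Cloud status check; the policy remediation route above remains the cleaner option where you control the assignment.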
Cause
The Allowed Locations policy of the integrated tenant defines which regions resources can be created in and is currently configured to regions not including East US. By default, the RC Automation Resource Group policy parameters use eastus region to create the resource group. Remediation tasks for this policy will fail on subscriptions where eastus is not an allowed region, and one of the provided workarounds must be performed by an Azure administrator.