Skip to main content
Go to Red Canary Documentation
Red Canary Support

Azure Integration Fails to Save With "Unable to Access Subscription" Error

  • Updated .

Issue

When attempting to click Save on Azure integration configuration, the changes are not saved and a banner at the top of the page shows an error similar to the following.

Log Analytics Workspace ID Unable to access Subscription associated with the Log Analytics Workspace
Unable to access Subscription error

Environment

Azure Integration

Resolution

Check for an in-progress remediation task for the Enforce Lighthouse on subscriptions policy definition on the subscription hosting your Log Analytics Workspace.

  1. From your Azure portal, navigate to the Policy service
  2. Navigate to the Remediation tab and select Remediation Tasks
  3. Search for a remediation task for the Enforce Lighthouse on subscriptions policy definition on the subscription named in the Log Analytics Resource ID in Step 3b. of your Azure integration config 
  4. If the remediation task is evaluating or in-progress, wait for it to complete before clicking Save on the integration config in Red Canary Portal
  5. If the remediation task failed or was not run, create a new remediation task for the subscription
How to Create a New Remediation Task

If needed, a user with permission to take the microsoft.policyinsights/remediations/write action at the management group scope can follow the steps below to issue a new remediation task.

  1. From your Azure portal, navigate to the Policy service
  2. Navigate to the Compliance tab and search for RC Log Ingest
  3. Click into the policy and select Create Remediation Task
  4. Set Scope to root management group
  5. Choose Select specific resources to remediate
  6. Check the Subscription from Step 3b. of your integration config
  7. Click the Remediate button

Once remediated, the subscription should be visible in the Lighthouse service in Azure under View Service Provider Offers > Delegations in association with the Red Canary - Azure Log Ingest service provider offering.

Whether remediated by policy or manually added in Lighthouse, the Red Canary - Azure Log Ingest service provider offering must be applied to the subscription hosting your Log Analytics Workspace before clicking Save in the Red Canary Portal, as this delegation is what grants Red Canary access to the resource.

Cause

The Subscription ID named in the Log Analytics Resource ID in Step 3b. of the integration config is non-compliant with the RC Log Ingest policy in your Azure tenant.  This policy enforces a Lighthouse delegation on the subscription that grants Red Canary access to the Log Analytics Workspace, among other permissions.