Issue
Status checks for Azure Defender for Cloud streaming export is configured are failing with subscription is not registered to use namespace errors similar to the following.
The subscription is not registered to use namespace 'Microsoft.Security'. See https://aka.ms/rps-not-found for how to register subscriptions.
Environment
Microsoft Azure Integration
Defender for Cloud (Optional Ingest Enabled)
Resolution
To resolve this error message, follow the steps below for each failing subscription.
- From your Azure portal, navigate to the Subscriptions service
- Select the failing subscription
- Navigate to Settings > Resource Providers
- Find and select the Microsoft.Security provider
- Click Register to permit creation of Microsoft.Security resources
- The subscription should show as Registered once complete
- Repeat, as needed, for any additional subscriptions failing with this error
Cause
Each registered resource provider in Azure defines the types of resources that can be deployed within a given Azure subscription.
In order to ingest Defender for Cloud alerts, Red Canary uses the Azure API to programmatically attempt to create a hidden Microsoft.Security/automations resource within the RCAutomation resource group under each subscription in the integrated Azure tenant.
If the Microsoft.Security resource provider hasn't been registered for the failing subscription, the Azure API will return a MissingSubscriptionRegistration error and Red Canary will be unable to create the automation object to export alerts from that subscription.