
I have set up the AMA firewall data connector in Azure and the associated DCR.

I've installed the agent on a test endpoint.

I've read the guidance on "Set Up the Azure Monitor Agent on Windows Client Devices - Azure Monitor | Microsoft Learn". The monitored object part is a little confusing, but I assume the Data connector has resolved this.

I then run the PowerShell script from the same page in order to register the endpoint with Azure and start feeding stats into Azure.

I open PowerShell as a local admin. When the script executes, I authenticate using an account which is the Azure Owner and pick our subscription, but the script errors:

New-AzRoleAssignment : Operation returned an invalid status code 'Conflict' - line 16 char:1

Further down, I get:

Invoke-RestMethod : {"error":{"code":"InvalidAuthenticationToken","message":"The 'EvolvedSecurityTokenService' access token is invalid."}} - line :41 char:1

For line 16 I assume the conflict is because the user is an owner and already has the role. However, if I comment out that line, I still get the "access token is invalid" error.

It was suggested that this could be a permissions issue on the subscription or resource group, but the user is the Owner on the tenant.

Can anyone suggest what could be the issue or what steps I've missed?

  • The token may have expired and you need to get a new token. Commented Jul 18 at 20:39
  • When requesting a token from Azure AD, the resource or scope parameter must match the API you're calling. If you're using Microsoft Graph, for example, the scope should be graph.microsoft.com/.default. Also, if the token was issued for a different audience (aud claim), it won't work with the EvolvedSecurityTokenService. Commented Jul 21 at 13:49
  • The token shouldn't have expired, as I get it just before I use it. Commented Jul 22 at 19:23
  • The script can be found towards the bottom of "Set Up the Azure Monitor Agent on Windows Client Devices - Azure Monitor | Microsoft Learn". I assume the Scope and the audience are correct. Commented Jul 23 at 19:04
  • Can you please share your PowerShell code instead of just the error message? See minimal reproducible example. Commented Jul 27 at 14:53

1 Answer

For the conflict error, you can remove or comment out this line:

    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

If you're using the latest version of the Az PowerShell modules, the Token property returned by Get-AzAccessToken is now a SecureString. You need to update the script from Microsoft accordingly.

Replace:

    $auth = Get-AzAccessToken
    $AuthenticationHeader = @{
        "Content-Type"  = "application/json"
        "Authorization" = "Bearer " + $auth.Token
    }

With:

    $auth = Get-AzAccessToken
    $AuthenticationHeader = @{
        "Content-Type"  = "application/json"
        # ConvertFrom-SecureString -AsPlainText requires PowerShell 7.0 or later
        "Authorization" = "Bearer " + $(ConvertFrom-SecureString $auth.Token -AsPlainText)
    }

EDIT - my contribution to the documentation was accepted, so the official docs now include this logic, as well as a check for the already granted permissions:

Set Up the Azure Monitor Agent on Windows Client Devices - Azure Monitor | Microsoft Learn
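The following is an added example (not the answer's code and not Microsoft's script) that puts the two fixes from the answer into reusable form: a header builder that accepts the Token property whether it is a plain string (older Az.Accounts) or a SecureString (newer Az.Accounts), an idempotent version of the root-scope Owner assignment that checks for an existing assignment before calling New-AzRoleAssignment, and a small JWT payload decoder so you can confirm the token's aud and exp claims before sending it, which is the first thing to check when you see InvalidAuthenticationToken. It assumes Az.Accounts and Az.Resources are installed, that Connect-AzAccount has already been run, and that the REST call in the script targets the ARM endpoint https://management.azure.com/ (an assumption; adjust -ResourceUrl to whatever resource the script actually calls). The function names are hypothetical.

```powershell
# Added example: not part of the original answer or of Microsoft's script.
# Assumes Az.Accounts / Az.Resources are installed and Connect-AzAccount has run.

function ConvertTo-BearerHeader {
    # Builds the header hashtable the script expects, regardless of Az.Accounts version.
    param(
        [Parameter(Mandatory)] $Token   # [string] on older Az, [SecureString] on newer Az
    )
    if ($Token -is [System.Security.SecureString]) {
        # NetworkCredential works on both Windows PowerShell 5.1 and PowerShell 7;
        # ConvertFrom-SecureString -AsPlainText needs PowerShell 7.0+.
        $plain = [System.Net.NetworkCredential]::new('', $Token).Password
    } else {
        $plain = [string]$Token
    }
    return @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer $plain"
    }
}

function Get-JwtClaims {
    # Decodes the (unverified) payload of a JWT so you can inspect aud/exp locally.
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')  # base64url -> base64
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Grant-RootOwnerIfMissing {
    # Avoids the 'Conflict' error: only assign Owner at '/' if it is not already assigned.
    param([Parameter(Mandatory)][string]$ObjectId)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope '/' -RoleDefinitionName 'Owner' `
        -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Owner at '/' is already assigned to $ObjectId; skipping."
        return $existing
    }
    return New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $ObjectId
}

# --- usage, mirroring the flow of Microsoft's script ---
$user = Get-AzADUser -SignedIn
Grant-RootOwnerIfMissing -ObjectId $user.Id | Out-Null

# -ResourceUrl is assumed to be ARM here; use the resource the script's REST calls actually hit.
$auth = Get-AzAccessToken -ResourceUrl 'https://management.azure.com/'
$AuthenticationHeader = ConvertTo-BearerHeader -Token $auth.Token

# Sanity-check the token before the Invoke-RestMethod calls: audience must match the
# API you call and exp must be in the future.
$claims = Get-JwtClaims -Jwt ($AuthenticationHeader['Authorization'] -replace '^Bearer ', '')
$expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
Write-Host ("aud={0}  exp(UTC)={1}  expired={2}" -f $claims.aud, $expiry, ($expiry -lt [DateTime]::UtcNow))
```

If aud does not match the host you are calling (for example, the token was minted for Graph but sent to ARM), you get exactly the "access token is invalid" response from the question even though the token is fresh; in that case fix -ResourceUrl rather than the header code.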
