
azts-docs's People

Contributors

aakashpahwa, aakashpahwa-msft, abhikash01, aboli-msft, aditi-sha, asimks, dassayantan1, echumley-msft, freyamehta-msft, gvaradarajan-msft, harshitarora8, jaiswalricha, ksatya2611, mjaithra, msft-chirag, pranchalsomani, ritika-msft, rohityadav-msft, saurabhgautam-msft, sbyna-ms, siniki, tarunkrshukla, v-rahkuma, vaishnavipulluri, vaishnaviraopulluri, vamseeinala, vishalhaibatpure1, ziaahmad-pm


azts-docs's Issues

Failed to fetch

After configuring a custom URL and adding the redirect URL to the correct application, we receive the error below:

image

Initial setup

Hello,

This popped up during the last step of the initial setup, while executing Install-AzSKTenantSecuritySolution:

Code : InvalidTemplate
Message : Deployment template validation failed: 'The template reference '98d01f3f-4a45-4eb8-99ba-29637d9f7f27' is not valid: could not find template resource or resource copy with this
name. Please see https://aka.ms/arm-function-reference for usage details.'.

Deploying in multiapp not onboarding

I have followed all the steps to create the app, give permissions and so on; finally I used Postman to onboard the subscription, which returned a 200 OK, but after waiting 72h I cannot see anything in the UI app. What is going wrong? Is it possible to get a log or something similar to dig deeper?

Error in initial setup

Hello,

While using "Method-B" I am getting the following error message:

VERBOSE: 12:26:58 PM - Resource Microsoft.Web/sites/Extensions 'AzSK-AzTS-MetadataAggregator-31af7/MSDeploy' provisioning status is succeeded
Template deployment returned following errors: [12:26:58 PM - The deployment 'AzTSenvironmentsetup-20242529T122537' failed with error(s). Showing 3 out of 9 error(s).
Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7/slots/Staging-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

Status Message: The Resource 'Microsoft.Web/sites/AzSK-AzTS-UI-31af7' under resource group 'AZTS' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

CorrelationId: 68d7a0f8-cbff-4591-b773-9ee1d49034c6].

Log file content

================================================================================
Method Name: Install-AzSKTenantSecuritySolutionConsolidated
Input Parameters:
Key Value


ScanningIdentityHostSubId 00000000000
ScanningIdentityHostRGName AZTS
ScanningIdentityName AZTS
SubscriptionId 00000000000
ScanHostRGName AZTS
Location eastus2
TargetSubscriptionIds {00000000000
SendAlertNotificationToEmailIds {00000000000}

================================================================================
Starting Azure Tenant Security Solution installation. This may take 5 mins...
This command will perform following major steps. It will:

[0] Validate and install required Az modules (Optional)
[1] Setup central scanning managed identity
[2] Create Azure AD application for secure authentication (Optional)
[3] Setup infra resources and schedule daily security control scan on target subscriptions

================================================================================


Step 1.A: Set up scanning identity.

Setting up Azure Tenant Security scanner identity...

Resource id and principal Id generated for user identity:/resourcegroups/AZTS/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AZTS


Step 1.B: Grant Graph permissions to scanning identity.

Skipped: Graph permissions not granted to scanner identity.
** Next steps **
Use Grant-AzSKGraphPermissionToUserAssignedIdentity command to grant graph permission to this scanner identity. This permission will be required to read data in your organization's directory such as Privileged Identity Management (PIM), users, groups and apps details.


================================================================================

Step 2: Setup AD application for AzTS UI and API.

Skipped: This step has been skipped as AzTS UI is not enabled for the setup.

================================================================================

Step 3.A: Install AzTS setup.

Started setting up Azure Tenant Security Solution...
Error occurred during deployment of AzTS components in subscription.

Command executed

# SREEmailIds: Email Ids of Site Reliability Engineers or Users who should receive monitoring alerts
$DeploymentResult = Install-AzSKTenantSecuritySolutionConsolidated -ScanningIdentityHostSubId "" `
    -ScanningIdentityHostRGName 'AZTS' -ScanningIdentityName 'AZTS' `
    -SubscriptionId '' -ScanHostRGName 'AZTS' `
    -Location 'eastus2' -SubscriptionsToScan @("3") `
    -SREEmailIds @("<email-id>") -GrantGraphPermissionToScanIdentity:$true `
    -GrantGraphPermissionToInternalIdentity:$true -SetupAzModules `
    -AzureEnvironmentName AzureCloud -EnableAutoUpdates `
    -EnableAzTSUI `
    -Verbose

UI client secret expired

Hi,
We have an issue with our implementation of AzTS in that when loading the UI we get the error “Compliance summary not available.”
Network logs show that there is a 404 when sending a POST to the webapi endpoint /subscription/SubscriptionComplianceSummary.

Additionally, in the AutoUpdater logs there is an exception saying that the secret for the UI has expired. I'm not sure if this is related.
I can see that the app registration secret has expired but not sure what needs to be done if it is manually renewed.

Lastly, the [email protected] address is bouncing :)

Thanks.

Initial set up

Hi, during initial setup I got this error. I used method A. When I ran the last command, $DeploymentResult = Install-AzSKTenantSecuritySolution ........, it gave this error:

VERBOSE: 10:41:13 PM - Checking deployment status in 5 seconds
Template deployment returned following errors: [10:41:19 PM - The deployment 'AzTSenvironmentsetup-20243914T103937' failed with error(s). Showing 1 out of 1 error(s).
Status Message: Package deployment failed ARM-MSDeploy Deploy Failed: 'Microsoft.Web.Deployment.DeploymentClientServerException: An error was encountered when processing operation 'Create File' on 'C:\home\site\wwwroot\appsettings.json'. ---> Microsoft.Web.Deployment.DeploymentException: The error code was 0x80070002. ---> System.IO.FileNotFoundException: Could not find file 'C:\home\site\wwwroot\appsettings.json'.
at Microsoft.Web.Deployment.NativeMethods.RaiseIOExceptionFromErrorCode(Win32ErrorCode errorCode, String maybeFullPath)
at Microsoft.Web.Deployment.FileStreamEx.CreateInstance(String path, FileMode fileMode, FileAccess fileAccess, FileShare fileShare, Nullable`1 fileLength)
at Microsoft.Web.Deployment.FilePathProviderBase.Add(DeploymentObject source, Boolean whatIf)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Microsoft.Web.Deployment.FilePathProviderBase.HandleKnownRetryableExceptions(DeploymentBaseContext baseContext, Int32[] errorsToIgnore, Exception e, String path, String operation)
at Microsoft.Web.Deployment.FilePathProviderBase.Add(DeploymentObject source, Boolean whatIf)
at Microsoft.Web.Deployment.DeploymentObject.AddChild(DeploymentObject source, Int32 position, DeploymentSyncContext syncContext)
at Microsoft.Web.Deployment.DeploymentSyncContext.HandleAddChild(DeploymentObject destParent, DeploymentObject sourceObject, Int32 position)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncDirPathChildren(DeploymentObject destRoot, DeploymentObject sourceRoot)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildren(DeploymentObject dest, DeploymentObject source)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildrenNoOrder(DeploymentObject dest, DeploymentObject source)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildren(DeploymentObject dest, DeploymentObject source)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildrenOrder(DeploymentObject dest, DeploymentObject source)
at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildren(DeploymentObject dest, DeploymentObject source)
at Microsoft.Web.Deployment.DeploymentSyncContext.ProcessSync(DeploymentObject destinationObject, DeploymentObject sourceObject)
at Microsoft.Web.Deployment.DeploymentObject.SyncToInternal(DeploymentObject destObject, DeploymentSyncOptions syncOptions, PayloadTable payloadTable, ContentRootTable contentRootTable, Nullable`1 syncPassId, String syncSessionId)
at Microsoft.Web.Deployment.DeploymentObject.SyncTo(DeploymentProviderOptions providerOptions, DeploymentBaseOptions baseOptions, DeploymentSyncOptions syncOptions)
at Microsoft.Web.Deployment.DeploymentObject.SyncTo(String provider, String path, DeploymentBaseOptions baseOptions, DeploymentSyncOptions syncOptions)
at Microsoft.Web.Deployment.DeploymentObject.SyncTo(DeploymentWellKnownProvider provider, String path, DeploymentBaseOptions baseOptions, DeploymentSyncOptions syncOptions)
at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.Deploy(String deploymentSite, String siteSlotId, Boolean doNotDelete) in C:\__w\1\s\src\hosting\wdeploy\Microsoft.Web.Deployment.WebApi\AppGalleryPackage.cs:line 343
at Microsoft.Web.Deployment.WebApi.DeploymentController.<DownloadAndDeployPackage>d__25.MoveNext() in C:\__w\1\s\src\hosting\wdeploy\Microsoft.Web.Deployment.WebApi\Controllers\DeploymentController.cs:line 492' (Code:Failed)
CorrelationId: 4f760e3f-095a-4c56-bd8c-e26c037bb030].
VERBOSE: 22:41:19 - Starting function app(s)...
VERBOSE: 22:41:28 - Started function app(s): AzSK-AzTS-WorkItemProcessor-f89f3,
AzSK-AzTS-AutoUpdater-f89f3, AzSK-AzTS-MetadataAggregator-f89f3
VERBOSE: 22:41:28 - Stopping app service slot after updating the slot. This is
required as an inactive slot cannot be updated.
VERBOSE: 22:41:31 - Stopped app service slot(s): AzSK-AzTS-UI-f89f3/Staging-f89f3

How do I fix this?

Subnet Exclusion from NSG control doesn't include AzureFirewallManagementSubnet

The following control is missing an excluded item:
https://github.com/azsk/AzTS-docs/blob/main/Control%20coverage/Feature/VirtualNetwork.md#azure_vnet_netsec_configure_nsg

According to the MS docs, the AzureFirewallManagementSubnet includes an intrinsic NSG that is not directly manageable or visible. Therefore, that subnet cannot be associated with an NSG.
https://github.com/Azure/PSRule.Rules.Azure/blob/main/docs/en/rules/Azure.VNET.UseNSGs.md#description

The subnets to exclude should also include this NSG like this:
"SubnetsToExcludeFromEvaluation": [
"azurefirewallsubnet",
"azurefirewallmanagementsubnet",
"gatewaysubnet",
"routeserversubnet"
]

Scan on sub is taking time to complete

Hi All,

We have submitted a scan for our subscription, but it is taking more time than expected to complete. Also, we are unable to find the number of controls passed or failed.

Kindly look into the issue. Thanks.

AzTs_Scan

Latest/Stable WebAPI package not available

During the last few weeks I've had the opportunity to dive deeper into AzTS and how we can use it to assess Azure platforms.
Therefore I've been installing the solution on quite a few tenants by now (first one dating back to 10th of April 2024).

At first everything went pretty smooth (thanks to the extensive documentation), but starting approximately 17th of April I suddenly started having trouble when trying to deploy a new AzTS solution including the UI. Every required resource was being deployed correctly, up to the App Service for the WebAPI. When looking at the console output and deployment logs in Azure the issue was a failing 'MSDeploy' of the Microsoft.Web/sites/extensions resource.

Raw operational error for the sake of completeness:

{"code":"Failed","message":"Failed to download package.\r\nARM-MSDeploy Deploy Failed: 'System.AggregateException: One or more errors occurred. ---&amp;gt; System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n   at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)\r\n   --- End of inner exception stack trace ---\r\n   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)\r\n   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)\r\n   at System.Threading.Tasks.Task.Wait(TimeSpan timeout)\r\n   at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.&amp;lt;Download&amp;gt;d__17.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\AppGalleryPackage.cs:line 196\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.&amp;lt;Download&amp;gt;d__15.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\AppGalleryPackage.cs:line 93\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.DeploymentController.&amp;lt;DownloadPackageAndSettings&amp;gt;d__27.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\Controllers\\DeploymentController.cs:line 622\r\n--- End of stack trace from 
previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.DeploymentController.&amp;lt;DownloadAndDeployPackage&amp;gt;d__25.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\Controllers\\DeploymentController.cs:line 489\r\n---&amp;gt; (Inner Exception #0) System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n   at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)&amp;lt;---\r\n'\r\nFailed to download package.\r\nARM-MSDeploy Deploy Failed: 'System.AggregateException: One or more errors occurred. ---&gt; System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n   at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)\r\n   --- End of inner exception stack trace ---\r\n   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)\r\n   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)\r\n   at System.Threading.Tasks.Task.Wait(TimeSpan timeout)\r\n   at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.&lt;Download&gt;d__17.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\AppGalleryPackage.cs:line 196\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.&lt;Download&gt;d__15.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\AppGalleryPackage.cs:line 93\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.DeploymentController.&lt;DownloadPackageAndSettings&gt;d__27.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\Controllers\\DeploymentController.cs:line 622\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Web.Deployment.WebApi.DeploymentController.&lt;DownloadAndDeployPackage&gt;d__25.MoveNext() in C:\\__w\\1\\s\\src\\hosting\\wdeploy\\Microsoft.Web.Deployment.WebApi\\Controllers\\DeploymentController.cs:line 489\r\n---&gt; (Inner Exception #0) System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n   at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)&lt;---\r\n'"}

After taking a (pretty deep) dive into the deployment templates and scripts in the provided DeploymentFiles I noticed there's a class 'CentralPackageInfo' in AzTSSetup.ps1 which constructs the package URLs used during the Function app and App Service deployment. This class uses the https://aka.ms/AzTS/CentralPackageURL (shortened version of https://azts.microsoft.com/azsk-ats-packages/AzTS.Package.Versions.json) to build the actual URLs. While the latest versions of the MetadataAggregator, WorkItemProcessor and UI zip packages are readily available, the blob of the latest version of the WebApi package seems to be unavailable (404) during the last few weeks. Previous versions however do seem to be available.

For clarity:

For now I've been able to work around it by temporarily hardcoding the WebApiPackageURL of the deployment template parameters. However, I'm assuming everybody who's trying to deploy a new AzTS solution and wanting to enable the UI or REST API will stumble upon this.

Connectivity issue between Azure Function Apps and Application Insights over Private link scope

The AzTS VNet integrated setup architecture ensures that all critical resources that are part of the AzTS setup (storage, function apps, Log Analytics workspace, etc.) are not accessible over the public internet. Currently we are observing an issue with connectivity between Azure Function Apps (via authorized private networks) and Application Insights over Private Link scope. The AzTS VNet integrated setup is not working as expected due to this.

Subscription not showing right away

I was just granted access to a subscription, but I'm not seeing it show up in the list in the tool. Is there a way to force my newly accessible subscription to be listed for scanning?

What command(s) do I run in the place of Set-AzSKPIMConfiguration in order to activate my PIM roles via script?

Cross posting here as AzTS has been stated as the AzSK replacement; however, I'm still struggling to figure out which command(s) I should switch to.

I have been using

Set-AzSKPIMConfiguration -ResourceGroupName $ResourceGroupName -RoleName $RoleName -DurationInHours $Duration -Justification $Reason -SubscriptionId $subscriptionId -ActivateMyRole -ErrorAction Stop

to activate my PIM roles via script as it has always been quicker than via the portal.

Now that I've discovered that AzSK was sunset last year, I am trying to figure out what module/command I need to migrate to. Unfortunately, there doesn't seem to be much in the way of migration documentation.

Can anyone point me in the right direction of what command(s) I should be using now in order to accomplish this task?

MMA Removal Utility issue

Hello,

I am interested in using the "MMA Removal Utility" to finish our MMA to AMA migration.

Unfortunately, I have a few issues.

I am working in a lab, and use Azure DevOps with pipelines and an SP with ownership on a reduced scope.
So far, I succeeded in installing and running the discovery (using method B, with ConsolidatedSetup).
But the dashboard still has some "error retrieving data" tiles, and the "Inventory_CL" table does not exist in the Log Analytics Workspace.
(Only InventoryProcessingStatus_CL exists as a custom table.)

The scope is made of 6 VMs, 5 shut down, 1 running.

If I check the logs of the function "AzTS_04_VMInventoryCollectionScheduler", there are only succeeded entries.

What do you recommend?

Thanks in advance for your help.

Suggested patch to function SendCustomAIEvent in AzTSSetup.ps1

I would kindly like to suggest a modification to the file AzTSSetup.ps1 that is part of the AzTS solution. I’d submit a proper pull request, but the file AzTSSetup.ps1 is only visible to me within the zip file https://github.com/azsk/AzTS-docs/blob/main/TemplateFiles/DeploymentFiles.zip.

Currently on line 543 there is the following:
$AssemblyPath = Get-ChildItem -Path "$($env:USERPROFILE)\Documents\WindowsPowerShell\Modules\Az.Accounts" -Filter "Microsoft.ApplicationInsights.dll" -Recurse

I suggest that it should be changed to this:
$AssemblyPath = Get-ChildItem -Path (Get-Item (Get-Module Az.Accounts).Path).DirectoryName -Filter "Microsoft.ApplicationInsights.dll" -Recurse

This finds the path where the currently loaded module Az.Accounts was actually loaded from, instead of looking for the module only under $env:USERPROFILE in a hard-coded subdirectory.

AzTS-UI does not load: undefined 'azureADAuthURL'

AzTS-UI Issue

Issue

The AzTS-UI fails to load. On opening the Developer Tools (Ctrl + Shift + I) the Console gives the following error:

Uncaught TypeError: Cannot read properties of undefined (reading 'azureADAuthURL')

Validation

The issue can be validated by visiting the App Service Editor of the App Service associated with the AzTS-UI. This can be accessed using the link https://azsk-azts-ui-xxxxx.scm.azurewebsites.net/dev (replace xxxxx with the actual code), provided you have access.
In the WWWROOT folder, confirm that the file runtime-configuration-initial.js is not present.

Remediation

The issue is caused by a missing file, runtime-configuration-initial.js, in the app service:

  1. Go to the App Service Editor, and create a New File named runtime-configuration-initial.js.

  2. Add the following content and save the file:

    window.__UI_CONFIGURATION_INITIAL__ = {
        "tenantId": "<uuid-of-the-tenant-hosting-the-solution, Example: 12345678-1234-1234-1234-1234567890ab>",
        "webAPI": "<URL of the API, Example: https://<web-api-name>.azurewebsites.net>",
        "clientId": "<uuid-of-web-ui, Example: 12345678-1234-1234-1234-1234567890ab>",
        "apiClientId": "<uuid-of-web-api, Example: 12345678-1234-1234-1234-1234567890ab>",
        "azureADAuthURL": "<active-directory-authentication-url, Example: https://login.microsoftonline.com>"
    };
    
    window.__UI_CONFIGURATION_EXTENDED__ = {};
    
  3. Reload the url of the AzTS-UI in the browser. The issue should now be resolved.


If the issue still persists, please reach out to [email protected] with the details/screenshot of the error.
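As an added example (not code from the AzTS project or the original post), the loader below reads the same window.__UI_CONFIGURATION_INITIAL__ object that runtime-configuration-initial.js defines and reports exactly which keys are missing, still hold the template placeholder, or have the wrong shape, instead of surfacing only the bare "Cannot read properties of undefined" TypeError. The key names come from the file above; the UUID and https checks, the function names and the sample values are assumptions.

```javascript
// Added example: validate the AzTS-UI runtime configuration before it is used.
// Required keys are those of runtime-configuration-initial.js shown above; the
// format checks (UUID, https URL) and the function names are assumptions.
const CONFIG_GLOBAL = "__UI_CONFIGURATION_INITIAL__";
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isHttpsUrl(value) {
  if (typeof value !== "string") return false;
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

// Each required key with a predicate for the value shape it must have.
const REQUIRED_KEYS = {
  tenantId: (v) => UUID_RE.test(v),
  clientId: (v) => UUID_RE.test(v),
  apiClientId: (v) => UUID_RE.test(v),
  webAPI: (v) => isHttpsUrl(v),
  azureADAuthURL: (v) => isHttpsUrl(v),
};

// Inspect a window-like object and return { ok, config, problems }.
// `problems` names every defect so the operator knows what to fix in the App Service Editor.
function validateUiInitialConfiguration(win) {
  const config = win ? win[CONFIG_GLOBAL] : undefined;
  const problems = [];
  if (config === undefined || config === null || typeof config !== "object") {
    problems.push(
      `${CONFIG_GLOBAL} is not defined; runtime-configuration-initial.js is missing from wwwroot or failed to load`
    );
    return { ok: false, config: null, problems };
  }
  for (const [key, isValid] of Object.entries(REQUIRED_KEYS)) {
    if (!(key in config)) {
      problems.push(`missing key "${key}"`);
    } else if (typeof config[key] === "string" && config[key].startsWith("<")) {
      // The "<uuid-of-...>" template placeholders were left in place.
      problems.push(`key "${key}" still holds the template placeholder`);
    } else if (!isValid(config[key])) {
      problems.push(`key "${key}" has an unexpected value: ${JSON.stringify(config[key])}`);
    }
  }
  return { ok: problems.length === 0, config, problems };
}

// Return the validated configuration or throw one descriptive error.
function loadUiInitialConfiguration(win) {
  const result = validateUiInitialConfiguration(win);
  if (!result.ok) {
    throw new Error(`AzTS-UI runtime configuration invalid: ${result.problems.join("; ")}`);
  }
  return result.config;
}

// Constructed sample inputs (not real tenant or application values).
const sampleValidWindow = {
  __UI_CONFIGURATION_INITIAL__: {
    tenantId: "12345678-1234-1234-1234-1234567890ab",
    webAPI: "https://example-web-api.azurewebsites.net",
    clientId: "12345678-1234-1234-1234-1234567890ac",
    apiClientId: "12345678-1234-1234-1234-1234567890ad",
    azureADAuthURL: "https://login.microsoftonline.com",
  },
};
const sampleMissingFileWindow = {}; // runtime-configuration-initial.js absent
const samplePlaceholderWindow = {
  __UI_CONFIGURATION_INITIAL__: {
    tenantId: "<uuid-of-the-tenant-hosting-the-solution>", // placeholder left in
    webAPI: "http://example-web-api.azurewebsites.net",     // not https
    clientId: "12345678-1234-1234-1234-1234567890ac",
    apiClientId: "12345678-1234-1234-1234-1234567890ad",
    // azureADAuthURL omitted: this is the key the UI crashes on
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const w of [sampleValidWindow, sampleMissingFileWindow, samplePlaceholderWindow]) {
    const r = validateUiInitialConfiguration(w);
    console.log(r.ok ? "ok" : r.problems.join("\n"));
  }
}
```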

Setup self-attestation feature

When I execute the Enable-ByDesignExceptionFeature, using the settings specified, I get the following error:

Enable-ByDesignExceptionFeature : The term 'Enable-ByDesignExceptionFeature' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:1

+ Enable-ByDesignExceptionFeature `
    + CategoryInfo          : ObjectNotFound: (Enable-ByDesignExceptionFeature:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Load errors into Power BI dashboard

When trying to load the data into PowerBI, everything works for the "TenantSecurityReport" template, but for the "TenantSecurityInventoryReport" I receive many errors like the ones below:

Loading blocked by failures with other queries.

Web.Contents failed to get contents from 'https://api.loganalytics.io/v1/workspaces/0000000000000000000000/query?query=let%20LatestJobId%20%3D%20toscalar%20%28%20AzSK_SecureScoreControls_CL%20%7C%20where%20TimeGenerated%20%3E%20ago%281d%29%20%7C%20summarize%20arg_max%28JobId_d%2C%2A%29%7C%20project%20%20JobId_d%29%3B%0AAzSK_SecureScoreControls_CL%0A%7C%20where%20JobId_d%20%3D%3D%20LatestJobId%0A%7C%20summarize%20arg_max%28TimeGenerated%2C%20%2A%29%20by%20Id_s%0A%7C%20summarize%20count%28%29%20by%20CollectionTime%20%3D%20bin%28TimeGenerated%2C15s%29&x-ms-app=OmsAnalyticsPBI&prefer=ai.response-thinning%3Dtrue' (400): Bad Request

There is already an issue opened (and closed ???, but with no resolution) about this problem: #122

Thanks!

Error 500 Internal Server Error

When I try to "Onboarding tenants to multi-tenant AzTS Solution" using the /multitenantaction/onboardoffboardtenants?api-version=1.0 I receive an error 500.

After looking into Appinsight I got a "Sequence contains no matching element" error.

"Connection ID "{ConnectionId}", Request ID "{TraceIdentifier}": An unhandled exception was thrown by the application."

I have followed the steps described here "https://github.com/azsk/AzTS-docs/blob/main/05-Cross-tenant%20subscription%20scan/OnboardTenantToAzTS.md#onboarding"

What have I done incorrectly?

Failed status for control Azure_KeyVault_Audit_Enable_Diagnostics_Log

Hi there,

I'd like to thank the team in getting this scanner made available publicly and it has since helped me a lot.

I'm seeking feedback from the team as I'm getting a failed status for this control Azure_KeyVault_Audit_Enable_Diagnostics_Log in the AzTS Tenant scanner despite having the diagnostic setting enabled for my key vault.

Is there something else I have missed?

Regards,
Nick

Cannot reach aztssup contact email

Hello,

I sent an email to "[email protected]" but got a "Couldn't be delivered" message back:
"The group ssengteam only accepts messages from people in its organization or on its allowed senders list, and your email address isn't on the list."

Could you help?

Regards,

Allow directory switching

Service360 Notifications [email protected] is sending issues via email. However, the https://dst-azts.azurewebsites.net/ website that is supposed to host the remediation scripts doesn't allow me access (or the ability to switch to the directory that hosts the issues). I don't have any subscriptions in the @microsoft tenant so I get the error:

"Access required.
Please verify that you have the required access [ Owner, Contributor, ServiceAdministrator, CoAdministrator, AccountAdministrator, Security Reader, Security Admin, CSEO DevOps Role, SCIM DevOps Role] over the subscriptions for which you want to view Compliance Summary."

No other tenants visible in the UI.

Hi, I have completed building the cross-tenant architecture and the onboarding process.

'A' Tenant : Scan host subscription / monitoring target subscription
'B' Tenant : Monitoring target subscription.

In the UI, I can find the 'A' tenant subscription list and each scanning result.
But the 'B' tenant is not showing in the tenants dropdown list.

And I checked the following:

  • Storage account\Container : azskatsscanresult created and there is 'B' tenant's result
  • Storage account\Container : OnboardedTenantsConfigurations.json created.
  • Log Analytics Workspace : Target subscription's scan result created.
  • 'B' tenant permission : ADGraph/MSGraph Permission granted.

What should I check to solve this problem?

Multi Tenant Subscriptions not loading in UI

I have installed and configured AzTS as a multi-tenant scanner, using a central MI with Active Directory. I followed the instructions here: instructions

I then onboarded multiple tenant subscriptions for scanning. One of which is the subscription on which AzTS is installed. All the relevant data is being loaded into the storage bucket and log analytics, so the subscriptions of each tenant are being scanned correctly. However, when anyone logs in to the UI, they cannot see any of the scan data or subscription data from any of the tenants except the one on which AzTS is installed. Only that subscription is listed in the dashboard with its scan data, none of the other onboarded tenants.
I followed the appropriate API steps for onboarding and when I do an API call to check the subscription statuses it returns as enabled.
I also made sure that whoever is logging in to the UI has the permissions in Azure AD on each tenant account to see the relevant tenant subscriptions listed.

One other thing that could be of help, is when I do an API call for onboarding or getting tenant details, the request goes through successfully. However, when I do an API call for getting compliance status or requesting a scan it returns this message, even on the subscription that AzTS is installed on and shows in the dashboard:

Could not find any subscription against your login. Please validate, you have [ Owner, Contributor, ServiceAdministrator, CoAdministrator, AccountAdministrator, Security Reader, Security Admin, CSEO DevOps Role, SCIM DevOps Role] access on subscriptions

I am an owner and contributor on the subscription and in Azure AD, I am a global admin and privileged admin.
What could the issue be, any help would be highly appreciated as I have been struggling with this for a while now.

What can cause InvalidTemplateDeployment in Step 6 of Deployment?

In step 6, I am getting

response:

Template deployment validation returned following errors:

Started setting up Azure Tenant Security Solution. This may take 5 mins...
VERBOSE: 19:33:39 - Checking resource group for deployment...
VERBOSE: 19:33:39 - Resource group already exists.
VERBOSE: GET with 0-byte payload
VERBOSE: received 664-byte response of content type application/json
VERBOSE: 19:33:40 - Checking resource deployment template.
Code    : InvalidTemplateDeployment
Message : The template deployment '27c7aabe-90b3-4d84-ac5e-e8330e443215' is not valid according to the validation procedure. The   tracking id is '5e6d7cca-9e12-4969-ab88-aa6fca20a48b'. See inner errors for details.

My code is

$DeploymentResult = Install-AzSKTenantSecuritySolution `
              -SubscriptionId "my sub guid" `
              -ScanHostRGName "AzureTenantScanner" `
              -Location "eastus2" `
              -ScanIdentityId "/subscriptions/my sub guid/resourcegroups/AzureTenantScanner/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzTsManagedID" `
              -SendAlertNotificationToEmailIds @("the email we are using") `
              -EnableAutoUpdater `
              -Verbose

Any ideas?

Thx

Cannot reach azsksup contact email

Hello,

I sent an email to "[email protected]" but got a "Delivery has failed to these recipients or groups" message back:
"Your message couldn't be delivered because delivery to this group is restricted to authenticated senders. If the problem continues, please contact your email admin."

Could you help?

Regards,

How to completely remove AzTs from the subscription/tenant

I tried to remove it manually (by removing RG and MI), but when I started the new installation, the web UI component was not installed. However, there weren't any errors. I suppose there might be services that I didn't remove last time.

Signing scripts?

I wanted to use Remediate-SecureFTPDeploymentForAppServices.ps1 since my subscription has many app services that need the "FTP state" setting changed. However, my execution environment (SAW) does not allow for unsigned scripts.

Can all scripts be updated to be signed? Otherwise, they're not useful for many potential MSFT users constrained to SAW devices.

Assign PIM role to the service connection

The issue is regarding https://github.com/azsk/DevOpsKit-docs/blob/master/01-Subscription-Security/Readme.md#use-set-azskpimconfiguration-alias-setpim-for-configuringchanging-pim-settings-at-management-group-level

I'm running this PowerShell command:

  Set-AzSKPIMConfiguration -AssignRole `
        -SubscriptionId <SubscriptionId> `
        -ResourceGroupName <ResourceGroupName> `
        -DurationInDays 90 `
        -RoleName RoleName `
        -PrincipalName <service-connection> `
        -AssignmentType Eligible `
        -DoNotOpenOutputFolder

On running this, I see the following error:

Running AzSK cmdlet using a generic (org-neutral) policy...
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Unable to determine target data center for tenant
Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for assigning a role on it.

Is it not possible to assign PIM role to service connection?

AzTs configuration in Azure DevOps pipeline

Hi Team,

Is there any way that we can use AzTS for static code (ARM, Terraform files) analysis in an Azure DevOps build pipeline? Currently we are using AzSK for this analysis.

So If yes then please share the steps we need to follow to configure in our Azure DevOps pipeline.

Regards,
Ashish

AzTS UI returns 404 when accessing it

After setting up the solution and running all the steps in the setup page, even after waiting over 2 hours, when accessing the UI app it returns a blank page. In Application Insights I can see a 404 being returned.

How to determine if a rule changes?

I was working on mitigating a couple of issues for this control "Key Vault must have public access disabled", but in my most recent scan I can't find this rule anywhere. It is neither passing nor failing. Has it been removed? Where can I go to see announcements of such changes?

Typo in the function "Update-AzTSMMARemovalUtilityDiscoveryTrigger" in MMARemovalUtilitySetup.ps1

There is a typo and a mismatch with the provided documentation in the name of the passed parameters in the Update-AzTSMMARemovalUtilityDiscoveryTrigger function located within the MMARemovalUtilitySetup.ps1 script which is part of the MMA Removal Utility.

The typo is in StartScopeResolverImmediatley and StartExtensionDiscoveryImmediatley, which should be StartScopeResolverImmediately and StartExtensionDiscoveryImmediately respectively.
