Known Issues
The error appears as one of the following two messages:
failed to resolve table or column expression named
{ "code": "BadRequest", "message": { "error": { "code": "DraftClientException", "message": "The request had some invalid properties Activity D: 3332f9c0-b4d4-464b-8ec4-44a670ba745b." } } }
The underlying data is not present in the Log Analytics table, or no virtual machine is associated with any VM Insights data collection rule.
For VM Alerts, enable VM Insights. After VM Insights is enabled, run the remediation again.
Deployment of AMBA-ALZ fails when there are orphaned role assignments.
{ "code": "RoleAssignmentUpdateNotPermitted", "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated." }
When a role or a role assignment is removed, orphaned objects can remain and prevent a successful deployment.
- Navigate to Management Groups
- Select the management group (corresponding to the value entered for the enterpriseScaleCompanyPrefix during the deployment) where the AMBA deployment was targeted
- Select Access control (IAM)
- Under the Contributor role, select all records named Identity not found entry and click Remove
- Run the deployment
Error: Code=InvalidDeploymentLocation; Message=Invalid deployment location 'westeurope'. The deployment 'ALZARM' already exists in location 'uksouth'.
A deployment has been performed using one region, for example “uksouth”, and when you try to deploy again to the same scope but to a different region, you receive an error. This happens even when a cleanup has been performed (see Cleaning up a Deployment for more details). Deployment entries from the previous operation still exist, so a region conflict is detected, which blocks you from running another deployment in a different region.
Situation 1: You are trying to deploy to a region different from the one used in previous deployment. Deploying to the same scope in a different region is not necessary. The definitions and assignments are scoped to a management group and are not region-specific. No action is required.
Situation 2: You cleaned up a previous implementation and want to deploy again to a different region. To resolve this issue, follow the steps below:
- Navigate to Management Groups
- Select the management group (corresponding to the value entered for the enterpriseScaleCompanyPrefix during the deployment) where the AMBA deployment was targeted
- Click Deployment
- Select all the deployment instances related to AMBA and click Delete.
To recognize the deployment names belonging to AMBA, select those deployments whose names start with:
- amba-
- pid-
- alzArm
- ambaPreparingToLaunch
If you deployed AMBA just one time, you have 14 deployment instances.
Error: Code=MultipleErrorsOccurred; Message=Multiple errors occurred: Conflict,Conflict,Conflict,Conflict,Conflict,Conflict.
The limit of 800 deployments for the given management group scope has been reached. More information can be found at Management group limits.
To resolve this issue, follow the steps below:
- Navigate to Management Groups
- Select the management group (corresponding to the value entered for the enterpriseScaleCompanyPrefix during the deployment) where the AMBA deployment was targeted
- Click Deployment
- Select all the deployments that can be deleted (for example, instances of previous deployments related to AMBA) and click Delete
- Run the deployment
To recognize the deployment names belonging to AMBA, select those deployments whose names start with:
- amba-
- pid-
- alzArm
- ambaPreparingToLaunch
If you deployed AMBA-ALZ just one time, you have 14 deployment instances.
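The prefix-based selection used in both cleanup procedures above (region conflict and the 800-deployment limit) can be scripted with the Azure CLI. This is an added example, not part of the AMBA-ALZ project; the variable names AMBA_MG_ID and AMBA_DELETE and the sample deployment names are assumptions, and case-insensitive matching is assumed because the error above reports the deployment as 'ALZARM'.

```bash
#!/usr/bin/env bash
# Added example, not part of the AMBA-ALZ project.
# Name prefixes the page lists for AMBA deployments.
AMBA_PREFIXES="amba- pid- alzArm ambaPreparingToLaunch"

# Return 0 if the deployment name starts with one of the AMBA prefixes.
# Matching is case-insensitive (assumption: the error above shows 'ALZARM').
is_amba_deployment() {
  local name prefix
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for prefix in $AMBA_PREFIXES; do
    prefix=$(printf '%s' "$prefix" | tr '[:upper:]' '[:lower:]')
    case "$name" in "$prefix"*) return 0 ;; esac
  done
  return 1
}

# Read deployment names on stdin, one per line; print only the AMBA ones.
select_amba_deployments() {
  local name
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if is_amba_deployment "$name"; then printf '%s\n' "$name"; fi
  done
}

# Constructed sample names, for a dry run without Azure access.
sample_names() {
  printf '%s\n' amba-id-amba-prod-001 pid-constructed-0001 ALZARM \
    ambaPreparingToLaunch alz-connectivity-hub policy-baseline
}

# Live use: AMBA_MG_ID is the management group ID (hypothetical variable name).
# Nothing is deleted unless AMBA_DELETE=yes; the default only lists candidates.
if [ -n "${AMBA_MG_ID:-}" ]; then
  az deployment mg list --management-group-id "$AMBA_MG_ID" \
      --query "[].name" -o tsv | select_amba_deployments |
  while IFS= read -r dep; do
    if [ "${AMBA_DELETE:-no}" = "yes" ]; then
      az deployment mg delete --management-group-id "$AMBA_MG_ID" --name "$dep"
    else
      echo "would delete: $dep"
    fi
  done
else
  sample_names | select_amba_deployments
fi
```

Review the dry-run list before setting AMBA_DELETE=yes: the match is on name prefix only, so it selects any deployment at that scope with such a name, whether or not AMBA created it.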
The error appears as one of the following two messages:
{ "code": "InvalidDeployment", "message": "The 'location' property must be specified for 'amba-id-amba-prod-001'. Please see https://aka.ms/arm-deployment-subscription for usage details." }
InvalidDeployment - Long running operation failed with status 'Failed'. Additional Info:'The 'location' property must be specified for 'amba-id-amba-prod-001'. Please see https://aka.ms/arm-deployment-subscription for usage details.'
The new Bring Your Own User Assigned Managed Identity (BYO UAMI) allows you either to use an existing User Assigned Managed Identity (UAMI) or to create a new one in the management subscription, automatically assigning the Monitoring reader role to it at the parent pseudo root Management Group. If you opted to create a new UAMI, the management subscription ID is needed.
Set the parameter for the management subscription id correctly in the parameter file:
The following remediation tasks fail for one or more resources when the subscription name is used as part of the resource name and contains invalid characters:
- Deploy AMBA Notification Assets
- Deploy AMBA Notification Suppression Asset
At least one resource name segment is invalid according to the Resource Provider specification. (Code: InvalidResourceNameFormat)
When action groups and alert processing rules are deployed, they get the subscription name as part of their display name. If the name of the subscription in which they are about to be deployed contains invalid characters, the remediation task fails with the misleading error reported above.
Rename the subscription so that it contains no invalid characters. The supported characters for each resource type are listed on the Naming rules and restrictions for Azure resources public documentation page. For example, according to that page, alert suppression rules allow only alphanumerics, underscores, and hyphens; as defined at the beginning of the same page, alphanumeric refers to:
- a through z (lowercase letters)
- A through Z (uppercase letters)
- 0 through 9 (numbers)
After the subscription is renamed correctly, run the remediation.
Editing a previously deployed action group returns a misleading error in the Azure portal.
The error message appearing in the Azure portal includes the following message:
The api-version query parameter (?api-version=) is required for all requests. (Code: MissingApiVersionParameter)
Action groups are deployed using a name that contains the subscription name. If the subscription name contains characters that are not valid for the resource, editing the action group fails.
Rename the subscription so that it contains no invalid characters. The supported characters for each resource type are listed on the Naming rules and restrictions for Azure resources public documentation page. For example, according to that page, alert suppression rules allow only alphanumerics, underscores, and hyphens; as defined at the beginning of the same page, alphanumeric refers to:
- a through z (lowercase letters)
- A through Z (uppercase letters)
- 0 through 9 (numbers)
After the subscription is renamed correctly, remove the existing action groups (those whose name starts with either ag-AMBA- or ag-AMBA-SH-) and run the remediation.
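Both subscription-name issues above (the InvalidResourceNameFormat remediation failure and the MissingApiVersionParameter portal error) can be caught before deployment by checking subscription names against the character set the page quotes. This is an added example, not part of the AMBA-ALZ project; it assumes the allowed set is the one given above as an example (alphanumerics, underscores, hyphens), and the variable AMBA_CHECK_LIVE and the sample names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the AMBA-ALZ project.
# Allowed set assumed from the page's example: a-z, A-Z, 0-9, underscore, hyphen.

# Print the distinct characters in $1 that fall outside the allowed set.
invalid_chars() {
  printf '%s' "$1" | LC_ALL=C sed 's/[A-Za-z0-9_-]//g' \
    | fold -w1 | LC_ALL=C sort -u | tr -d '\n'
}

# Read subscription names on stdin, one per line; print one verdict per name.
report_names() {
  local name bad
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    bad=$(invalid_chars "$name")
    if [ -n "$bad" ]; then
      printf 'RENAME\t%s\tinvalid: [%s]\n' "$name" "$bad"
    else
      printf 'OK\t%s\n' "$name"
    fi
  done
}

# Constructed sample subscription names, for a run without Azure access.
sample_subscriptions() {
  printf '%s\n' 'amba-prod-001' 'Prod (EU) / Finance' \
    'Corp_Landing-Zone' 'Dev & Test'
}

# Live use: set AMBA_CHECK_LIVE=yes (hypothetical variable name) to check the
# subscriptions visible to the signed-in Azure CLI account.
if [ "${AMBA_CHECK_LIVE:-no}" = "yes" ]; then
  az account list --query "[].name" -o tsv | report_names
else
  sample_subscriptions | report_names
fi
```

Names reported as RENAME include the offending characters in brackets; a space counts as invalid under this character set.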