I have set up the AMA firewall data connector in Azure and the associated DCR.
I've installed the agent on a test endpoint.
I've read the guidance on "Set Up the Azure Monitor Agent on Windows Client Devices - Azure Monitor | Microsoft Learn". Although the monitored object part is a little confusing, I assume the data connector has resolved this.
I then run the PowerShell script from the same page in order to register the endpoint with Azure and start feeding stats into Azure.
I open PowerShell as a local admin. When the script executes, I authenticate using an account which is the Azure Owner and pick our subscription, but the script errors:
New-AzRoleAssignment : Operation returned an invalid status code 'Conflict' - line 16 char:1
Further down, I get:
Invoke-RestMethod : {"error":{"code":"InvalidAuthenticationToken","message":"The 'EvolvedSecurityTokenService' access token is invalid."}} - line :41 char:1
For line 16 I assume the conflict is because the user is an owner and already has the role. However, if I comment out that line, I still get the "access token is invalid" error.
It was suggested that this could be a permissions issue on the subscription or resource group, but the user is the owner on the tenant.
Can anyone suggest what could be the issue or what steps I've missed?
For the conflict error, you can remove or comment out this line:
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
If you're using the latest version of the Az PowerShell modules, the Token property of Get-AzAccessToken is now returned as a SecureString. You need to update the script from Microsoft accordingly.
Replace:
$auth = Get-AzAccessToken
$AuthenticationHeader = @{
    "Content-Type" = "application/json"
    # Breaks with newer Az.Accounts: $auth.Token is a SecureString, so string
    # concatenation yields "Bearer System.Security.SecureString", not the token.
    "Authorization" = "Bearer " + $auth.Token
}
With:
$auth = Get-AzAccessToken
$AuthenticationHeader = @{
    "Content-Type" = "application/json"
    # Unwrap the SecureString for the header only (-AsPlainText needs PowerShell 7+).
    "Authorization" = "Bearer " + $(ConvertFrom-SecureString $auth.Token -AsPlainText)
}
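As an added example (not the poster's code and not the Microsoft Learn script), a helper that builds the header whichever Token type the installed Az.Accounts returns, and that also runs on Windows PowerShell 5.1 where ConvertFrom-SecureString -AsPlainText is unavailable; the function names and the ARM resource URL are my assumptions, and it expects Connect-AzAccount to have been run already.

```powershell
# Added example, not the Microsoft Learn script or the poster's code.
# Handles old Az.Accounts (Token is [string]) and new Az.Accounts (Token is a
# SecureString) on Windows PowerShell 5.1 and PowerShell 7+.
# Assumes Connect-AzAccount has already been run; function names are mine.

function Get-AzBearerHeader {
    [CmdletBinding()]
    param(
        # Audience for the token: Azure Resource Manager by default.
        [string]$ResourceUrl = 'https://management.azure.com/'
    )

    $auth = Get-AzAccessToken -ResourceUrl $ResourceUrl

    if ($auth.Token -is [System.Security.SecureString]) {
        # Newer module: unwrap without -AsPlainText so 5.1 works too.
        $plain = [System.Net.NetworkCredential]::new('', $auth.Token).Password
    }
    else {
        # Older module: Token is already a plain string.
        $plain = [string]$auth.Token
    }

    return @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer $plain"
    }
}

function Test-AzBearerHeader {
    # Cheap read-only call (list subscriptions). A bad header fails here with
    # the same InvalidAuthenticationToken error as the script's Invoke-RestMethod
    # call, so verify before running the rest of the script.
    param([hashtable]$Headers = (Get-AzBearerHeader))

    $uri = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        return ($null -ne $resp.value)
    }
    catch {
        Write-Warning "Token check failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage: build the header the script expects, and stop early if it is rejected.
$AuthenticationHeader = Get-AzBearerHeader
if (-not (Test-AzBearerHeader -Headers $AuthenticationHeader)) {
    throw 'Access token rejected; fix the header before continuing.'
}
```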