Skip to main content

Illumio Segmentation for the Cloud User Guide

Azure Onboarding Troubleshooting Tips

Having onboarding issues? Use these troubleshooting tips to resolve your onboarding errors.

Onboarding Status

The Onboarding page summarizes onboarding statuses as one of the following:

Status

Description

Action

Complete

Accounts have both resource access and flow log access fully enabled. These accounts are fully onboarded and ready for monitoring and insights.

No action required

Partially Complete

Accounts have resource access enabled, but flow logs are missing, disabled, or only partially enabled.

Click the Issues column for details and how to troubleshoot.

Incomplete

Accounts are missing either resource access, flow log access, or both.

Click the Issues column for details and how to troubleshoot.

To filter the Onboarding Status table, click a status cards at the top of the page.

Onboarding Setup Errors

Onboarding Wizard Did Not Complete

PowerShell Script Execution Pending

Watch video

App Registration Creation Failed

Watch video

Onboarding Wizard Did Not Complete

Onboarding Wizard Did Not Complete: Continue your onboarding tasks.

PowerShell Script Execution Pending

  1. If the script is stuck, check for the following:

    • Azure authentication prompts in the browser

    • MFA challenges that need completion

    • Insufficient permissions to create App Registrations

  2. Contact your Azure administrator to resolve permission errors and rerun the script in Azure PowerShell.

App Registration Creation Failed

  1. Make sure that the user has the Application Administrator or Global Administrator role in Azure AD. 

  2. Request the necessary role from your Azure AD administrator. 

  3. Make sure that the user has Owner or User Access Administrator permissions on the subscription or tenant.

Inventory Onboarding Errors

Credential Error Status Code 401

Watch the video

Rotate the Client Secret

Watch the video

Service Principal Missing Role Assignment

Watch the video

Credential Error (Status Code 401): Authentication Failed

  1. See the Illumio documentation for Secret Rotation.

  2. Open a PowerShell terminal.

  3. Copy the script from the documentation and modify it to include your:

    • service_account_key

    • subscription_id

    • cloudsecure_tenant_id

    • service_account_key

  4. Run the script.

  5. Copy the Send Secrets Back to the Cloud script from the documentation and modify its values to include:

    • <YourServiceAccountKeyId>: Cloud's service account key id. You can create a Service Account in Settings

    • <YourServiceAccountToken>: Token of the service account being used

    • <Your ClientSecret>: New Service Principals secret

    • <CloudSecureTenantId>: Your Illumio Segmentation for the Cloud TenantId

    • <ClientId>: New Service Principal's Client Id

    • <SubscriptionId>: Azure subscription Id. This is required only for subscription onboarding. If the onboarding type is an Azure tenant, remove the entire line.

    • <AzureTenantId>: Azure Tenant Id of the customer

  6. Run the script.

Rotate the Client Secret

  1. In the Illumio documentation, view Update Service Principals for Onboarded Azure Subscriptions and Tenants.

  2. Copy the Azure onboarding script that matches the access mode you need.

  3. Replace the values in the script with the following from your Service Account credential:

    • <azure_subscription_id>

    • <service_account_key>

    • <service_account_token>

    • <cs_tenant_id>

  4. In Azure, open a PowerShell Terminal and run the script.

  5. Verify that the script completes.

Service Principal Missing Role Assignment

  1. In the Azure portal, go to Subscriptions, and select the target subscription.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Role tab, choose Reader or a custom role that includes the required permissions.

  5. On the Members tab, click + Select members and choose the Illumio service principal.

  6. Click Select.

  7. On the Review + assign tab, click Review + assign.

Flow Errors

Insufficient Permissions

Watch the video

VNET Flow Logs Not Enabled

Watch the video

VNET Version Incorrect

Watch the video

Network Security Groups Not Supported

Watch the video

Storage Account Firewall Blocking Access

Watch the video

Private Endpoint Required

Watch the video

Insufficient Permissions

  1. In the Azure portal, go to Storage accounts, and then select your storage account.

  2. In the left pane, select Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Role tab, select Storage Blob Data Reader.

  5. On the Members tab, click + Select members and choose the Illumio service principal.

  6. Click Select.

  7. In the Review + assign tab, click Review + assign.

If public network access to this storage is restricted:

  1. In the Azure portal, go to Storage accounts and select your storage account.

  2. In the left pane, select Security + networking.

  3. Select Networking.

  4. On the Public access tab, select Manage.

  5. Under Public network access scope, select Enable from selected networks.

  6. In the IPv4 Addresses section, add Illumio's IP addresses.

  7. Click Save.

VNET Flow Logs Not Enabled

  1. In Illumio Console, verify that VNET flow logs are expected but not being received. 

  2. Navigate to Azure Portal > Network Watcher > Flow logs.

  3. Check if flow logs are enabled for the required VNETs. 

  4. Verify the flow log configuration points to a storage account accessible by Illumio.

VNET Version Incorrect

  1. Navigate to Azure Portal > Network Watcher >  Flow logs

  2. Select the VNET flow log configuration. 

  3. Click Edit or Settings.

  4. Change the version to Version 2. 

  5. Save the configuration.

Network Security Groups Not Supported

  1. In the Azure portal, go to Network Watcher, and then select Flow logs.

  2. Select Create to add a new flow log.

  3. Configure the flow log:

    • Select the virtual network (VNET) that contains the target network security group (NSG).

    • Choose a storage account and ensure that Illumio has the required access.

    • Set the retention period as needed.

  4. Save the configuration.

Storage Account Firewall Blocking Access

  1. In the Azure portal, go to Storage accounts, and then select your storage account. 

  2. In the left pane, select Security + networking

  3. Select Networking.

  4. On the Public access tab, select Manage.

  5. Under Public network access scope, select Enable from selected virtual networks and IP addresses.

  6. In the IPv4 Addresses section, add Illumio's IP addresses.

  7. Select Save.

Private Endpoint Required

  1. Contact Illumio Support to discuss the private endpoint configuration.

  2. In the Azure portal, go to Storage accounts, and then select your storage account.

  3. In the left pane, select Security + networking.

  4. Select Networking.

  5. On the Private endpoints tab, select Create private endpoint.

  6. Select the private endpoint connection from Illumio, and then approve the connection.

  7. Click Yes.