In my subscription, I have the Contributor, Resource Policy Contributor, and Security Admin roles at the subscription. When I ran the code:
resource "azurerm_subscription_policy_assignment" "mcsb_assignment" {
  name                 = "mcsb"
  display_name         = "Microsoft Cloud Security Benchmark"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  subscription_id      = "/subscriptions/${var.subscription_id}"
}
It returned the error below:
Error: creating Scoped Policy Assignment (Scope: "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-2bcc3b93e5db"
│ Policy Assignment Name: "mcsb"): unexpected status 403 with error: AuthorizationFailed: The client 'xxxxxxxx-xxxx-490f-xxxx-75417f195cee' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-75417f195cee' does not have authorization to perform action 'Microsoft.Authorization/policyAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-2bcc3b93e5db/providers/Microsoft.Authorization/policyAssignments/mcsb' or the scope is invalid. If access was recently granted, please refresh your credentials.
Any suggestion as to what other permission I am missing?
Thanks,
Bill
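A way to check on paper whether the three roles named in the post should grant `Microsoft.Authorization/policyAssignments/write`, as an added example that is not part of the original post: it models Azure RBAC evaluation (per role, Actions minus NotActions; additive across the roles assigned to a principal). The role definitions are abbreviated, constructed versions modelled on the built-in roles, which is an assumption here, not the full definitions.

```python
import fnmatch

# Constructed, abbreviated role definitions (an assumption, not the full built-in ones).
ROLE_DEFINITIONS = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Resource Policy Contributor": {
        "actions": [
            "*/read",
            "Microsoft.Authorization/policyassignments/*",
            "Microsoft.Authorization/policydefinitions/*",
            "Microsoft.Authorization/policysetdefinitions/*",
        ],
        "not_actions": [],
    },
    "Security Admin": {
        "actions": ["*/read", "Microsoft.Authorization/policyAssignments/*"],
        "not_actions": [],
    },
}

def _matches(pattern, action):
    # Azure action strings are matched case-insensitively; '*' is the only wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_permits(role_name, action):
    """One role permits an action when an Actions entry matches it and no
    NotActions entry of that same role matches it."""
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not excluded

def granting_roles(assigned_roles, action):
    """RBAC is additive across assignments: the action is permitted if any
    assigned role permits it. Returns the roles that grant it ([] = denied)."""
    return [r for r in assigned_roles if role_permits(r, action)]

if __name__ == "__main__":
    roles = ["Contributor", "Resource Policy Contributor", "Security Admin"]
    action = "Microsoft.Authorization/policyAssignments/write"
    print(granting_roles(roles, action))
```

If the evaluation says the action is granted but the API still returns 403, the assignments are not reaching the identity Terraform actually authenticates as (the client/object id quoted in the error) at that scope, which is the thing to compare next.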