Many organizations run workloads across multiple cloud providers and need to maintain a strong security posture while ensuring interoperability. Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) solution that helps secure these environments by providing unified visibility and protection for resources in AWS and GCP alongside Azure.
Planning for multicloud security with Microsoft Defender for Cloud
As customers adopt Microsoft Defender for Cloud in multicloud environments, Microsoft provides several resources to support planning, deployment, and scalable onboarding:
- Planning Guides: Multicloud Protection Planning Guide that walks through key design considerations for securing multicloud with Microsoft Defender for Cloud.
- Deployment Guides: Connect your Azure subscriptions - Microsoft Defender for Cloud.
With the right planning and adoption strategy, onboarding to Microsoft Defender for Cloud can be smooth and predictable. However, support cases show that some common challenges can still arise during or after onboarding AWS or GCP environments. Below, we walk through frequent multicloud scenarios, their symptoms, and recommended troubleshooting steps.
Common multicloud connector problems and how to resolve them
1. Problem: Removed cloud account still appears in Microsoft Defender for Cloud
The AWS account or GCP project is deleted or removed from your organization, but Microsoft Defender for Cloud still lists it under connected environments, and security recommendations for resources in the deleted account may still appear on the Recommendations page.
Cause
Microsoft Defender for Cloud doesn't automatically delete a cloud connector when the external account is removed. The security connector is a separate Azure resource that remains until it is explicitly deleted. There is no callback from AWS or GCP to Azure when an account or project is closed, so Microsoft Defender for Cloud isn't aware that the cloud side was decommissioned, and the connector and its last-known data linger until you remove them manually.
Solution
Delete the connector to clean up the stale entry. Use one of the following methods.
Option 1: Use the Azure portal
- Sign in to the Azure portal.
- Go to Microsoft Defender for Cloud > Environment settings.
- Select the AWS account or GCP project that no longer exists.
- Select Delete to remove the connector.
Option 2: REST API
- Delete the connector by using the REST API: Security Connectors - Delete - REST API (Azure Defender for Cloud).
Note: If a multicloud organization connector was set up and the organization was later decommissioned or some accounts were removed, there would be several connectors to clean up. Start by deleting the organization’s management account connector, then remove any remaining child connectors. Removing connectors in this order helps prevent leftover dependencies.
For additional guidance, see: What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud.
2. Problem: Identity provider is missing or partially configured
After running the AWS CloudFormation template, the connector setup fails. Microsoft Defender for Cloud shows the AWS environment in an error state because the identity link between Azure and AWS is not established.
On the AWS side, the CloudFormation stack exists, but the required OIDC identity provider or the IAM role trust policy that allows Microsoft Defender for Cloud to assume the role via web identity federation is missing or misconfigured.
Cause
The AWS CloudFormation template doesn’t match the correct Azure subscription or tenant. This can happen if:
- You were signed in to the wrong Azure directory when generating the template.
- You deployed the template to a different AWS account than intended.
In both cases, the Azure and AWS IDs won’t align, and the connector setup will fail.
Solution
- Verify your Azure directory and subscription.
  - In the Azure portal, go to Directories + subscriptions and make sure the correct directory and subscription are selected before you set up the connector.
- Clean up the incorrect configuration.
  - In AWS, delete the CloudFormation stack and any IAM roles or identity providers it created.
  - In Microsoft Defender for Cloud, remove the failed connector from Environment settings.
- Re-create the connector.
  - Follow the steps in Connect your AWS account - Microsoft Defender for Cloud to generate and deploy a new CloudFormation template, this time signed in to the correct Azure directory and subscription and deploying to the intended AWS account.
- Verify the connection.
  - After the connection succeeds, the AWS environment shows Healthy in Microsoft Defender for Cloud. Resources and recommendations begin appearing within about an hour.
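Before deleting and redeploying the stack, it helps to confirm which of the two causes you are looking at. The following added Python example (not Microsoft's code or part of the original post) inspects an IAM role's trust policy offline, as returned under Role.AssumeRolePolicyDocument by `aws iam get-role`, and compares it with the Azure tenant ID and AWS account ID the connector expects. It assumes the connector's CloudFormation template federates through an OIDC provider whose URL is https://sts.windows.net/<tenant-id>/ and trusts sts:AssumeRoleWithWebIdentity; the sample policy, tenant ID, account ID and audience value are constructed.

```python
"""Offline check of an IAM role trust policy against the Azure tenant and AWS
account a Defender for Cloud connector expects.

Added example; not Microsoft's code. Assumptions: the connector's CloudFormation
template federates through an OIDC provider whose URL is
https://sts.windows.net/<tenant-id>/ and trusts sts:AssumeRoleWithWebIdentity.
The policy, tenant ID, account ID and audience below are constructed.
"""
import json
import re

# Constructed sample of Role.AssumeRolePolicyDocument as returned by
# `aws iam get-role` for one of the roles the template created.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::111111111111:oidc-provider/"
                "sts.windows.net/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # constructed audience; the real template pins Microsoft's app ID
                    "sts.windows.net/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/:aud": "api://example-audience"
                }
            },
        }
    ],
}

# arn:aws:iam::<12-digit account>:oidc-provider/<provider host/path>
OIDC_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):oidc-provider/(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_tenant_id, expected_aws_account):
    """Return findings (strings); an empty list means the trust relationship
    points at the expected Azure directory and the expected AWS account."""
    findings = []
    expected_provider = f"sts.windows.net/{expected_tenant_id}/"
    statements = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action", []))
    ]
    if not statements:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity: "
                "the web identity federation trust is missing"]
    for stmt in statements:
        principal = stmt.get("Principal", {}).get("Federated", "")
        m = OIDC_ARN_RE.match(principal)
        if not m:
            findings.append(f"Federated principal is not an OIDC provider ARN: {principal!r}")
            continue
        account, provider = m.groups()
        if account != expected_aws_account:
            findings.append(
                f"OIDC provider is in AWS account {account} but the connector "
                f"expects {expected_aws_account} (template deployed to the wrong account?)")
        if provider != expected_provider:
            findings.append(
                f"OIDC provider {provider!r} is not tenant {expected_tenant_id} "
                "(template generated while signed in to the wrong directory?)")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if f"{expected_provider}:aud" not in conditions:
            findings.append(
                f"no StringEquals condition on {expected_provider}:aud; "
                "the audience is not pinned to the expected tenant")
    return findings


if __name__ == "__main__":
    # Run as written: the matching case returns no findings, the
    # wrong-directory case reports the provider and audience mismatch.
    print(check_trust_policy(SAMPLE_TRUST_POLICY,
                             "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb", "111111111111"))
    print(json.dumps(check_trust_policy(SAMPLE_TRUST_POLICY,
                                        "cccccccc-9999-8888-7777-dddddddddddd",
                                        "111111111111"), indent=2))
```

Feed it the tenant ID shown under Directories + subscriptions and the AWS account ID shown on the connector in Environment settings. A provider mismatch points at the wrong-directory cause, an account mismatch at the wrong-account cause, and a missing statement means the stack never created the trust at all; in each case the clean-up and redeploy steps above apply.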
3. Problem: Duplicate security connector prevents onboarding
When an AWS or GCP connector is added in Microsoft Defender for Cloud, onboarding fails with an error that indicates another connector with the same hierarchyId already exists. In the Azure portal, the environment shows Failed, and no resources appear in Microsoft Defender for Cloud.
Cause
Microsoft Defender for Cloud allows only one connector per cloud account within the same Microsoft Entra ID tenant. The hierarchyId uniquely identifies the cloud account (for example, an AWS account ID or a GCP project ID). If the account was previously onboarded in another Azure subscription within the same tenant, you can’t onboard it again until the existing connector is removed.
Solution
Find and remove the existing connector and then retry onboarding.
Step 1: Identify the existing connector
- Sign in to the Azure portal.
- Go to Microsoft Defender for Cloud > Environment settings.
- Check each subscription in the same tenant for a pre-existing AWS account or GCP project connector.
If you have access, you can also query Azure Resource Graph to locate existing connectors:
    resources
    | where type == "microsoft.security/securityconnectors"
    | project name, location, subscriptionId, tenantId,
        hierarchyId = tostring(properties.hierarchyIdentifier),
        environment = tostring(properties.environmentName)
    | order by hierarchyId asc
Step 2: Remove the duplicate connector
Delete the connector that uses the same hierarchyId. Follow the steps outlined in the previous troubleshooting scenario for deleting security connectors.
Step 3: Retry onboarding
After the connector is removed, add the AWS or GCP connector again in the target subscription. If the error persists, verify that all duplicate connectors were deleted and allow a short time for changes to propagate.
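Once the Resource Graph results are exported, the two clean-up questions on this page (which hierarchyId is onboarded twice, and in what order to delete an organization's connectors) can be answered mechanically. The following added Python example (not Microsoft's code or part of the original post) does both over constructed connector rows shaped like the query output with the full properties bag kept. The property names follow the securityConnectors resource shape (properties.hierarchyIdentifier, properties.environmentName, and properties.environmentData.organizationalData with organizationMembershipType and parentHierarchyId); the rows are constructed, and the API_VERSION used in the generated DELETE URL is an assumption to confirm against the Security Connectors REST reference.

```python
"""Triage a Resource Graph export of Microsoft.Security/securityConnectors.

Added example; not Microsoft's code. Finds a hierarchyIdentifier onboarded
more than once in the tenant (duplicate-connector failure) and orders clean-up
so an organization connector is deleted before the member connectors that
point at it. Property names follow the securityConnectors resource shape;
the rows are constructed and API_VERSION is an assumption.
"""
from collections import defaultdict

API_VERSION = "2023-10-01-preview"  # assumption: confirm in the REST API reference

# Constructed rows, shaped like `resources | where type == "microsoft.security/securityconnectors"`
# output with the full properties bag projected.
SAMPLE_CONNECTORS = [
    {"name": "aws-org-management", "subscriptionId": "sub-a", "resourceGroup": "rg-sec",
     "properties": {"hierarchyIdentifier": "111111111111", "environmentName": "AWS",
                    "environmentData": {"environmentType": "AwsAccount",
                                        "organizationalData": {"organizationMembershipType": "Organization"}}}},
    {"name": "aws-org-member-1", "subscriptionId": "sub-a", "resourceGroup": "rg-sec",
     "properties": {"hierarchyIdentifier": "222222222222", "environmentName": "AWS",
                    "environmentData": {"environmentType": "AwsAccount",
                                        "organizationalData": {"organizationMembershipType": "Member",
                                                               "parentHierarchyId": "111111111111"}}}},
    # The same AWS account onboarded again from a second subscription in the
    # tenant: this is the row that makes a new onboarding attempt fail.
    {"name": "aws-standalone", "subscriptionId": "sub-b", "resourceGroup": "rg-other",
     "properties": {"hierarchyIdentifier": "222222222222", "environmentName": "AWS",
                    "environmentData": {"environmentType": "AwsAccount"}}},
    {"name": "gcp-prod", "subscriptionId": "sub-b", "resourceGroup": "rg-other",
     "properties": {"hierarchyIdentifier": "123456789012", "environmentName": "GCP",
                    "environmentData": {"environmentType": "GcpProject"}}},
]


def _org_data(connector):
    return connector["properties"].get("environmentData", {}).get("organizationalData", {})


def find_duplicates(connectors):
    """Map each hierarchyIdentifier that appears more than once to the
    subscription/connector names holding it (the tenant allows exactly one)."""
    by_hid = defaultdict(list)
    for c in connectors:
        by_hid[c["properties"]["hierarchyIdentifier"]].append(
            f'{c["subscriptionId"]}/{c["name"]}')
    return {hid: names for hid, names in by_hid.items() if len(names) > 1}


def deletion_order(connectors, org_hierarchy_id):
    """Connectors to delete when the organization whose management account has
    hierarchyIdentifier org_hierarchy_id is gone: the organization connector
    first, then the member connectors whose parentHierarchyId points at it."""
    parents = [c for c in connectors
               if c["properties"]["hierarchyIdentifier"] == org_hierarchy_id
               and _org_data(c).get("organizationMembershipType") == "Organization"]
    members = [c for c in connectors
               if _org_data(c).get("parentHierarchyId") == org_hierarchy_id]
    return parents + members


def delete_url(connector):
    """ARM DELETE endpoint for one connector (the call behind the portal's Delete)."""
    return (f"https://management.azure.com/subscriptions/{connector['subscriptionId']}"
            f"/resourceGroups/{connector['resourceGroup']}/providers/Microsoft.Security"
            f"/securityConnectors/{connector['name']}?api-version={API_VERSION}")


if __name__ == "__main__":
    for hid, names in find_duplicates(SAMPLE_CONNECTORS).items():
        print(f"hierarchyId {hid} is onboarded {len(names)} times: {', '.join(names)}")
    for c in deletion_order(SAMPLE_CONNECTORS, "111111111111"):
        print("DELETE", delete_url(c))
```

Replace SAMPLE_CONNECTORS with the exported rows, then issue the printed DELETE calls (for example with `az rest --method delete --url ...`) in the order given, organization connector first, before retrying the onboarding in the target subscription.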
Conclusion
Microsoft Defender for Cloud supports a strong multicloud security strategy, but cloud security is an ongoing effort. Onboarding multicloud environments is only the first step. After onboarding, regularly review security recommendations, alerts, and compliance posture across all connected clouds. With the right configuration, Microsoft Defender for Cloud provides a single source of truth to maintain visibility and control as threats continue to evolve.
Further Resources:
- Microsoft Defender for Cloud – Multicloud Security Planning Guide – Start here to design your strategy for AWS/GCP integration, with guidance on prerequisites and best practices.
- Connect your AWS account - Microsoft Defender for Cloud.
- Connect your GCP project - Microsoft Defender for Cloud.
- Troubleshoot connectors guide - Microsoft Defender for Cloud.
We hope this guide helps you troubleshoot multicloud connector issues when onboarding AWS and GCP environments to Microsoft Defender for Cloud. If you have any questions, feel free to leave a comment below or reach out to us on X @MSFTSecSuppTeam.