Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This guide is for IT professionals, information security analysts, and cloud administrators whose organizations need to troubleshoot problems related to Microsoft Defender for Cloud.
Tip
When you're facing a problem or need advice from our support team, the Diagnose and solve problems section of the Azure portal is a good place to look for solutions.
Use the audit log to investigate problems
The first place to look for troubleshooting information is the audit log for the failed component. In the audit log, you can see details like:
- Which operations were performed.
- Who initiated the operation.
- When the operation occurred.
- The status of the operation.
The audit log contains all write operations (PUT, POST, DELETE) performed on your resources, but not read operations (GET).
Troubleshoot improperly working antimalware protection
The guest agent is the parent process of everything that the Microsoft Antimalware extension does. When the guest agent process fails, the Microsoft Antimalware protection that runs as a child process of the guest agent might also fail.
Here are some troubleshooting tips:
- If the target VM was created from a custom image, make sure that the creator of the VM installed a guest agent.
- If the target is a Linux VM, installing the Windows version of the antimalware extension will fail. The Linux guest agent has specific OS and package requirements.
- If the VM was created with an old version of the guest agent, the old agent might not have the ability to automatically update to the newer version. Always use the latest version of the guest agent when you create your own images.
- Some third-party administration software might disable the guest agent or block access to certain file locations. If third-party administration software is installed on your VM, make sure that the antimalware agent is on the exclusion list.
- Make sure that firewall settings and a network security group aren't blocking network traffic to and from the guest agent.
- Make sure that no access control lists are preventing disk access.
- The guest agent needs sufficient disk space to function properly.
By default, the Microsoft Antimalware user interface is disabled. But you can enable the Microsoft Antimalware user interface on Azure Resource Manager VMs.
Troubleshoot problems with loading the dashboard
If you experience problems with loading the workload protection dashboard, make sure that the user who first enabled Defender for Cloud on the subscription and the user who wants to turn on data collection have the Owner or Contributor role on the subscription. If so, users with the Reader role on the subscription can see the dashboard, alerts, recommendations, and policy.
Troubleshoot connector problems for the Azure DevOps organization
If you can't onboard your Azure DevOps organization, try the following troubleshooting tips:
Make sure you're using a non-preview version of the Azure portal; the authorize step doesn't work in the Azure preview portal.
It's important to know which account you're signed in to when you authorize the access, because that will be the account that the system uses for onboarding. Your account can be associated with the same email address but also associated with different tenants. Make sure that you select the right account/tenant combination. If you need to change the combination:
On your Azure DevOps profile page, use the dropdown menu to select another account.
After you select the correct account/tenant combination, go to Environment settings in Defender for Cloud and edit your Azure DevOps connector. Reauthorize the connector to update it with the correct account/tenant combination. You should then see the correct list of organizations on the dropdown menu.
Ensure that you have the Project Collection Administrator role on the Azure DevOps organization that you want to onboard.
Ensure that the Third-party application access via OAuth toggle is On for the Azure DevOps organization. Learn more about enabling OAuth access.
Contact Microsoft support
You can also find troubleshooting information for Defender for Cloud at the Defender for Cloud Q&A page.
If you need more assistance, you can open a new support request on the Azure portal. On the Help + support page, select Create a support request.
See also
- Learn how to manage and respond to security alerts in Defender for Cloud.
- Learn about alert validation in Defender for Cloud.
- Review common questions about using Defender for Cloud.