Cannot enable UEBA feature on Microsoft Sentinel

Martin Grihangne 20

I can't enable the UEBA feature on Microsoft Sentinel. When going through the form to enable it, on step 2 it shows the error message "Updating the Entity Providers failed."

I have the Security Administrator admin role in AAD/Entra and the Contributor RBAC role on the subscription.

User's image

jay vk 0 Reputation points

2024-01-23T08:33:24.4066667+00:00

The Error is due to deployment of "Create new OMS solution" which is blocked by some default policy. You need global contributor access or User Access Administrator which provides permission to write policy. With global contributor you can resolve this error.

2 answers

JamesTran-MSFT 36,596 Reputation points Microsoft Employee

2023-11-01T22:18:16.82+00:00
@Martin Grihangne

Thank you for your post and I apologize for the delayed response!

I wasn't able to reproduce your issue, but it does look like you have the necessary permissions to enable UEBA in Microsoft Sentinel. However, the error message that you're receiving Updating the Entity Providers failed indicates that there might be an issue with the configuration of your entity providers.

To help you troubleshoot this issue, can you try the following steps:

Confirm you met all the pre-requisites to enable User and Entity Behavior Analytics

Set up Data sources / connectors as needed per the Deployment guide for Microsoft Sentinel. From your screenshot, it looks like you don't have any Data sources / connectors set up, which could be causing your issue. For more info.

I hope this helps!

If you're still having issues, please let me know. Thank you for your time and patience throughout this issue.
Please sign in to rate this answer.
JamesTran-MSFT 36,596 Reputation points Microsoft Employee

2023-11-06T19:42:23.98+00:00

@Martin Grihangne

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Stephen Crooks 0 Reputation points

2023-11-07T13:59:19.3733333+00:00

Hey @JamesTran-MSFT , hoping to piggy back off this question with a similar issue. We are also getting that error message when trying to enable UEBA. All of the pre-requisites have been followed as per the Microsoft docs. In the screenshot below you can see we do have data sources available, the interesting thing is that the 'Microsoft Entra ID' connector (which we are trying to enable UEBA for) is not showing as 'green' to the right of the check box - even though we are receiving regular logs for this connector, and is showing as 'green' on the connector page. Is there extra configuration steps needed to allow this connector to be used by the UEBA feature. Many thanks
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
jay vk 0 Reputation points

2024-01-23T08:34:03.94+00:00

The Error is due to deployment of "Create new OMS solution" which is blocked by some default policy. You need global contributor access or User Access Administrator which provides permission to write policy. With global contributor you can resolve this error.
Please sign in to rate this answer.
Nathan French 0 Reputation points

2024-09-11T16:21:16.33+00:00

I am having the same issue, is there any more information surrounding this and or a fix or workaround? Do those permissions need to be granted in the subscription? or at the tenant level? And what specific policy is preventing it? Any help would be appreciated
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Cannot enable UEBA feature on Microsoft Sentinel

2 answers

Your answer