WithSecure Integration to Azure Sentinel

Question

WithSecure Integration to Azure Sentinel

Phumlani Zwane 60

Hi kindly assist in resolving an error i get when i try to integrate withsecure and sentinel, the error i get on the deployment is "Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code: RoleAssignmentUpdateNotPermitted)", The role assigned is "Select Monitoring Metrics Publisher > Next. You could instead create a custom action with the Microsoft.Insights/Telemetry/Write data action." from the guide "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#assign-permissions-to-the-dcr" but still am getting an error, i even created a custom role but same error.

VEMULA SRISAI 13,315 Reputation points Microsoft External Staff Moderator

2026-05-04T09:49:36.52+00:00
Hello Phumlani Zwane,

The error RoleAssignmentUpdateNotPermitted is not related to the role itself (Monitoring Metrics Publisher or your custom role). This error occurs because the deployment is attempting to update an existing role assignment where the Tenant ID, Application/Service Principal ID, or Scope has changed, which Azure RBAC does not allow.

Why this happens:

Azure role assignments are immutable once created. If a role assignment already exists at the same scope and the deployment tries to reuse it with a different principal ID or scope, Azure blocks it with this error.

What you should do:

Identify the failed resource in the deployment → it will be of type Microsoft.Authorization/roleAssignments.

Go to the exact scope used (typically the Data Collection Rule).

Remove any existing role assignment for the WithSecure service principal at that scope.

Ensure the deployment is using the Service Principal Object ID (not the Application/Client ID).

Re-run the integration deployment so Azure creates a new role assignment. Using Monitoring Metrics Publisher or a custom role with Microsoft.Insights/Telemetry/Write is correct, as per the documentation—the issue is strictly with a stale or conflicting role assignment.

This should resolve the deployment failure.
Phumlani Zwane 60 Reputation points

2026-05-04T11:00:15.36+00:00

@VEMULA SRISAI Can we kindly get on the call if possible. Teams or google meet.
VEMULA SRISAI 13,315 Reputation points Microsoft External Staff Moderator

2026-05-05T19:15:33.69+00:00

Phumlani Zwane okay sure, could you please check the private message for further assistance on this.
Harshitha Eligeti 10 Reputation points Microsoft External Staff Moderator

2026-06-03T16:52:17.8533333+00:00
Hello @Phumlani Zwane
Thank you for sharing the issue details.

I hope you have reviewed the steps provided by SriSai. If not, here is a detailed approach to follow based on the error:

RoleAssignmentUpdateNotPermitted

The issue is not caused by the Monitoring Metrics Publisher role itself. The documentation confirms that this role is the correct permission required on the DCR and grants the Microsoft.Insights/Telemetry/Write action needed for Logs Ingestion API access. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal

The actual issue occurs because Azure RBAC does not allow modifying certain properties of an existing role assignment once it has been created.

Why this error occurs

Azure role assignments are immutable for the following fields:

Tenant ID

Application ID

Principal ID

Scope

If the deployment or integration process attempts to reuse an existing role assignment while changing one of the above values, Azure blocks the update and returns:

RoleAssignmentUpdateNotPermitted

This commonly happens when:

the integration was previously configured using a different service principal,

the Application (Client) ID was used instead of the Service Principal Object ID,

or an old/stale role assignment already exists on the Data Collection Rule (DCR).

Recommended Resolution

Please perform the following steps:

Go to the failed deployment and identify the resource of type:

Microsoft.Authorization/roleAssignments

Navigate to the exact scope where the role assignment is being applied:

typically, the Data Collection Rule (DCR) IAM scope.

Under:

DCR → Access Control (IAM) → Role assignments

Verify that the deployment is using:

the Service Principal Object ID

and NOT the Application/Client ID.

Re-run the integration deployment so Azure can create a completely new role assignment.

As referenced in the Microsoft Learn documentation, assigning:

Monitoring Metrics Publisher or

a custom role containing:

Microsoft.Insights/Telemetry/Writeis correct for Logs Ingestion API integrations.

RBAC propagation may take up to 30 minutes after role assignment changes. Please Let me know if you are still facing the issue. we are happy to assist you further.
Phumlani Zwane 60 Reputation points

2026-06-04T11:00:04.0866667+00:00

Hi Harshitha Eligeti, I am kind of lost, can we by any chance get on a quick call so that you can take me through.

1 answer

Your answer

VEMULA SRISAI 13,315 Reputation points Microsoft External Staff Moderator

2026-05-04T09:49:36.52+00:00

Hello Phumlani Zwane,

The error RoleAssignmentUpdateNotPermitted is not related to the role itself (Monitoring Metrics Publisher or your custom role). This error occurs because the deployment is attempting to update an existing role assignment where the Tenant ID, Application/Service Principal ID, or Scope has changed, which Azure RBAC does not allow.

Why this happens:

Azure role assignments are immutable once created. If a role assignment already exists at the same scope and the deployment tries to reuse it with a different principal ID or scope, Azure blocks it with this error.

What you should do:

Identify the failed resource in the deployment → it will be of type Microsoft.Authorization/roleAssignments.

Go to the exact scope used (typically the Data Collection Rule).

Remove any existing role assignment for the WithSecure service principal at that scope.

Ensure the deployment is using the Service Principal Object ID (not the Application/Client ID).

Re-run the integration deployment so Azure creates a new role assignment. Using Monitoring Metrics Publisher or a custom role with Microsoft.Insights/Telemetry/Write is correct, as per the documentation—the issue is strictly with a stale or conflicting role assignment.

This should resolve the deployment failure.
Phumlani Zwane 60 Reputation points

2026-05-04T11:00:15.36+00:00

@VEMULA SRISAI Can we kindly get on the call if possible. Teams or google meet.
VEMULA SRISAI 13,315 Reputation points Microsoft External Staff Moderator

2026-05-05T19:15:33.69+00:00

Phumlani Zwane okay sure, could you please check the private message for further assistance on this.
Phumlani Zwane 60 Reputation points

2026-06-04T11:00:04.0866667+00:00

Hi Harshitha Eligeti, I am kind of lost, can we by any chance get on a quick call so that you can take me through.

Answer 1

The error Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (code: RoleAssignmentUpdateNotPermitted) occurs when a deployment tries to update an existing role assignment instead of creating a new one. Role assignments are immutable and uniquely identified by their name (a GUID). If the same name is reused with a different principal, role, or scope, Azure treats it as an update and blocks it.

To resolve this in the WithSecure → Sentinel integration deployment, focus on the role assignment resource in the template/Bicep that grants Monitoring Metrics Publisher (or the custom role) and ensure:

Use a unique, deterministic name for the role assignment
- The name of the Microsoft.Authorization/roleAssignments resource must be unique for each combination of scope, principal ID, and role ID.
- If redeploying after changing the principal or role, generate a different GUID for the role assignment name so it is treated as a new assignment, not an update.
- In Bicep/ARM, use the guid() function with stable inputs (for example, scope, principalId, roleDefinitionId) to generate an idempotent but correct name:
  - Example pattern (conceptual): name: guid(subscription().id, principalId, roleDefinitionId).
Do not attempt to change an existing role assignment in-place
- If a role assignment already exists for that name, you cannot change its tenant, principal ID, application ID, or scope.
- Either:
  - Delete the existing role assignment (if appropriate and allowed) and then redeploy, or
  - Keep the existing assignment and adjust the template to match it, or
  - Create a new role assignment with a new name.
Check for previous deployments or manual assignments
- If the WithSecure integration or another deployment previously created a role assignment at the same scope for the same identity, the current deployment may be reusing the same name.
- Inspect existing role assignments on the target resource/subscription and compare their IDs with what the template is generating.
If using Azure Developer CLI or ARM/Bicep pipelines
- The same rule applies: ensure each Microsoft.Authorization/roleAssignments resource uses a proper, deterministic GUID for name so that redeployments are idempotent and do not try to “update” an assignment whose principal or scope has changed.

The error is not caused by the specific role (Monitoring Metrics Publisher vs custom role) but by how the role assignment resource is defined and named in the deployment.

References:

Share via

WithSecure Integration to Azure Sentinel

1 answer

Your answer