Azure Private Offer ARM template failure - azure

I'm getting the below error during validation when trying to deploy an ARM template via private offer (cleansed):
{"code":"MarketplacePurchaseEligibilityFailed","details":[{"code":"BadRequest","message":"Offer with PublisherId: 'PUBLISHER', OfferId: 'OFFER' cannot be purchased due to validation errors. For more information see details. Correlation Id: 'ID' Sku 'SKU' of offer 'OFFER' by publisher 'PUBLISHER' is not available to you for deployment per the policy set by your IT Admin.
I went through powershell and accepted the terms but still having the issue. Microsoft's responses so far are based on the browser. I've tried in Firefox, Chrome, and Edge to no avail. The Azure environment is pretty basic with no specific policies for anything so I'm not sure why it's saying this. Any help would be greatly appreciated.
Thanks!

There could be multiple reasons why you are getting this validation failure.
These are:
Programmatic deployment for the Marketplace is not configured.
Undefined task failed while creating or updating the template deployment.
Offer with PublisherId, and OfferId is not found. Doesn't exist anymore. As example, publisher revoked it.
Marketplace purchase is not enabled.
Unknown payment instrument(s) is unsupported for offer with OfferId, PlanId.
Organization is in deleted state.
etc.
Based on your failure details "is not available to you for deployment per the policy set by your IT Admin.", it seems your subscription is not registered and approved to deploy this specific image.
I'd recommend to do the next steps to resolve the issue:
Go to https://learn.microsoft.com/he-il/marketplace/manage-private-azure-marketplace-powershell#add-an-offer-to-a-private-marketplace
Click on try me button next to Add an Offer the private marketplace.
Login to the relevant tenant.
Use PowerShell and run the commands:
(a) Install-Module -Name Az.Marketplace
(b) Get-AzMarketplacePrivateStore - to get the privateStore Id
(c) use the private store id from step b
`$Params = #{
privateStoreId = 'PrivateStoreId'
offerId = 'paloaltonetworks.vmseries-flex'
SpecificPlanIdsLimitation = #('byol')
}
Set-AzMarketplacePrivateStoreOffer #Params`
I look forward to your response. Please let me know if you have any questions.

Related

How to properly add health check for azure service bus when using managed identity (and rebus)

I have recently added managed identity support to Azure Service Bus and struggling how to properly add the health check. Prior to using managed identity, the health check was working fine, but now I am facing issues. The code to add the health check is the following:
builder.AddAzureServiceBusQueue(
"myservicebus.servicebus.windows.net",
"myqueue",
new DefaultAzureCredential(),
name: $"Azure Service Bus Health Check");
With this code, I am receiving the following error:
Put token failed. status-code: 404, status-description: The messaging entity 'sb://myservicebus.servicebus.windows.net/myqueue/$management' could not be found. To know more visit https://aka.ms/sbResourceMgrExceptions. TrackingId:6bd6fac5-3fbd-4889-a89b-a4854b8299f9_G13, SystemTracker:myservicegus.servicebus.windows.net:myqueue/$management, Timestamp:2022-12-23T02:21:08. (MessagingEntityNotFound). For troubleshooting information, see https://aka.ms/azsdk/net/servicebus/exceptions/troubleshoot.
I am not sure what the $management is all about or why it is needed. I thought perhaps the role associated with managed identity was missing a capability. To test that, I granted the role "Azure Service Bus Data Owner" and "Owner" to the resource, but still receiving the above error.
Also, not sure if it matters, but I am using Rebus to handle the publishing and subscribing of events (with managed identity) and that is working fine.
Any help is appreciated.
Thanks,
Eric
This is not really an answer, but here's some hopefully helpful information for anyone running into a similar issue.
The main mistake I had made was specifiying an incorrect queue name. It seems that when trying to perform the operation that health check is performing, something like:
var receiver = client.CreateReceiver("the_invalid_queue");
_ = await receiver.PeekMessageAsync().ConfigureAwait(false);
And when the queue name specified does not exist, we get the error as described in the question, mentioning the missing entity.
So just need to make sure to specify an existing queue name and all should work OK.
Eric

Microsoft Graph error processing a storage extension white getting subscription by ID

I am trying to get a subscription by ID from Microsoft Graph REST. If I list the subscriptions using GET /subscriptions, things are working fine and I am able to list all subscriptions. But if I take a subscription id from the list and try to get the details using GET /subscriptions/{id}, I am getting the following error:
{
"error":
{
"code":"ExtensionError",
"message":"There was an error processing a storage extension.",
"innerError":
{
"date":"2021-10-12T06:59:47",
"request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0",
"client-request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0"
}
}
}
Any ideas on where I might be going wrong?
PS: I am trying to get an individual subscription because the /subscriptions route does not provide the clientState property which is required for me.
When I route to the same /subscription got the #odata.context link.
I open the same link and search for clientState and got its type but not its value.
Note: the clientState property value is not returned for security purposes.
refer this github
Note : Client State is not set for the List Subscription on purpose by design, because subscription collections could be listed by say some other user (example tenant admin using Subscription.Read.All). It is not desirable to share this Client state information through the Listing API for that user who is not the creator of the subscription.
Reference : https://github.com/microsoftgraph/microsoft-graph-docs/issues/5248

Azure API throwing Missing Subscription error

I am facing an issue with following Azure API.
GET https://management.azure.com/{resourceUri}/providers/microsoft.insights/metricDefinitions?api-version=2018-01-01
I am trying to access the above API using my Subscription ID in place of resourceUri. But it is throwing the below error:
{
"error": {
"code": "MissingSubscription",
"message": "The request did not have a provided subscription. All requests must have an associated subscription Id."
}
}
I have checked in Azure Portal, everything seems fine. The Subscription ID is correct one. The user account have owner permissions. Still getting the error. Not sure of the reason.
Can someone help me out with the most common and basic reasons of this error and steps to resolve this one. Already I have spent couple of hours debugging this one, but no luck.
I have reproduced your issue, the resourceUri should be the Resource ID instead of the Subscription ID.
Use Subscription ID :
Use Resource ID(in my sample, I use a web app resource id, you could find it in the portal-> your web app -> Properties):

Connection of StorageExplorer to AzureStack still not working

I am now using the current Azure Dev Pack (18.03). When following the tutorial for connection there is now the following error when trying to connect:
The problem is, that the tutorial is only mentioning the following dialog for connecting a storage:
where the ARM endpoint has to be set to "https://adminmanagement.local.azurestack.external".
But after this dialog another dialog is shown which is not mentioned in the documenation at all:
Here it is not clear what is meant by the "Sign in ressource id" or the "ARM resource id".
I found something, which might be at least the "ARM resource id":
So finally: What to insert for "Sign in resource id" and "ARM resource id"?
EDIT:
So after the answers below I requested these IDs manually:
But I still don't know exactly how to insert it. Doing it the following way:
still ends up in another error message:
EDIT 2:
So what I corrected was, that I again checked to use a base64 encoded Certificate. Further it appeared to be an issue that in above screenshot I had ARM Endpoint for "adminmanagement..." and the resource ids I requested were for "management...". So I altered the Rest call for the ID to (Invoke-RestMethod -Uri https://adminmanagement.local.azurestack.external/metadata/endpoints?api-version=1.0).authentication.audiences[0].
IT appears to be an improvement, because it ends up in a brand new error message:
Additional hint: If I now use a nonesense login not available at the stack, I get the Unable to sign in: access_denied: AADSTS65005: Invalid resource error message in the popup at the top border of the Azure explorer.
From an internal program manager, This seems to be caused by some known regression issue in Storage Explorer 0.9.6 version that Sign in resource id and ARM resource id aren’t fetched properly during sign-in.
As a workaround, user can execute the sample cmdlet for ASDK below and then input the returned value for these two resource ids.
For multi-node integrated system, the Azure Stack endpoint needs to be changed according to the environment configuration.
PowerShell:
Invoke-RestMethod -Uri (https://management.local.azurestack.external/metadata/endpoints?api-version=1.0 -Method Get).authentication.audiences[0]
There is also a new release of Storage Explorer to fix this bug soon.
Second Fix:
This issue could also happen when the incorrect certificate type is exported. The certificate must be exported in Base-64 x.509 format:
Try entering the invoke command like this:
(Invoke-RestMethod -Uri https://Adminmanagement.3171r06a.azcatcpec.com/metadata/endpoints?api-version=1.0).authentication.audiences[0]
or
(Invoke-RestMethod -Uri https://Adminmanagement.3171r06a.azcatcpec.com/metadata/endpoints?api-version=1.0).authentication
Returned results for me. Replace you region and dns with what you have deployed.
The problems have been solved together with Azure Storage Explorer v1.0.

Access RateCard API from Government Cloud, Region usgovvirgia

In trying to access RateCard info in the Government Cloud, Region usgovvirgia, and working from example on github: https://github.com/Azure-Samples/billing-dotnet-usage-api.
GitHub Sample throws Unhandled exception: AADSTS65005 (see links below)
This error is mentioned there but in reworking the referenced sections of the procedure I haven't found a way to correct this and strongly suspect the problem is due to differences in US Gov Cloud. (See image below for App settings in the Portal).
My RegisteredApp:
RateCardHM, appId/clientID: XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a ->
Required Permissions-> (Delegated -- NoApplicationPermissionsAvailable)
Access Azure Service Management as organization users (preview)
RequiresAdmin: No {"AADSTS65005: Invalid resource. The client has
requested access to a resource which is not listed in the requested
permissions in the client's application registration. Client app ID:
XXXXXXXX-XXXX-47a3-811e-ca0b0b74118a. Resource value from request:
https://management.usgovcloudapi.net/. Resource app ID:
40a69793-8fe6-4db1-9591-dbc5c57b17d8. List of valid resources from app
registration: 797f4846-ba00-4fd7-ba43-dac1f8f63013,
00000002-0000-0000-c000-000000000000. Trace ID:
6c1f3716-12ca-489e-b183-99cb6f730300 Correlation ID:
57dbf637-8e01-42f2-873c-4723f1814254 Timestamp: 2018-03-14 18:43:33Z"}
Since there probably isn't a "2-letter ISO code" for usgovvirginia, what should be used?
https://msdn.microsoft.com/en-us/library/azure/mt219004.aspx Indicates:
•Set {RegionInfo} to the 2 letter ISO code where the offer was purchased.
Reconcile with usgovvirginia Region.
<appSettings>
<add key="ADALServiceURL" value="https://login.microsoftonline.us"/>
<add key="ADALRedirectURL" value="http://localhost"/>
<add key="ARMBillingServiceURL" value="https://management.usgovcloudapi.net"/>
<add key="TenantDomain" value="XXXXX.onmicrosoft.com"/>
<add key="SubscriptionID" value="XXXXXXXX-1293-4060-a2ed-0da3db612bcc"/>
<add key="ClientId" value="XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a"/>
<add key="RegionInfo" value="usgovvirginia"/> <!-- WHAT to use here? -->
</appSettings>
I would prefer to get access with PowerShell but getting the C# sample app to work would likely be sufficient and certainly a good start.
UPDATE FOLLOWS (more info):
After logging in with PowerShell AzureRM (as myself) "Locations" for Microsoft.Commerce and RateCard API are empty:
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce)
# Outputs with LOCATION 'empty':
ProviderNamespace : Microsoft.Commerce
RegistrationState : Registered
ResourceTypes : {UsageAggregates, RateCard, operations}
Locations : {}
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce).ResourceTypes | ? ResourceTypeName -eq RateCard
# Outputs with LOCATION 'empty' also:
ResourceTypeName : RateCard
Locations : {}
ApiVersions : {2016-08-31-preview, 2015-06-01-preview, 2015-05-15}
Possibly this means US Gov Cloud doesn't offer these APIs in any region?
This following image shows the alert where the App has been added as a Reader:
First, you need to make sure Billing API is actually supported on Government Subscription. I cannot seem to find an official reference over the Internet about the supportability. It'd be much better to ask about that here https://azure.microsoft.com/en-us/global-infrastructure/government/contact/
If it is supported, normally you need to add your client app you registered to the Government subscription.
Under Access Control (IAM) blade, click Add. Select Reader under Role (in case you just need to get information without any change). Under Select, you can look up your client app name (the one has client ID associated), you can also copy the client ID and paste to this field.
With out appropriate permission, your registered client app can't read to your Government resource to retrieve billing info over REST API.
P/S: There is also a role named Billing Reader if you would like to explicitly control access.
Microsoft Support has now attested that accessing the RateCard API is not available in an Enterprise Account (nor in a CSP account).
https://learn.microsoft.com/en-us/azure/billing/billing-usage-rate-card-overview#azure-resource-ratecard-api-preview
Azure Resource RateCard API (Preview)
Use the Azure Resource RateCard API to get the list of available
Azure resources and estimated pricing information for each. The API
includes: Azure Role-based Access Control - Configure your access
policies on the Azure portal or through Azure PowerShell cmdlets to
specify which users or applications can get access to the RateCard
data. Callers must use standard Azure Active Directory tokens for
authentication. Add the caller to either the Reader, Owner, or
Contributor role to get access to the usage data for a particular
Azure subscription.
Support for Pay-as-you-go, MSDN, Monetary commitment, and Monetary
credit offers (EA and CSP not supported) - This API provides Azure
offer-level rate information. The caller of this API must pass in the
offer information to get resource details and rates. We're currently
unable to provide EA rates because EA offers have customized rates
per enrollment.
Thanks to everyone who tried to help.

Resources