Issue with Azure Agent Info test

Wessley · December 21, 2021, 1:49pm

**CMK version:2.0.0p11 (CEE)
**OS version: RHEL7

With services being monitored in Azure, with the service “Azure Agent Info” I am getting the error message Graph client: Insufficient privileges to complete the operation.CRIT . One of the people here who looks after the Azure setup has had a look at it and if he gives the Azure user configured for the tests the permissions to read the info it will try and get each user one at a time. The issue is that the Azure AD that it is looking at has over 340000 users in, since it is hold student accounts. The Azure expert says there is a call to return the number of users and wonder if this could be used instead of getting users one at a time.
Is this an issue anybody else has come across, and found a way around it ?

Cheers

Wessley

robin.gierse · January 3, 2022, 11:43am

This sounds like something for which you would need to open a ticket with the tribe.
Especially as no one seems to have input on this.

andreas-doehler · January 4, 2022, 7:22am

I had a short look at the special agent and it is really so that it pulls the complete user list only to count the users. This makes no sense

@Wessley - you can modify the special agent a little bit to avoid this.
Inside the “write_section_ad” you find two lines.

    users = graph_client.users()
    section.add(["users_count", len(users)])

If you comment the first one and set a static “users” value, you can avoid the fetching of all users.
The fetching itself is defined in the “GraphApiClient” inside the “def users”

Wessley · January 5, 2022, 2:12pm

Thanks for the response. Do I have to restart CMK for the change to take affect or will it work the next time the special agent is called ?

Cheers

Wessley

DavideDG · July 1, 2022, 1:50pm

Hi, regarding the “Insufficient privileges”, please check: Azure Host issues - #7 by DavideDG
I was not (yet) able to find a lower permissions settings, though… anyone can help with that ?

@andreas-doehler nice workaround … since I do not need a check on Azure users, I might actually end up disabling it altogether… would be nice if the special agent had an option to choose which sections to retrieve from Azure (smth like the VMWare agent…).

HTH. Bye.