Use this guide to resolve common issues when running the Data Agent Governance and Security Accelerator.
| Symptom | Quick Fix |
|---|---|
| "Connect-AzAccount" prompts for login during azd up | Run az login, azd auth login, Connect-AzAccount, and Set-AzContext in same terminal before azd up |
| "spec.local.json not found" | Run Copy-Item ./spec.dspm.template.json ./spec.local.json and populate values |
| "Cannot find property 'tenantId'" | Your spec.local.json has invalid JSON syntax - validate with `Get-Content ./spec.local.json |
| Scripts skip with "No X configured" | The corresponding spec section is empty/missing - this is OK if you don't need that feature |
| "Authorization denied" on audit exports | You need Audit Reader or Compliance Administrator role in Purview |
| Exchange Online commands fail | Connect-ExchangeOnline now uses device-code flow (-Device) so it works in containers/Codespaces. Open the URL printed in the terminal on a local browser and enter the code to authenticate |
- Symptoms:
Connect-AzAccountopens a browser duringazd upor fails withInteractiveBrowserCredentialerrors. - Fix: Ensure you ran
az login,azd auth login,Connect-AzAccount -Tenant ... -Subscription ..., andSet-AzContextin the same terminal before invokingazd up. The hook only reuses existing contexts.
- Symptoms:
20-Subscribe-ManagementActivity.ps1or21-Export-Audit.ps1fails withAuthorization has been denied for this request. - Fix:
- Assign the operator to the Audit Reader or Compliance Administrator role under Microsoft Purview permissions.
- Confirm the user has an Exchange Online / Microsoft 365 E5 license and that auditing is enabled (
Get-AdminAuditLogConfig). - Run
Disconnect-AzAccount,az logout, and sign in again so new tokens include theActivityFeed.Readrole.
- Symptoms: Scripts complain that
contentTypesorazurePoliciescannot be found. - Fix:
- Update to the latest main branch (scripts now skip gracefully when those blocks are missing), or
- Reintroduce the section into
spec.local.jsonusingspec.dspm.template.jsonas a reference.
- Symptoms:
31-Foundry-ConfigureContentSafety.ps1logsfoundry.contentSafety.endpoint not provided. - Fix: Provide the Content Safety endpoint and either a Key Vault secret reference or confirm Entra ID access works for the AI subscription. This message is informational; populate the block only when you are ready to configure Content Safety.
- Symptoms:
postprovision.ps1fails with backtick or markdown tokens in the error message. - Fix: Ensure PowerShell scripts do not contain stray Markdown fences (````` ```). Run
git statusto confirm only README/docs changed.
- Symptoms: No logs appear in Log Analytics after running
07-Enable-Diagnostics.ps1. - Fix:
- Verify the
defenderForAI.logAnalyticsWorkspaceIdvalue in the spec points to an existing workspace with the correct permissions. - Confirm the Defender plan (
enableDefenderForCloudPlans) includesCognitiveServicesand that Defender for Cloud is enabled in the subscription.
- Verify the
If your issue is not listed here, open a new issue in the repository with the failing script name, the exact error text, and the relevant snippet from spec.local.json (redacting secrets).
- Symptoms:
ConvertFrom-Json: Invalid JSON primitiveor scripts fail immediately with parsing errors. - Fix:
- Validate your spec:
Get-Content ./spec.local.json | ConvertFrom-Json - Common issues: trailing commas, missing quotes around values, unescaped characters in paths
- Use VS Code with JSON extension for syntax highlighting and error detection
- Validate your spec:
- Symptoms:
The term 'Get-AzContext' is not recognizedor similar module errors. - Fix:
# Install required modules Install-Module Az -Scope CurrentUser -Force -AllowClobber Install-Module Az.Security -Scope CurrentUser -Force Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force # for m365 tag # Verify installation Get-Module Az -ListAvailable
- Symptoms: Scripts create resources in wrong subscription or fail with "resource not found".
- Fix:
# Check current context Get-AzContext # Switch to correct subscription Set-AzContext -Subscription \"<subscription-id-from-spec>\" # Verify tenant matches (Get-AzContext).Tenant.Id # Should match tenantId in spec
- Symptoms:
02-Ensure-PurviewAccount.ps1fails with "resource not found". - Fix:
- Verify
purviewAccount,purviewResourceGroup, andpurviewSubscriptionIdin spec match exactly (case-sensitive) - Confirm the Purview account exists: Azure Portal → Microsoft Purview accounts
- Ensure you have at least Reader access to the Purview resource
- Verify
- Symptoms:
azd upfails with "Step '…26-Ensure-FabricWorkspaceSensitivity.ps1' requires Microsoft 365 connectivity. Re-run with -ConnectM365 plus either -M365UserPrincipalName or app-only parameters." - Fix:
- Ensure
dagaConnectM365 = trueininfra/main.bicepparam(this is the default). The post-provision hook automatically detects the M365 UPN from the Azure CLI login context (az account show), so you do not need to hardcodedagaM365UserPrincipalName. Just runaz loginandazd auth loginbeforeazd up. - If auto-detection does not work (e.g., service principal login), provide the UPN explicitly via one of these methods:
- Set
dagaM365UserPrincipalNameininfra/main.bicepparam - Set the environment variable
DAGA_POSTPROVISION_M365_UPN - Run directly:
pwsh ./run.ps1 -Tags foundation,dspm,defender,foundry -SpecPath ./spec.local.json -ConnectM365 -M365UserPrincipalName <upn>
- Set
- Ensure
-
Symptoms:
26-Ensure-FabricWorkspaceSensitivity.ps1logs "WARNING: Missing Fabric sensitivity labels" with label names that could not be resolved. -
Fix:
- Open the Microsoft Purview compliance portal → Information protection → Labels.
- Note the exact display name of the desired label (e.g.,
GeneralnotGeneral usage). Parent/child labels use backslash format:Confidential\All Employees. - Update
sensitivityLabelvalues inspec.local.jsonto match the exact display name, then rerun.
-
Symptoms:
26-Apply-FabricLakehouseSensitivity.ps1logs "Failed to apply label to lakehouse … 403 (Forbidden)". -
Fix:
- Ensure the operator account has Contributor or Member access on the Fabric workspace.
- Verify the account has an Information Protection P1 or P2 license (required to set sensitivity labels via API).
- In the Purview compliance portal, confirm the label's publish policy includes the operator account or a group it belongs to.
- Symptoms:
27-Register-FabricWorkspace.ps1logs "409 (Conflict)" errors and falls back to a shared PowerBI datasource. - Fix: This is expected when a workspace-scoped datasource already exists or conflicts with tenant-level registrations.
- The script falls back to a shared datasource automatically. No immediate action is required.
- After deployment, open the Purview portal, navigate to the shared datasource, and create a workspace-scoped scan definition manually to avoid unscoped tenant-wide scans.
- Set
fabric.scanAutomationModetorunOnlyinspec.local.jsonso subsequent runs trigger the scan without overwriting it.
After running the accelerator, validate that services are correctly configured:
- Sign in to Microsoft Purview portal
- Navigate to Data Security Posture Management for AI
- Verify Secure interactions for enterprise AI apps shows as Enabled
- Check Recommendations tab for any outstanding items
- Sign in to Azure Portal
- Navigate to Microsoft Defender for Cloud → Environment settings
- Select your subscription → Defender plans
- Verify AI Services shows as On
- Click Settings → Confirm Enable data security for AI interactions is On
- Navigate to Log Analytics workspace specified in spec
- Run query:
AzureDiagnostics | where ResourceProvider == "MICROSOFT.COGNITIVESERVICES" | take 10 - If results appear, diagnostics are configured correctly (may take 15-30 minutes after initial setup)
- Sign in to Microsoft Purview compliance portal
- Navigate to Data loss prevention → Policies
- Verify your DLP policy appears and shows On status
- Navigate to Information protection → Labels to verify sensitivity labels
If you're still stuck:
- Check existing issues: GitHub Issues
- Open a new issue with:
- Script name that failed
- Exact error message
- Relevant
spec.local.jsonsnippet (redact secrets!) - PowerShell version (
$PSVersionTable) - Az module version (
Get-Module Az -ListAvailable)
- Community discussions: Use GitHub Discussions for questions and best practices