Onboarding of subscription fails and you get an error message as shown below in the logs:

Error in connection service

Aug 14 08:06:55 uazuq-uEcs-ip-10-63-140-190 uazuq/uconnsvc/use1: ts=1692000414236718910 service=ConnectionSvc QWERTYTS=14-08-2023#08:06:54 type=debug correlationid=1799eaf10eb559f3545d8c8420645ec0:545d8c8420645ec0:2f0ffe190a3d2836 tokenType=ProductToken identityType=admin identityID=hp2@druva.org globalID=67ca049b-1977-4fd2-ad08-c369253a6d63 MicrosoftTenantID=74e1ac8c-ac5f-4233-967d-9f4fd3d56629 org=68 message=" Error in creating key vault " error="Codes:[MissingSubscriptionRegistration], Msg: The subscription is not registered to use namespace 'Microsoft.KeyVault'. Seehttps://aka.ms/rps-not-foundfor how to register subscriptions." microsoftSubscriptionID=2c52c669-66ad-4361-9931-3dcf0c30253b

A resource provider or Key Vault service is not registered for the subscription.

Register the Azure Key Vault service for the subscription and then onboard the subscription.

Onboarding of subscription fails with the following error message:

Selected user account does not exist in tenant 'Druva Operations' and cannot access the application 'e655ec9b-bddd-47a3-8e1c-07b99587d873' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

The Entra ID user account does not meet the requirements of Druva’s onboarding mechanism.

To resolve this issue, you could onboard using another user account with the assigned Global Administrator role.

Alternatively, you will need to create a dedicated User Account within the Azure Entra ID directory, and assign the Global Administrator role.

📝 Note

To onboard new subscriptions, you will need a Global Administrator role or the Tenant Owner role. For more information, see Prerequisites to onboarding Azure subscriptions.

Steps to assign Role

To know more about troubleshooting user account related issues and application access, refer to the Microsoft documentation.

Onboarding of subscription fails with the DisallowedByPolicy error.

Policy restrictions for the Region selected during onboarding, indicating a deny policy definition for the specific Region.

Verify that all the prerequisites for onboarding your Azure subscriptions are met.

Ensure that the Region where you want to create the resource group and key vault are selected as Allowed locations under Policy assignments.

For more information, see Onboarding failure with policy restrictions.

Onboarding of subscription fails because Resource group creation is disallowed by the Azure policy.
​

Update policy definition and allow Resource group creation without tags.

Onboarding of subscription fails because key vault creation is disallowed by the Azure policy.
​

Update the Azure policy to allow key vault creation.

Onboarding of subscription fails because Managed Identity creation is disallowed by the Azure policy.
​

Update the Azure policy to allow Managed Identity creation.

Onboarding of subscription fails because the selected subscription has a read-only lock.

Remove the read-only lock from the subscription.

Go to "Subscriptions".

Select your target subscription.

In the left menu, click "Locks" under Settings.

Onboarding of subscription fails because of conditional access.

Ensure that you have the appropriate permissions to perform this task. The required permissions are listed here.

Related keywords: key vault, keyvault, azurevault, vault, azure vault, azure vault key, azurevaultkey