When using Enterprise Policy as Code (EPaC) in your Azure environment, you may encounter errors where automated remediation tasks fail to start. This issue can be frustrating, especially when pipeline logs provide little detail about the root cause.
Why EPaC Remediation Tasks Fail to Start
If your remediation tasks are not starting, check the Azure Activity Logs for more information. Focus on the deploymentRootScope of your specific Policy as Code (PAC) environment.
A common error message is:
The management group %name% or any of its ancestors are not registered to 'Microsoft.PolicyInsights'. Creating remediation tasks for large number of resources in management group scopes requires that the management group is registered to the 'Microsoft.PolicyInsights' resource provider. Please register the management group and try again. See https://aka.ms/ResourceProviderMGRegistration for more details.
This means the Microsoft.PolicyInsights resource provider is not registered at the management group scope. As of now, the Azure Portal does not support registering resource providers at this level, so you must do it via a REST API call.
How to Register Microsoft.PolicyInsights at Management Group Scope
Follow these steps to resolve the issue and enable EPaC remediation tasks. Any tool that can send an authenticated REST call will do (Postman, Bruno, and so on); this example uses PowerShell.
- Connect to Azure: make sure you have the latest Az PowerShell modules installed and connect to Azure:
Connect-AzAccount
- Register the Resource Provider: replace the $managementGroupId with your own management group ID and run the following script:
$managementGroupId = "45b162b1-d0c3-45b2-865e-d1e6a996f3e5" # Replace with your management group ID
$resourceProviderNamespace = "Microsoft.PolicyInsights"
# ARM endpoint for registering a resource provider at management group scope
$url = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$managementGroupId/providers/$resourceProviderNamespace/register?api-version=2021-04-01"
# Bearer token for the ARM audience, taken from the Connect-AzAccount session
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
$headers = @{
'Authorization' = "Bearer $token"
}
# The register call is a POST with no body
Invoke-WebRequest -Uri $url -Method POST -Headers $headers
A successful registration will return a StatusCode of 200.
Once the resource provider is registered, EPaC will be able to start remediation tasks automatically.
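The same registration wrapped in a reusable function, as an added example that is not part of the original post: it registers the provider for several management groups in one run, supports -WhatIf, and keeps the ARM error body so an authorization or scope failure is readable instead of a bare exception. The function name, parameter names and the management group IDs in the usage line are my own and assume Az.Accounts is installed and Connect-AzAccount has already been run.

```powershell
# Added example, not the original post's code. Assumes an active Connect-AzAccount session.
function Register-PolicyInsightsAtManagementGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ManagementGroupId,   # hypothetical parameter names
        [string] $ProviderNamespace = 'Microsoft.PolicyInsights',
        [string] $ApiVersion = '2021-04-01'
    )

    # Older Az.Accounts releases return the token as a plain string, newer ones as a
    # SecureString; unwrap either form so the script works on both.
    $raw = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
    $token = if ($raw -is [securestring]) { [System.Net.NetworkCredential]::new('', $raw).Password } else { $raw }
    $headers = @{ Authorization = "Bearer $token" }

    foreach ($mg in $ManagementGroupId) {
        # Same ARM endpoint as the manual step, parameterised per management group
        $url = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$mg/providers/$ProviderNamespace/register?api-version=$ApiVersion"
        if (-not $PSCmdlet.ShouldProcess($mg, "Register $ProviderNamespace")) { continue }
        try {
            $resp = Invoke-WebRequest -Uri $url -Method POST -Headers $headers -ErrorAction Stop
            [pscustomobject]@{ ManagementGroup = $mg; StatusCode = $resp.StatusCode; Result = 'Registered' }
        }
        catch {
            # ARM returns a JSON error body (for example an authorization failure on the
            # management group); surface it so the cause is visible in pipeline logs.
            $detail = $_.ErrorDetails.Message
            if (-not $detail) { $detail = $_.Exception.Message }
            $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
            [pscustomobject]@{ ManagementGroup = $mg; StatusCode = $code; Result = $detail }
        }
    }
}

# Usage with constructed management group IDs: the deploymentRootScope and one child group.
Register-PolicyInsightsAtManagementGroup -ManagementGroupId 'mg-root', 'mg-landingzones'
```

Run it with -WhatIf first to confirm the target management groups; a StatusCode of 200 in the output matches the successful result described above.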
Summary
If you encounter the “EPaC Failed to Start Remediation” error, ensure the Microsoft.PolicyInsights resource provider is registered at the management group scope using PowerShell. This will resolve the issue and allow your remediation tasks to run as expected.
For more details, refer to the official Microsoft documentation.