403 AuthorizationFailed on Metrics Collection

Symptom

On the Scan History page, a completed scan's Warnings column shows an entry for one or more subscriptions. Expanding the warning reveals an error similar to:

403 Forbidden - AuthorizationFailed: does not have authorization to perform action 'Microsoft.Authorization/checkAccess/read'

Cause

The Microsoft.Insights resource provider is not registered on the affected subscription. Azure does not auto-register this provider on every subscription, so it can be missing even when the scanner managed identity has the correct RBAC role. This most commonly shows up on subscriptions that recently had their first VM added.

Why the error mentions checkAccess

The misleading Microsoft.Authorization/checkAccess/read message is what Azure returns when the metrics API is called against a subscription whose Microsoft.Insights provider is unregistered. Granting more RBAC permissions will not fix it — the provider itself has to be registered.

Resolution: Azure Portal

This is the recommended path for most users.

  1. Sign in to the Azure Portal.
  2. In the top search bar, search for Subscriptions and open it.
  3. Select the subscription that produced the 403 error.
  4. In the subscription's left navigation, under Settings, select Resource providers.
  5. In the filter box, type Microsoft.Insights.
  6. Select the Microsoft.Insights row. If Status shows NotRegistered or Unregistered, click Register in the toolbar.
  7. Wait until Status changes to Registered. This typically takes 1–2 minutes; you may need to click Refresh.

Subscription Settings → Resource providers, filtered to Microsoft.Insights. Select the row, then use Register in the top toolbar. (When already registered, the toolbar shows Re-register and Unregister instead.)

Repeat per affected subscription

Resource provider registration is per subscription. If multiple subscriptions reported the same 403, repeat the steps above for each one.

Resolution: Azure CLI

If you prefer the command line, the same registration can be performed with the Azure CLI. Replace <subscription-id> with the subscription GUID.

Register the provider:

az provider register --namespace Microsoft.Insights --subscription <subscription-id>

Wait 1–2 minutes, then verify the registration state:

az provider show --namespace Microsoft.Insights --subscription <subscription-id> --query "registrationState"

The command should return "Registered". If it still returns "Registering", wait another minute and try again.
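
When several subscriptions reported the 403, the register and verify steps above can be looped. The script below is an added example, not part of StratoLens or the Azure CLI; it uses only the two az commands shown above, and the function names, the POLL_SECONDS and MAX_POLLS settings and the script file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ensure Microsoft.Insights is registered on each subscription.
NAMESPACE="Microsoft.Insights"
POLL_SECONDS="${POLL_SECONDS:-15}"  # assumption: seconds between state checks
MAX_POLLS="${MAX_POLLS:-12}"        # assumption: give up after 12 checks

# Print the provider's registrationState for subscription $1.
insights_state() {
  az provider show --namespace "$NAMESPACE" --subscription "$1" \
    --query "registrationState" --output tsv
}

# Register the provider on $1 if needed and poll until it is Registered.
# Returns 0 once Registered, 1 on timeout or az failure.
ensure_insights_registered() {
  eir_state="$(insights_state "$1")" || return 1
  if [ "$eir_state" = "Registered" ]; then
    echo "$1: already Registered"
    return 0
  fi
  echo "$1: state is $eir_state, registering"
  az provider register --namespace "$NAMESPACE" --subscription "$1" || return 1
  eir_polls=0
  while [ "$eir_polls" -lt "$MAX_POLLS" ]; do
    eir_state="$(insights_state "$1")" || return 1
    if [ "$eir_state" = "Registered" ]; then
      echo "$1: Registered"
      return 0
    fi
    sleep "$POLL_SECONDS"
    eir_polls=$((eir_polls + 1))
  done
  echo "$1: still $eir_state after $MAX_POLLS checks" >&2
  return 1
}

# Run the check for every subscription ID given; fail if any did not finish.
register_all() {
  ra_failed=0
  for ra_sub in "$@"; do
    ensure_insights_registered "$ra_sub" || ra_failed=$((ra_failed + 1))
  done
  [ "$ra_failed" -eq 0 ]
}

# Usage: sh register-insights.sh <subscription-id> [<subscription-id> ...]
if [ "$#" -gt 0 ]; then
  register_all "$@"
fi
```

The script exits non-zero if any subscription has not reached Registered within the polling window, so it can gate a follow-up manual scan.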

Verify in StratoLens

Once the provider is registered, the next scan collects performance metrics for that subscription normally. Either wait for the next scheduled scan, or kick off a manual scan from Scans → Overview. Confirm the 403 no longer appears in the scan log and that performance data populates on the Performance Metrics page.

One-time fix

Resource provider registration persists. Once Microsoft.Insights is registered on a subscription, you do not need to register it again.

Further reading

Microsoft's official documentation covers Azure resource providers in depth, including portal, CLI, and PowerShell registration: Azure resource providers and types.