IBM Support

SCOM Managed Instance Deployment Failure

How To


Summary

Deployment of SCOM MI (Managed Instance) fails during input validation because the Managed Identity cannot reach the Key Vault and read the secret, even though the SCOM MI subnet and the Key Vault are in the same subnet and the correct permissions have been granted to the Managed Instance.

Objective

Deploy SCOM Managed Instance (MI).

Environment

Azure

Steps

Microsoft recommends checking the following potential causes and troubleshooting steps:

Network Security Groups (NSGs):

  • Ensure that the NSGs associated with the subnet allow traffic between the Managed Identity and the Key Vault. Check inbound and outbound rules to verify that they permit the necessary traffic.

Service Endpoints or Private Endpoints:

  • Verify that the Key Vault has the appropriate service endpoints or private endpoints configured to allow access from the subnet where the Managed Identity resides.

Firewall Settings:

  • Check the firewall settings of the Key Vault to ensure that it allows access from the subnet or the specific IP range of the Managed Identity.

Managed Identity Permissions:

  • Double-check the permissions assigned to the Managed Identity. Ensure that it has the necessary roles (e.g., Key Vault Reader) to access the secrets in the Key Vault.

DNS Resolution:

  • Ensure that DNS resolution is working correctly within the subnet. Sometimes, DNS issues can prevent the Managed Identity from reaching the Key Vault.

Azure Policy:

  • Check whether any Azure Policies restrict access or cause compliance issues.

Resource Configuration:

  • Verify that the Managed Identity and Key Vault are correctly configured and associated with the right resources.

To further diagnose the issue, you can use tools like Azure Network Watcher to check connectivity and trace routes between the Managed Identity and the Key Vault.

Microsoft acknowledged the following:

Received confirmation from the Microsoft product team that using a private link on the KeyVault is NOT supported for SCOM Managed Instance and there are no plans at this time to add the functionality. They will be updating the documentation to reflect this since it wasn’t documented previously.
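The checks above (firewall and service-endpoint rules, Managed Identity permissions) and the private-link limitation just described can be reviewed offline from exported resource JSON. The following script is an added example, not part of this document or of any Microsoft or IBM tooling. It assumes the input is shaped like the output of `az keyvault show` and `az role assignment list` (field names such as `properties.networkAcls.virtualNetworkRules`, `privateEndpointConnections`, `enableRbacAuthorization`, `roleDefinitionName` and `scope`); the subscription, vault, subnet and principal identifiers are constructed placeholders. NSG and DNS checks need live tooling (Network Watcher, `nslookup` from the subnet) and are not covered here.

```python
"""Offline review of a Key Vault's network and permission configuration for a
SCOM Managed Instance deployment. Inputs are constructed samples shaped like
`az keyvault show` and `az role assignment list` output (assumption: the field
names below match what the Azure CLI returns); replace them with real output."""
import copy
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
VAULT_ID = SUB + "/resourceGroups/rg-scom/providers/Microsoft.KeyVault/vaults/kv-scom-example"
SCOM_SUBNET_ID = (SUB + "/resourceGroups/rg-scom/providers/Microsoft.Network"
                  "/virtualNetworks/vnet-scom/subnets/snet-scom-mi")
MI_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object id

# Constructed sample: a vault with a private endpoint, a deny-by-default firewall
# that does not list the SCOM MI subnet, and RBAC enabled.
SAMPLE_VAULT = {
    "id": VAULT_ID,
    "properties": {
        "enableRbacAuthorization": True,
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []},
        "privateEndpointConnections": [
            {"id": VAULT_ID + "/privateEndpointConnections/pe-kv-scom"}],
        "accessPolicies": [],
    },
}

# Constructed sample: the identity only holds Key Vault Reader on the vault.
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": MI_PRINCIPAL_ID, "roleDefinitionName": "Key Vault Reader", "scope": VAULT_ID},
]

# Built-in data-plane roles that allow reading secret values under RBAC.
# "Key Vault Reader" reads vault metadata only, not secret contents.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer", "Key Vault Administrator"}


def check_vault(vault, subnet_id, principal_id, role_assignments):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    props = vault["properties"]

    # Private link: documented above as unsupported for SCOM MI.
    if props.get("privateEndpointConnections"):
        findings.append("UNSUPPORTED: vault has private endpoint connections; "
                        "private link on the Key Vault is not supported for SCOM MI")

    # Firewall / service endpoint: with defaultAction=Deny the SCOM MI subnet must be listed.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "deny":
        allowed = {r.get("id", "").lower() for r in acls.get("virtualNetworkRules", [])}
        if subnet_id.lower() not in allowed:
            findings.append(f"FIREWALL: subnet {subnet_id} is not in virtualNetworkRules")
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        findings.append("FIREWALL: publicNetworkAccess is Disabled, so only private "
                        "endpoints could reach the vault")

    # Permissions: an RBAC role at or above vault scope, or a legacy access policy with secrets/get.
    if props.get("enableRbacAuthorization"):
        roles = {ra["roleDefinitionName"] for ra in role_assignments
                 if ra["principalId"].lower() == principal_id.lower()
                 and vault["id"].lower().startswith(ra["scope"].lower())}
        if not roles & SECRET_READ_ROLES:
            findings.append(f"PERMISSIONS: identity holds {sorted(roles) or 'no roles'} on the "
                            f"vault; needs one of {sorted(SECRET_READ_ROLES)}")
    else:
        policies = [p for p in props.get("accessPolicies", [])
                    if p.get("objectId", "").lower() == principal_id.lower()]
        secret_perms = {s.lower() for p in policies
                        for s in p.get("permissions", {}).get("secrets", [])}
        if "get" not in secret_perms:
            findings.append("PERMISSIONS: no access policy grants secrets/get to the identity")
    return findings


def remediated_vault(vault, subnet_id):
    """Copy of `vault` with the private endpoint removed, the SCOM MI subnet
    allowed through the firewall and public network access re-enabled."""
    fixed = copy.deepcopy(vault)
    props = fixed["properties"]
    props["privateEndpointConnections"] = []
    props["publicNetworkAccess"] = "Enabled"
    props.setdefault("networkAcls", {}).setdefault("virtualNetworkRules", []).append({"id": subnet_id})
    return fixed


# Constructed sample: the identity holds a role that can read secret values.
REMEDIATED_ROLE_ASSIGNMENTS = [
    {"principalId": MI_PRINCIPAL_ID, "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
]

if __name__ == "__main__":
    cases = [("as deployed", SAMPLE_VAULT, SAMPLE_ROLE_ASSIGNMENTS),
             ("remediated", remediated_vault(SAMPLE_VAULT, SCOM_SUBNET_ID), REMEDIATED_ROLE_ASSIGNMENTS)]
    for label, vault, ras in cases:
        print(label, json.dumps(check_vault(vault, SCOM_SUBNET_ID, MI_PRINCIPAL_ID, ras), indent=2))
```

Run against the constructed sample, the script reports the private endpoint as unsupported, the missing subnet rule and disabled public access as firewall findings, and the Key Vault Reader assignment as insufficient; the remediated configuration produces no findings. To use it on a real deployment, replace the sample dictionaries with `json.load` of the saved CLI output and the placeholders with the actual subnet and principal identifiers.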

Document Location

Worldwide


Document Information

Modified date:
19 September 2025

UID

ibm17240763