Malware Enable Permission Errors

When creating a new storage account through the Zapper Edge portal you may see a “Creation Failed” alert (the screenshot in the resolution section below shows the error as it appears in the portal).

The message indicates that the deployed App Service does not have permission to create the storage account. The following guide explains the cause of the error and provides step‑by‑step instructions to resolve it.

Error Summary

The portal displays an error stating that the client does not have authorization to perform Microsoft.Resources/subscriptions/resourcegroups/read over the specified scope. This means the managed identity used by the App Service is missing the necessary role assignment. To fix the problem, grant the App Service’s managed identity the appropriate role‑based access control (RBAC) permissions at the subscription level.

Root Cause

This issue typically arises because:

  • The managed identity associated with the App Service does not have the Defender for Storage Scanner Operator role on the subscription.

  • Permissions were added after the app was deployed but the app’s credentials were not refreshed.

  • The scope of the role assignment (subscription or resource group) was misconfigured or inaccessible.

Step-by-Step Resolution

Follow these steps in the Azure portal to assign the required role to your App Service’s managed identity. Use the Zapper Edge Subscription → Access control (IAM) page under the subscription in which the storage account is being created:

(Screenshot: the “Creation Failed” error)

  • Select Add role assignment.

  • Search for Defender for Storage Scanner Operator. This built‑in role lets your app enable and configure Azure Defender for Storage’s malware and sensitive data scanning on storage accounts.

  • Select the Defender for Storage Scanner Operator role and click Next.

  • Under Members, pick Managed identity and select the managed identity of your App Service. Click Select, then Next.

  • Review and assign the role.

The following screenshots illustrate searching for and selecting the Defender role and completing the assignment:

(Screenshot: searching for the Defender for Storage Scanner Operator role)

(Screenshot: enabling the “Defender for Storage Scanner Operator” role)

(Screenshot: reviewing and assigning the Defender for Storage Scanner Operator role)

Refreshing Credentials

After granting the roles, wait a few minutes for the role assignments to propagate. Then restart your App Service or redeploy it to refresh its credentials. This forces the managed identity to obtain a new token with the updated permissions.

Validation Checklist

Before retrying the storage account creation, confirm that:

  • The Contributor role is assigned to the managed identity at the subscription level.

  • The Storage Blob Data Contributor role is assigned to the managed identity.

  • The Defender for Storage Scanner Operator role is assigned to the managed identity.

  • The App Service has been restarted or redeployed to refresh its credentials.
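The step-by-step resolution and the checklist above can both be verified from the command line instead of by clicking through the portal. The following script is an added example, not Zapper Edge code: it reads the JSON that `az role assignment list --assignee <principal-id> --all --output json` produces for the App Service’s managed identity (the identity’s Object (principal) ID from the App Service’s Identity blade) and reports which of the three required roles are held at subscription scope, which are held only on a narrower scope such as a resource group (the misconfiguration named under Root Cause), and which are missing altogether. The role names are taken from this page; the principal and subscription IDs and the assignment list are constructed placeholders, and only the output fields the check reads are included.

```python
import json
from dataclasses import dataclass, field

# Roles the validation checklist expects on the App Service's managed identity.
REQUIRED_ROLES = (
    "Contributor",
    "Storage Blob Data Contributor",
    "Defender for Storage Scanner Operator",
)

# Constructed sample in the shape of
#   az role assignment list --assignee <principal-id> --all --output json
# Only the fields this check reads are included; all IDs are placeholders.
PRINCIPAL_ID = "aaaaaaaa-0000-0000-0000-000000000001"
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": PRINCIPAL_ID,
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": PRINCIPAL_ID,  # assigned on a resource group only
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-zapper"},
    {"principalId": "bbbbbbbb-0000-0000-0000-000000000002",  # a different identity
     "roleDefinitionName": "Defender for Storage Scanner Operator",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
])


@dataclass
class RoleCheck:
    present: list = field(default_factory=list)         # held at subscription (or management group) scope
    narrower_scope: list = field(default_factory=list)  # held only on a resource group/resource in the subscription
    missing: list = field(default_factory=list)         # not held by this principal at all

    @property
    def ok(self) -> bool:
        return not self.narrower_scope and not self.missing


def _covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment at `scope` applies to the whole subscription.
    Scopes are compared case-insensitively because Azure returns mixed case."""
    s = scope.lower().rstrip("/")
    return (s == f"/subscriptions/{subscription_id.lower()}"
            or s.startswith("/providers/microsoft.management/managementgroups/"))


def _inside_subscription(scope: str, subscription_id: str) -> bool:
    """True if `scope` is a resource group or resource below the subscription."""
    return scope.lower().startswith(f"/subscriptions/{subscription_id.lower()}/")


def check_roles(assignments_json: str, principal_id: str, subscription_id: str) -> RoleCheck:
    """Classify each required role for one principal: present, narrower_scope or missing."""
    assignments = json.loads(assignments_json)
    result = RoleCheck()
    for role in REQUIRED_ROLES:
        scopes = [a["scope"] for a in assignments
                  if a.get("principalId", "").lower() == principal_id.lower()
                  and a.get("roleDefinitionName") == role]
        if any(_covers_subscription(s, subscription_id) for s in scopes):
            result.present.append(role)
        elif any(_inside_subscription(s, subscription_id) for s in scopes):
            result.narrower_scope.append(role)
        else:
            result.missing.append(role)
    return result


if __name__ == "__main__":
    # Real use: pipe the az output into this script instead of SAMPLE_ASSIGNMENTS.
    report = check_roles(SAMPLE_ASSIGNMENTS, PRINCIPAL_ID, SUBSCRIPTION_ID)
    print("present at subscription scope:", report.present)
    print("only on a narrower scope:     ", report.narrower_scope)
    print("missing:                      ", report.missing)
    print("checklist satisfied:          ", report.ok)
```

On the constructed input the report shows Contributor as present, Storage Blob Data Contributor as held only on a resource group, and the Defender role as missing, because the only assignment of that role belongs to a different principal. An assignment at management-group scope is counted as covering the subscription since RBAC inherits downward; nothing below the subscription is.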

Need Help?

If the error persists after completing these steps, contact Zapper Edge Support at support@zapperedge.com.
