How to Troubleshoot Azure Partner Solutions
Why Azure Partner Solutions Troubleshooting Is So Confusing
I've seen this exact situation on dozens of Azure tenants: you deploy a partner solution , Datadog, Elastic, New Relic, Palo Alto Cloud NGFW, or one of the other integrated ISV offerings in the Azure Marketplace , and something just doesn't work. Maybe the linked account never connects. Maybe logs stop flowing. Maybe the deployment itself fails with a cryptic ARM error like DeploymentFailed or ResourceOperationFailure and the portal gives you nothing useful to work with.
Here's the thing Microsoft doesn't advertise clearly: Azure Partner Solutions are a distinct product category. They sit in a strange middle ground, they're managed through the Azure portal, billed through Azure, but the underlying software and its API integrations belong to a third party. That split ownership is exactly why Azure Partner Solutions troubleshooting is harder than fixing a broken VM or a misconfigured App Service. When something breaks, it could be on Azure's side, the ISV's side, or in the handshake between them.
The most common issues I see break down into four buckets. First, resource provider registration failures, your subscription hasn't registered the namespace the partner solution needs (for example, Microsoft.Datadog or Microsoft.Elastic), and the portal error message gives you nothing except a red X. Second, identity and permissions gaps, the managed identity or service principal the partner resource uses doesn't have the right RBAC role assignments, so logs never reach the destination. Third, linked account or organization binding failures, the partner's SaaS backend can't match your Azure subscription to an existing account, especially common when your organization uses single sign-on or has strict conditional access policies. Fourth, billing and plan mismatch errors, you're trying to deploy a plan that isn't available in your subscription offer type (CSP, EA, or pay-as-you-go) or your Azure region.
What makes this worse is that Azure's own error messages for partner solution failures are genuinely unhelpful. You'll see things like "The resource operation completed with terminal provisioning state 'Failed'" with no inner error surfaced in the portal UI. The actual root cause is buried in the Activity Log, and even then it's sometimes encoded in a way that requires decoding the ARM operation response manually.
I know how frustrating this is, especially when your team's monitoring pipeline or security tooling depends on that integration actually working. Let's fix it. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep into logs and registry edits, run through this single checklist. In my experience, about 60% of Azure Partner Solutions not working cases are caused by one of these three things, and you can check all three in under five minutes.
Step 1: Verify resource provider registration. Open the Azure portal, navigate to your subscription, then go to Settings > Resource providers. Search for the partner's namespace. For Datadog it's Microsoft.Datadog, for Elastic it's Microsoft.Elastic, for Confluent it's Microsoft.Confluent, and so on. If the status shows NotRegistered, that's your problem right there. Click the provider and hit Register. It takes 2–5 minutes to propagate.
You can also do this faster in PowerShell:
# Replace with the correct namespace for your partner
Register-AzResourceProvider -ProviderNamespace "Microsoft.Datadog"
# Then check status
Get-AzResourceProvider -ProviderNamespace "Microsoft.Datadog" | Select-Object RegistrationStateStep 2: Check your Activity Log for the real error. Go to Monitor > Activity log, filter by Status: Failed and the relevant timeframe. Click the failed operation entry and expand the JSON tab. Look for the statusMessage field, inside it there's usually a nested error object with a real code and message that the portal UI deliberately hides from the main screen.
Step 3: Confirm your plan is available in your region and subscription type. Not every partner plan is available in every Azure region or offer type. Go to the partner solution's Marketplace listing, click Plans + Pricing, and verify your target region is listed. CSP subscriptions in particular have reduced Marketplace availability.
statusMessage JSON field inside the failed event almost always contains the real ISV error code that the portal swallows.
This is the root cause of more Azure partner solution deployment errors than anything else, and it's invisible unless you know where to look. When you create a partner resource for the first time, say a Datadog monitor or an Elastic deployment, Azure needs the corresponding resource provider namespace registered on that subscription. If it isn't, the deployment fails with an error code like MissingSubscriptionRegistration or, more confusingly, just DeploymentFailed.
Navigate to Home > Subscriptions > [your subscription] > Settings > Resource providers. In the search box, type the partner name. Each ISV has its own namespace:
Datadog: Microsoft.Datadog
Elastic: Microsoft.Elastic
Confluent: Microsoft.Confluent
NewRelic: NewRelic.Observability
Palo Alto: PaloAltoNetworks.Cloudngfw
NGINX: NGINX.NginxPlus
Dynatrace: Dynatrace.ObservabilityIf status says NotRegistered, select it and click Register at the top of the blade. The status will cycle through Registering before settling on Registered, this takes between 90 seconds and 5 minutes depending on the provider. Don't try to redeploy before it's fully registered.
If you're managing multiple subscriptions or doing this in a pipeline, PowerShell is more reliable:
$providers = @("Microsoft.Datadog","Microsoft.Elastic","Microsoft.Confluent")
foreach ($p in $providers) {
Register-AzResourceProvider -ProviderNamespace $p
Write-Host "Registering $p..."
}
# Poll until all registered
do {
Start-Sleep -Seconds 15
$states = $providers | ForEach-Object {
(Get-AzResourceProvider -ProviderNamespace $_).RegistrationState
}
Write-Host $states
} until ($states -notcontains "Registering")Once registration completes, retry your partner solution deployment. If it succeeds, you're done. If it still fails, move to Step 2.
Here's a subtle issue that kills Azure partner solution integration silently: the partner resource deploys successfully, but logs and metrics never flow because the managed identity it uses doesn't have adequate permissions. You won't get an error, the integration just sits there looking healthy while delivering nothing.
Every Azure Partner Solution that ingests diagnostic data (logs, metrics, traces) uses a system-assigned or user-assigned managed identity under the hood. That identity needs specific role assignments on the resources it monitors. For most observability partners like Datadog or Elastic, the minimum required role is Monitoring Reader at the subscription scope. For partners that also write data back (like some security partners), Contributor at the resource group scope may be needed.
Check the current assignments in the portal: go to Subscriptions > [subscription] > Access control (IAM) > Role assignments. Filter by the partner resource's name. If you see nothing, that's your problem.
To fix it via PowerShell:
# Get the managed identity principal ID from the partner resource
$partnerResource = Get-AzResource -ResourceType "Microsoft.Datadog/monitors" -Name "your-datadog-resource"
$principalId = $partnerResource.Identity.PrincipalId
# Assign Monitoring Reader at subscription scope
New-AzRoleAssignment `
-ObjectId $principalId `
-RoleDefinitionName "Monitoring Reader" `
-Scope "/subscriptions/$($(Get-AzContext).Subscription.Id)"After assigning the role, give it 5–10 minutes to propagate across Azure's authorization caches. Then go into your partner solution's resource blade, click Monitored resources (or equivalent for your partner), and verify resources are now appearing with a Sending logs status. If you still see Not sending, check whether the specific resource types are enabled in the partner solution's Logs or Metrics configuration blade.
When you create an Azure partner solution linked to an existing ISV account, for example, connecting your Datadog organization or your Elastic Cloud deployment, Azure needs to perform an OAuth handshake between your Azure AD tenant and the partner's SaaS backend. This is the most common source of Azure partner solution integration issues in enterprise environments, because conditional access policies, SAML-based SSO, and tenant restrictions all love to silently block this handshake.
The symptoms are specific: you get to the partner solution creation wizard, fill in your existing account credentials, and hit either a blank white screen, an error saying "Unable to link account," or a redirect loop. In Event Viewer on a Windows client, you may see Event ID 1003 from source Microsoft-Windows-AAD indicating a token acquisition failure.
First, check your tenant's conditional access policies. Go to Azure Active Directory > Security > Conditional Access > Policies and look for any policy that blocks access to external applications or that enforces device compliance for all cloud apps. The partner's application ID needs to be either explicitly allowed or exempted from the blocking policy.
Second, check if your organization uses tenant restrictions (the Restrict-Access-To-Tenants HTTP header injected by a proxy). If so, the partner's tenant ID needs to be added to the allowed list on your proxy configuration.
Third, and this one surprises people, make sure the user performing the link has a valid email address that matches an account in the partner's system. If your Azure AD UPN is an internal format like jsmith@corp.local rather than a routable address, the partner's SSO system can't find the matching account. The fix is to set the user's Mail attribute in Azure AD to a routable address:
# Via MS Graph (requires User.ReadWrite.All)
Update-MgUser -UserId "jsmith@corp.local" -Mail "jsmith@yourdomain.com"After making any of these changes, try the linking flow again in a fresh InPrivate/Incognito browser window to avoid cached credential state.
One of the most reported Azure partner solution diagnostic logs missing scenarios: you've got the integration working, resources are showing up, but the logs just aren't arriving in the partner's platform. This is infuriating because everything looks green on the Azure side.
The issue is almost always in the diagnostic settings pipeline. Azure partner solutions that receive logs use Azure Monitor's diagnostic settings mechanism, the same one that sends logs to Log Analytics or Event Hub. Each individual resource (VM, App Service, SQL Database, etc.) needs its own diagnostic setting pointing at the partner, or you need to use Azure Policy to deploy them at scale.
Check an individual resource first. Pick a resource that should be sending logs. Go to that resource's blade, then Monitoring > Diagnostic settings. You should see a diagnostic setting with a destination pointing to your partner solution. If none exists, that resource is not sending anything regardless of what the partner's portal says.
To create diagnostic settings at scale using Azure Policy, you can use the built-in initiative Configure Azure Monitor diagnostic settings for resources to send to a partner solution, find it in Policy > Definitions, search for your partner name. Assign it at the subscription or management group scope.
For a quick manual check via PowerShell on a specific resource:
# Check if diagnostic settings exist for a specific resource
$resourceId = "/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm-name}"
Get-AzDiagnosticSetting -ResourceId $resourceId
# If empty, create one pointing to your Datadog resource
$datadogResourceId = "/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Datadog/monitors/{monitor-name}"
# Use the partner-specific cmdlets or ARM template for this stepIf diagnostic settings exist but logs still aren't arriving, check the partner solution's own ingestion pipeline. In the Datadog Azure integration blade, look under Metrics and Logs, there are toggle switches per resource type and per log category. Make sure the categories you need (audit logs, performance counters, activity logs) are actually enabled on the partner's side.
Azure partner solution billing issues catch people off guard because the error messages during deployment are completely non-obvious. You'll see something like OfferNotAvailable, PlanNotFound, or InvalidOfferCode, and the portal won't tell you whether it's a region issue, a subscription type issue, or a plan configuration problem.
Here's the breakdown. Partner solutions on the Azure Marketplace come in different plan types: some are PAYG (pay-as-you-go) billed through Azure, some require a pre-existing SaaS subscription (BYOL, bring your own license), and some require your subscription to be on a specific Azure offer (like an Enterprise Agreement). Cloud Solution Provider (CSP) subscriptions have the most restrictions, many ISV Marketplace offers are simply not available to CSP customers without the partner explicitly enabling them.
To diagnose a plan availability error, run this PowerShell to check what plans are actually available for a given offer in your subscription:
# Check available Datadog plans (example)
Get-AzMarketplaceTerms -Publisher "datadog1414965929833" -Product "datadog_agent" -Name "datadog_agent"
# List available offers for a publisher
Get-AzVMImageOffer -Location "eastus" -PublisherName "datadog1414965929833"If your region isn't returning results, the plan genuinely isn't available there. Your options are to deploy the partner solution resource in a supported region (most ISV partner solutions have a Home region concept, the resource lives in one region but can monitor resources globally) or to contact the ISV directly to request region enablement.
For CSP subscription issues, your CSP partner (the Microsoft partner who sold you the subscription) needs to enable the specific Marketplace offer for your tenant through Partner Center. This is a configuration change on their end, not something you can self-serve. Give them the publisher ID and offer ID from the Marketplace listing and ask them to enable it in Partner Center under Marketplace > Customer offers.
Once the plan is available, go back to the Marketplace listing, click Get It Now, and walk through the creation wizard again. Make sure you select the exact plan you confirmed is available, switching plans mid-wizard can silently revert to a plan that doesn't match.
Advanced Troubleshooting for Azure Partner Solutions
If you've worked through the five steps above and things still aren't working, you're likely dealing with one of the less common but harder-to-diagnose scenarios. Here's where enterprise environments and domain-joined machines add extra complexity.
Reading the ARM Deployment Operation Details
When Azure Partner Solutions deployment fails at the ARM layer, the portal shows you only the top-level error. The real detail is in the deployment operation logs. Go to Resource Groups > [your RG] > Settings > Deployments, find the failed deployment, click it, and then click Operation details. Look for the operation with status Failed. Click the three-dot menu and choose View details. The statusMessage field in the JSON response body is where the ISV's own error code lives, things like DATADOG_ORG_NOT_FOUND, ELASTIC_PLAN_ALREADY_EXISTS, or CONFLUENT_QUOTA_EXCEEDED.
Event Viewer Analysis for Client-Side Issues
For partner solutions that involve agent software deployed on VMs (Datadog Agent, Elastic Agent, etc.), Windows Event Viewer is your friend. On the monitored VM, check these locations:
- Applications and Services Logs > Microsoft > Windows > AAD > Operational, Event ID 1098 (token acquisition failure) or 1003 (auth error)
- Windows Logs > Application, filter by Source matching your partner agent name
- Windows Logs > System, Event ID 7000 or 7009 if the agent service failed to start
Network-Level Fixes for Restricted Environments
Partner solutions communicate outbound from your Azure resources to the ISV's SaaS backend. If you have Network Security Groups, Azure Firewall, or on-premises proxy rules that restrict outbound traffic, those connections will fail silently. Each partner publishes a list of required endpoints, for Datadog it's documented under their Azure integration prerequisites, typically requiring outbound HTTPS (port 443) to *.datadoghq.com or *.datadoghq.eu depending on your Datadog region.
Check for blocked outbound connections using NSG flow logs. Go to Monitor > Network > NSG flow logs, enable them on the NSG protecting your resources, and filter for denied outbound flows on port 443. If you see denies to the partner's IP ranges, add an outbound allow rule for those ranges.
Group Policy and Enterprise Proxy Interference
In domain-joined environments, Group Policy Objects can block Azure Marketplace interactions. Specifically, the GPO setting Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Zones may block the OAuth redirect URLs used during partner account linking. If you're seeing the linking flow fail only for domain-joined machines, test from a non-domain machine to confirm. The fix is to add the partner's OAuth redirect domain to the Trusted Sites zone via GPO.
If you've confirmed resource provider registration is correct, RBAC assignments are in place, diagnostic settings exist, and the partner backend confirms they're not receiving data, that's a platform-level issue that needs Microsoft engineering involvement. Open a support ticket at Microsoft Support under Azure > Monitoring > Partner Solutions and include: your subscription ID, the partner resource ARM resource ID, the deployment correlation ID from the Activity Log, and the exact timestamp of the failure. Without those four pieces, support can't pull the internal platform logs that show where the handshake broke.
Prevention & Best Practices for Azure Partner Solutions
Once you've fixed the immediate issue, the goal is making sure you never have to go through this diagnosis process again. Azure partner solution integration issues are almost always preventable with the right setup hygiene.
Automate resource provider registration as part of subscription vending. If your organization uses a subscription vending process (Landing Zone accelerator, Terraform, or Bicep), bake partner resource provider registrations into the base subscription template. Waiting until a developer tries to deploy a partner solution to discover the provider isn't registered costs unnecessary time. Register the providers you know you'll use across the board, registration is free and instant to roll back.
Use Azure Policy to enforce diagnostic settings at scale. Rather than relying on individual teams to configure per-resource diagnostic settings for your partner solutions, deploy an Azure Policy assignment that automatically creates the right diagnostic setting on all matching resource types. This prevents the silent "logs not flowing" scenario because new resources get configured automatically at creation time.
Document your partner solution service principal and managed identity. Keep a simple record, even a spreadsheet, of which managed identities each partner solution uses, what roles they have, and at what scope. When you rotate subscriptions, move resource groups, or restructure management group hierarchies, those role assignments don't always follow. Having the record means you can re-apply them in minutes rather than diagnosing from scratch.
Monitor partner solution health via Azure Resource Health. Go to Monitor > Service Health > Resource Health and add your partner solution resources to your regular health checks. Azure surfaces degraded partner solution integrations here before they cause noticeable data gaps.
- Register all partner resource provider namespaces during new subscription setup, not at first use
- Assign Monitoring Reader to the partner managed identity at subscription scope, not just resource group scope
- Test the partner account linking flow from a non-domain, non-proxied machine first to isolate network/policy issues
- Set up an Azure Monitor alert on the Activity Log for Partner Solutions deployment failures so you know immediately when something breaks rather than discovering it a week later during an incident
Frequently Asked Questions
Why does my Azure Partner Solution show "Healthy" but no logs are arriving in Datadog/Elastic?
The "Healthy" status in the Azure portal reflects the provisioning state of the partner resource itself, not whether data is actually flowing. The most common cause is missing or misconfigured diagnostic settings on the individual resources you want to monitor. Go to each resource blade, click Monitoring > Diagnostic settings, and verify a setting exists pointing at your partner solution. If it doesn't, create one or use Azure Policy to deploy them at scale. Also double-check that the specific log categories you need (like Activity Logs, AuditLogs, or AllMetrics) are checked in both the diagnostic setting and in the partner solution's own configuration blade.
I get "MissingSubscriptionRegistration" when deploying a partner solution, what does that mean?
This error means the resource provider namespace for that partner hasn't been registered on your subscription. It's a one-time setup step that Azure should handle automatically but sometimes doesn't, especially on older subscriptions or CSP-provisioned subscriptions with restricted permissions. Go to Subscriptions > [your sub] > Resource providers, find the partner's namespace (like Microsoft.Datadog), and click Register. Alternatively, run Register-AzResourceProvider -ProviderNamespace "Microsoft.Datadog" in PowerShell. Wait for the status to show Registered before retrying the deployment.
Can I deploy an Azure Partner Solution in one region but monitor resources in another region?
Yes, and this is actually the standard pattern. The partner solution resource itself (the management plane resource in Azure) is deployed to a specific Azure region, this is sometimes called the "home region" for billing and management purposes. But the monitoring scope is separate and can cover resources across any Azure region or even multiple subscriptions. You define the scope in the partner solution's Monitored resources or Resource configuration blade after deployment. The data still flows from the source resources to the ISV's SaaS backend via their own global network, not through the region where the ARM resource lives.
My Azure partner solution deployment failed with error code "LinkedAuthorizationFailed", how do I fix it?
LinkedAuthorizationFailed means the identity performing the deployment doesn't have sufficient permissions on a resource that the partner solution needs to access during provisioning, typically the resource group, subscription, or an existing Marketplace account. Check that the deploying identity has at minimum Contributor on the resource group and Owner or User Access Administrator at the subscription scope (needed to create role assignments). If you're deploying through a service principal in a pipeline, make sure it has both permissions. Also verify there's no Azure Policy deny assignment blocking role assignment creation in that scope.
How do I fix Azure Partner Solutions on a CSP subscription where the Marketplace offer isn't available?
CSP subscriptions have Marketplace restrictions that differ from direct EA or pay-as-you-go subscriptions. Your CSP partner (the Microsoft partner who manages your subscription) needs to explicitly enable the specific Marketplace offer for your tenant through Microsoft Partner Center. Contact them with the publisher name and offer ID from the Marketplace listing, they can find it in Partner Center under Marketplace > Customer offers > Manage offers. If your CSP partner has a hands-off arrangement, you can also ask Microsoft directly via a support ticket under Azure Marketplace > Offer availability. Once enabled, the offer should appear in your Marketplace search within a few hours.
After deleting and recreating a partner solution resource, the linked account shows as already connected but won't work, what happened?
When you delete an Azure partner solution resource, the ISV's SaaS backend doesn't always clean up the association with your Azure subscription immediately. So when you try to recreate it and link the same account, the ISV's system thinks the subscription is already connected to an organization and throws a conflict. The fix is to go into the ISV's own portal (Datadog's app, Elastic Cloud console, etc.) and manually remove or deauthorize the Azure integration from their side first. Then wait 10–15 minutes before re-creating the resource in Azure. Some ISVs have a specific "remove Azure native integration" option in their settings; if you can't find it, their support team can remove the association from the backend directly.