Skip to content

Solution: TacitRed Defender Threat Intelligence v3.0.1 - Fix Content Hub Deployment#13604

Merged
v-atulyadav merged 7 commits intoAzure:masterfrom
Data443:feature/tacitred-defender-v3.0.1
Feb 12, 2026
Merged

Solution: TacitRed Defender Threat Intelligence v3.0.1 - Fix Content Hub Deployment#13604
v-atulyadav merged 7 commits intoAzure:masterfrom
Data443:feature/tacitred-defender-v3.0.1

Conversation

@mazamizo21
Copy link
Contributor

@mazamizo21 mazamizo21 commented Feb 10, 2026

Summary

Fixes two deployment failures when installing the TacitRed Defender Threat Intelligence solution from Content Hub.

Problem 1: Missing Function App Code

The functionCode.zip was accidentally removed from the Package folder during a folder restructure (commit 4c731dd). The Function App template references this zip via WEBSITE_RUN_FROM_PACKAGE, so the deployed Function App had no code.

Problem 2: Template Validation Error

The Function App template included workspace-scoped Microsoft.Authorization/roleAssignments resources. When deployed through Content Hub's template spec mechanism, these cause an ARM InvalidTemplate error:

The language expression resourceId('Microsoft.OperationalInsights/Workspaces', '...') 
is not valid: the string character '@' at position '4' is not expected.

No other Function App solution in this repo uses workspace-scoped roleAssignments (verified against Fortinet, Zscaler, AWS, DomainTools). Role assignments are now documented as post-deployment steps.

Fix

  • Restored functionCode.zip to Package/ folder
  • Removed both Microsoft.Authorization/roleAssignments from Function App template
  • Added post-deployment instructions for manual role assignment (Reader + Sentinel Contributor)
  • Version bump to 3.0.1

Files Changed

File Change
azuredeploy.json (FunctionApp) Removed roleAssignments, updated post-deployment docs
mainTemplate.json Removed roleAssignments from embedded template, version bump
Solution_*.json Version bump to 3.0.1
functionCode.zip Restored (was accidentally deleted)
3.0.1.zip New package (replaces 3.0.0)

References

@mazamizo21
fix(TacitRed-Defender-TI): v3.0.1 - Fix Content Hub deployment failures
70aed1a 
- Restore functionCode.zip that was accidentally deleted during folder restructure
  The Function App template references this zip via WEBSITE_RUN_FROM_PACKAGE but
  the file was removed in commit 4c731dd per reviewer request without relocation
- Remove workspace-scoped roleAssignment resources from Function App template
  These cause InvalidTemplate errors when deployed through Content Hub template specs
  (@ character parsing failure). No other Azure-Sentinel solution uses workspace-scoped
  roleAssignments in Function App templates. Role assignments are now documented as
  post-deployment steps matching the standard pattern (Fortinet, Zscaler, etc.)
- Version bump to 3.0.1
@mazamizo21 mazamizo21 requested review from a team as code owners February 10, 2026 18:37
@v-shukore v-shukore added the Solution Solution specialty review needed label Feb 11, 2026
@v-maheshbh
Copy link
Contributor

v-maheshbh commented Feb 11, 2026

Hi @mazamizo21

Kindly schedule a call to discuss the PR changes in more detail. The email is included below for your reference.
v-maheshbh@microsoft.com

Thanks!

mazamizo21 and others added 6 commits February 11, 2026 08:30
@mazamizo21
Restore previous package version (3.0.0.zip) per reviewer request
64eff3b
@mazamizo21
Add v3.0.1 release notes for deployment fix
dab20d3
@mazamizo21
Move functionCode.zip from Package/ to Playbooks/ per reviewer request
d28aae0
@mazamizo21
Update 3.0.1.zip: Fix functionCode.zip URL to point to Playbooks/ ins…
a0b4f7f 
…tead of Package/

The mainTemplate.json inside 3.0.1.zip still referenced the old
Package/functionCode.zip path. Updated to match the new location at
Playbooks/TacitRedDefenderTI_FunctionApp/functionCode.zip.
@v-maheshbh
Bump templates to 3.0.1; add post-deploy roles
11c76c7 
Update TacitRed-Defender-ThreatIntelligence package to template version 3.0.1. mainTemplate.json: bump playbook descriptions and solution version to 3.0.1, add post-deployment steps to assign Reader and Microsoft Sentinel Contributor roles to the Function App managed identity, and normalize description HTML bullets. Also update packaged zip (3.0.1.zip).
@v-maheshbh
Update 3.0.1.zip
33b9e65
@v-maheshbh
Copy link
Contributor

v-maheshbh commented Feb 12, 2026
edited
Loading

Hi @mazamizo21

We are encountering a deployment error during the Azure Function custom deployment.
will it be resolved after the merge using the correct functionCode ZIP file?

image

Thanks!

@mazamizo21
Copy link
Contributor Author

mazamizo21 commented Feb 12, 2026

The error is exactly what our PR #13604 fixes.* The ⁠ InvalidTemplate ⁠ error comes from the ⁠ roleAssignments ⁠ resources that had workspace-scoped ⁠ resourceId() ⁠ calls:

"scope": "[[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"

When Content Hub deploys this through its template spec mechanism, the ARM expression parser chokes on certain characters in the workspace name (the ⁠ @ ⁠ or other special chars). The reviewer "v-amol" likely entered a workspace name that triggered the same class of parsing failure.

Our PR already removes both ⁠ roleAssignments ⁠ blocks and moves them to post-deployment manual steps — which is the standard pattern used by Fortinet, Zscaler, and every other Function App solution in the repo.

@v-atulyadav v-atulyadav merged commit a37eee1 into Azure:master Feb 12, 2026
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@v-atulyadav v-atulyadav v-atulyadav approved these changes

@v-maheshbh v-maheshbh v-maheshbh approved these changes

Assignees

@v-maheshbh v-maheshbh

Labels

Solution Solution specialty review needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mazamizo21 @v-maheshbh @v-atulyadav @v-shukore