Commit e21b568

Merge pull request #294594 from batamig/patch-859940
Update deploy-sap-security-content.md
2 parents 6129029 + 2aa73d6 commit e21b568

2 files changed: +6 -1 lines changed
articles/sentinel/sap/deploy-sap-security-content.md

Lines changed: 5 additions & 0 deletions
@@ -92,6 +92,11 @@ Installing the Microsoft Sentinel **SAP Agentless** solution makes the agentless
9292

9393
1. On the **SAP ABAP and S/4 via cloud connector (Preview)** page, in the **Configuration** area, select **Deploy push connector resources** to deploy a data collection rule (DCR) and Microsoft Entra ID app registration to your subscription.
9494

95+
When Microsoft Sentinel and Microsoft Entra ID permissions are separated across different people, deployment must be done in two steps. In such cases, the DCR and DCE are deployed successfully in your Microsoft Sentinel resource group, and errors are shown to indicate the missing rights required to create an app registration in Microsoft Entra ID. For more information, see:
96+
97+
- [Create Microsoft Entra application](/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-microsoft-entra-application)
98+
- [Assign permissions to the DCR](/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#assign-permissions-to-the-dcr)
99+
95100
1. <a name="deployment"></a>Once deployed, note the following values for later use:
96101

97102
- **Immutable ID**
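
Review bot: the added paragraph (new lines 95-98) refers to "the DCR and DCE", but the step above it only introduces "a data collection rule (DCR)" and DCE is never expanded in the visible text; spell out "data collection endpoint (DCE)" on first use, or mention the endpoint in the step itself. The paragraph also says deployment "must be done in two steps" without naming the second step or who performs it. State that a user with rights to create app registrations in Microsoft Entra ID then creates the application and assigns it permissions on the DCR, which is what the two links cover, so that a team with separated duties knows the deployment is complete before reaching "Once deployed, note the following values".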

articles/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring.md

Lines changed: 1 addition & 1 deletion
@@ -49,7 +49,7 @@ Typically, Azure prerequisites are managed by your **security** teams.
4949
| Prerequisite | Description |Required/optional |
5050
| ---- | ----------- |----------- |
5151
| **Access to Microsoft Sentinel** | Make a note of your *workspace ID and *primary key* for your Log Analytics workspace enabled for Microsoft Sentinel.<br>You can find these details in Microsoft Sentinel: from the navigation menu, select **Settings** > **Workspace settings** > **Agents management**. Copy the *Workspace ID* and *Primary key* and paste them aside for use during the deployment process. |Required |
52-
| **Permissions to create Azure resources** | At a minimum, you must have the necessary permissions to deploy solutions from the Microsoft Sentinel content hub. For more information, see [Prerequisites for deploying Microsoft Sentinel solutions](../sentinel-solutions-deploy.md#prerequisites). |Required |
52+
| **Permissions to create Azure resources** | You must have the necessary permissions to deploy solutions from the Microsoft Sentinel content hub. <br><br>You must also have an **Owner** role on the Microsoft Sentinel resource group, which is required for:<br>- Creating the data collection rule and data collection endpoint.<br>- Assigning the **Monitoring Metrics Publisher** role on the data collection rule. <br><br>For more information, see [Prerequisites for deploying Microsoft Sentinel solutions](../sentinel-solutions-deploy.md#prerequisites) and [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference#application-administrator). |Required |
5353
| **Permissions to create an Azure key vault or access an existing one** | Use Azure Key Vault to store secrets required to connect to your SAP system. For more information, see [Assign key vault access permissions](deploy-data-connector-agent-container.md#assign-key-vault-access-permissions). |Required if you plan to store the SAP system credentials in Azure Key Vault. <br><br>Optional if you plan to store them in a configuration file. For more information, see [Create a virtual machine and configure access to your credentials](deploy-data-connector-agent-container.md#create-a-virtual-machine-and-configure-access-to-your-credentials).|
5454
| **Permissions to assign a privileged role to the SAP data connector agent** | Deploying the SAP data connector agent requires that you grant your agent's VM identity with specific permissions to the Microsoft Sentinel workspace, using the **Microsoft Sentinel Business Applications Agent Operator** role. To grant this role, you need **Owner** permissions on the resource group where your Microsoft Sentinel workspace resides. <br><br>For more information, see [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md). | Required. <br> If you don't have **Owner** permissions on the resource group, the relevant step can also be performed by another user who does have the relevant permissions, separately after the agent is fully deployed.|
5555
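
Review bot: in the rewritten **Permissions to create Azure resources** row (new line 52), the added link "Microsoft Entra built-in roles" points at the `#application-administrator` anchor, but the cell never says that a Microsoft Entra role is needed or what it is needed for; the only role it names is **Owner** on the Microsoft Sentinel resource group, which is a resource-group role rather than an Entra one. Add a sentence naming the Entra role the anchor implies and the task it covers, or drop the link. Because **Owner** is a broad grant, consider mirroring the row two below, which says the step "can also be performed by another user who does have the relevant permissions", so teams that separate these duties are not pushed to give Owner to whoever deploys the solution.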
