Microsoft Defender for Cloud generates a deployment script that includes all of the resources necessary to onboard your Google Cloud Platform (GCP) account to Defender for Cloud. However, since May 2024, GCP enforces a policy called Domain Restricted Sharing by default for all organizations created after that date. The policy prevents Identity and Access Management (IAM) permissions from being assigned to service accounts external to your GCP organization. Because the Defender for Cloud service accounts belong to an external organization, this policy might cause the deployment script generated by Defender for Cloud to fail.
This page guides you through the steps to adjust the Domain Restricted Sharing policy so that your GCP account connects to Defender for Cloud correctly.
Prerequisites
A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
Microsoft Defender for Cloud set up on your Azure subscription.
Contributor level permission for the relevant Azure subscription.
The ability to modify the policy at the organization level.
Enable service accounts for Defender for Cloud
Defender for Cloud requires the following service accounts to be enabled in your GCP project:
1. Sign in to your GCP project.
2. Navigate to IAM & Admin > Organization Policies.
3. Select Domain Restricted Sharing.
4. Select Manage policy.
5. Add the Defender for Cloud organization ID principalSet://iam.googleapis.com/organizations/517615557103 to the list of allowed principals.
6. Select Save.
The change might take several minutes to propagate. After the change is applied, run the deployment script generated by Defender for Cloud.
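The same change made outside the console, as an added example that is not part of the original page: it assumes the console's Domain Restricted Sharing entry is the iam.allowedPolicyMemberDomains organization-policy constraint and works on a constructed copy of what gcloud org-policies describe returns as JSON; the organization number, customer ID and etag are placeholders. It only appends the Defender for Cloud principal set, so the organization's own allowed values are never dropped.

```python
import copy
import json

# Principal set for the Defender for Cloud organization, as given on the page.
DEFENDER_PRINCIPAL_SET = "principalSet://iam.googleapis.com/organizations/517615557103"

# Assumed constraint behind the console's "Domain Restricted Sharing" entry.
CONSTRAINT = "iam.allowedPolicyMemberDomains"

# Constructed sample of `gcloud org-policies describe iam.allowedPolicyMemberDomains
# --organization=<ORG_NUMBER> --format=json`; all identifiers are placeholders.
SAMPLE_POLICY = {
    "name": f"organizations/000000000000/policies/{CONSTRAINT}",
    "spec": {
        "etag": "PLACEHOLDER_ETAG",
        "rules": [{"values": {"allowedValues": ["C0example01"]}}],
    },
}


def allow_defender(policy: dict) -> dict:
    """Return a copy of the policy that also allows the Defender for Cloud
    organization, keeping every existing allowed value so the organization's
    own customer ID stays on the allowlist."""
    updated = copy.deepcopy(policy)
    spec = updated.setdefault("spec", {})
    rules = spec.setdefault("rules", [])
    # An unconditional allowAll rule already admits the principal set.
    if any(r.get("allowAll") and "condition" not in r for r in rules):
        return updated
    # Extend the unconditional rule that carries the allowlist; create one if absent.
    target = next((r for r in rules if "condition" not in r and "values" in r), None)
    if target is None:
        target = {"values": {"allowedValues": []}}
        rules.append(target)
    allowed = target["values"].setdefault("allowedValues", [])
    if DEFENDER_PRINCIPAL_SET not in allowed:
        allowed.append(DEFENDER_PRINCIPAL_SET)
    return updated


if __name__ == "__main__":
    # Save this output to a file and apply it with:
    #   gcloud org-policies set-policy <file>
    print(json.dumps(allow_defender(SAMPLE_POLICY), indent=2))
```

Apply the resulting file with gcloud org-policies set-policy, then run the Defender for Cloud deployment script again once the change has propagated.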
Related content
- Assign access to workload owners.
- Troubleshoot your multicloud connectors.
- Get answers to common questions about connecting your GCP project.