Azure Cloud Pentest Troubleshooting

This page covers common errors you may encounter during Azure Cloud connection setup or at pentest launch.

Connection Setup Errors

Admin Consent Shows AADSTS700016

Symptom: After clicking Create Connection, you're redirected to Azure but see a Microsoft sign-in error instead of the admin consent prompt:

AADSTS700016: Application with identifier was not found in the directory

Microsoft sign-in error page showing AADSTS700016 with troubleshooting details.

Cause: The Horizon3 Cloud Connector multi-tenant application hasn't finished replicating to your tenant yet.

Fix: Refresh the page. The admin consent prompt should appear within 10–15 seconds.


Admin Consent Returns a Microsoft Error Page

Symptom: After clicking Accept on the admin consent screen, Microsoft redirects you to an error page instead of back to NodeZero.

Microsoft error page displayed after clicking Accept on the admin consent screen.

Fix: Clear your browser's cookies and cache, then return to NodeZero and click Create Connection again to restart the consent flow.


Pentest Launch Errors

Subnet Blocked by NSG

Symptom: After selecting a subnet, the Deployment section shows:

The selected subnet has a network security group that blocks outbound traffic. Please select a different subnet.

Deployment section of the pentest config form showing the NSG blocking error beneath the Subnet dropdown.

Fix: Select a different subnet that allows outbound traffic, or modify the NSG on the affected subnet to permit outbound connectivity. See Private subnet enabled if there's no NSG rule but the error still appears.


Private Subnet Enabled

Symptom: The subnet outbound error appears even though no NSG rule is blocking traffic.

Cause: The subnet has Enable private subnet (no default outbound access) checked in Azure, which removes default outbound connectivity regardless of NSG rules.

Azure Edit subnet panel showing the Enable private subnet checkbox checked.

Fix: In the Azure portal, open the subnet settings and uncheck Enable private subnet. Alternatively, attach a NAT gateway to the subnet to provide explicit outbound connectivity.

Azure virtual network subnet edit panel showing the Private subnet and NAT gateway settings.
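The two subnet outbound causes described above (an NSG deny rule, and a private subnet with no NAT gateway) can be checked before opening the pentest form. The following is an added example, not NodeZero's own validation logic: it reads JSON shaped like the output of `az network vnet subnet show` and `az network nsg rule list`, and only considers rules whose destination is `*`, `Internet` or `0.0.0.0/0`. The TCP 443 default is an assumption, since this page does not list required ports, and all sample names are constructed.

```python
# Added example: offline pre-check over Azure CLI JSON (not NodeZero's logic).
INTERNET = {"*", "Internet", "0.0.0.0/0"}  # destinations treated as "outbound to internet"

def port_matches(spec, port):
    """True if an NSG port spec ('*', '443', '1000-2000') covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, port):
    """True if an outbound TCP-capable rule targets the internet on this port."""
    prefixes = rule.get("destinationAddressPrefixes") or [rule.get("destinationAddressPrefix")]
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    return (rule["direction"] == "Outbound"
            and rule["protocol"].lower() in ("*", "tcp")
            and any(p in INTERNET for p in prefixes)
            and any(port_matches(s, port) for s in ports if s))

def outbound_findings(subnet, nsg_rules, port=443):
    """Return reasons the subnet lacks outbound access; empty list means none found."""
    findings = []
    # Private subnet: no default outbound access unless a NAT gateway is attached.
    if subnet.get("defaultOutboundAccess") is False and not subnet.get("natGateway"):
        findings.append("private-subnet-no-nat")
    # NSG rules are evaluated lowest priority number first; the first match decides.
    for rule in sorted(nsg_rules, key=lambda r: r["priority"]):
        if rule_matches(rule, port):
            if rule["access"] == "Deny":
                findings.append("nsg-deny:" + rule["name"])
            break
    return findings

# Constructed sample data (invented names), shaped like `az ... -o json` output.
PRIVATE_SUBNET = {"name": "snet-a", "defaultOutboundAccess": False, "natGateway": None}
NAT_SUBNET = {"name": "snet-b", "defaultOutboundAccess": False,
              "natGateway": {"id": "/subscriptions/EXAMPLE/natGateways/ngw-example"}}
DENY_ALL = {"name": "deny-internet", "direction": "Outbound", "access": "Deny",
            "priority": 200, "protocol": "*", "destinationAddressPrefix": "Internet",
            "destinationPortRange": "*"}
ALLOW_HTTPS = {"name": "allow-https", "direction": "Outbound", "access": "Allow",
               "priority": 100, "protocol": "Tcp", "destinationAddressPrefix": "*",
               "destinationPortRange": "443"}

if __name__ == "__main__":
    print(outbound_findings(PRIVATE_SUBNET, [DENY_ALL]))           # both causes present
    print(outbound_findings(NAT_SUBNET, [ALLOW_HTTPS, DENY_ALL]))  # allow rule wins, NAT attached
```

An empty result only means neither of these two causes was found; NSGs attached to the VM's network interface and user-defined routes are outside what this check reads.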


Insufficient VM Quota

Symptom: After selecting a subnet, the form shows:

Your Azure account does not have enough VM quota space to launch the VM. Please reach out to your IT admin to increase the quota.

Deployment section showing the VM quota error beneath the Subnet dropdown.

Fix: Contact your Azure administrator to increase the Standard_D4s_v3 vCPU quota in the target region for the selected subscription, or select a different subscription that has sufficient quota.


Azure Policy Blocks Deployment

Symptom: A banner in the Deployment section reads:

Azure policy blocks this deployment:
Allowed virtual machine size SKUs: VM SKU Standard_D4s_v3 is not in the policy allowlist...

Deployment section showing the Azure policy block error listing the disallowed VM SKU.

Fix: Work with your Azure administrator to add Standard_D4s_v3 to the allowed VM SKU policy for the subscription, or temporarily exempt the NodeZero resource group from the policy assignment.


Missing Required Resource Tags

Symptom: A banner in the Tags section reads:

Add the following required tags before running:
• Key: [tag key], Value: [tag value]

Tags section showing a required tags banner listing a key/value pair that must be added.

Cause: Your Azure environment enforces required tags via policy. NodeZero surfaces these tags so you can add them before launch — without them, the deployed VM won't be visible to your in-scope resources.

Fix: Add each required key/value pair using + Add Tag in the Tags section before clicking Run Pentest. Both the tag error and any subnet NSG error must be resolved before the form will submit.

Deployment section showing both the NSG blocking error on the subnet and the required tags banner.