Prisma Cloud fails to delete temporary Azure resources created during the agentless scanning process.

Created On 04/09/23 09:50 AM - Last Modified 02/19/26 21:48 PM


Symptom


  • Prisma Cloud fails to delete temporary Azure resources created during the agentless scanning process.
  • A "missing permissions" error message is seen in the logs:
Account is missing permissions. target:"<Target_Name>" hub:"" region: <Region_Name>. <ID> is missing permissions: Microsoft.Resources/subscriptions/resourceGroups/write, Microsoft.Network/networkInterfaces/write, Microsoft.Network/networkInterfaces/delete, Microsoft.Network/networkInterfaces/join/action, Microsoft.Network/networkSecurityGroups/write, Microsoft.Network/networkSecurityGroups/delete, Microsoft.Network/networkSecurityGroups/join/action, Microsoft.Network/virtualNetworks/write, Microsoft.Network/virtualNetworks/delete, Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Compute/disks/write, Microsoft.Compute/disks/delete, Microsoft.Compute/disks/beginGetAccess/action, Microsoft.Compute/snapshots/write, Microsoft.Compute/snapshots/delete, Microsoft.Compute/virtualMachines/write, Microsoft.Compute/virtualMachines/delete
DEBU  scanner.go:271 Skipping account "Azure CRI" due to missing permissions
DEBU  scanner.go:253 Failed to check account permissions. target:"<Target_Name>" hub:"" region: <Region_Name>. failed to check account permissions in credential "<Name>": googleapi: Error 403: Request had insufficient authentication scopes. 


Environment


  • Azure
  • Agentless scanning 
  • Resources


Cause


  • Missing permissions. Without the delete permissions listed in the log, the VMs created for the scan are not deleted after the scan completes.
  • Another reason is that the agentless scan option was enabled during onboarding via CSPM.
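As an added example (not part of this article and not Prisma Cloud's own code), the check below parses the "is missing permissions:" log line from the Symptom section and tests each listed action against a role definition in the shape returned by the Azure CLI, honouring the "*" wildcards and "notActions" that Azure RBAC uses. The role definition and log line are constructed samples; the role name and the placeholder target, region and ID values are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample log line in the same shape as the one in the Symptom section
# (target, region and ID are placeholders, not real values).
LOG_LINE = ('Account is missing permissions. target:"<Target_Name>" hub:"" region: <Region_Name>. '
            '<ID> is missing permissions: Microsoft.Compute/disks/write, '
            'Microsoft.Compute/disks/delete, Microsoft.Compute/virtualMachines/delete, '
            'Microsoft.Network/networkInterfaces/delete')

# Constructed, hypothetical custom role in the shape of `az role definition list` output.
# Azure RBAC "actions" and "notActions" entries may contain '*' wildcards.
ROLE_DEFINITION = {
    "roleName": "prisma-agentless-scanner (example)",
    "permissions": [{
        "actions": ["Microsoft.Compute/*/read", "Microsoft.Compute/disks/*",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.Network/networkInterfaces/*"],
        "notActions": ["Microsoft.Compute/disks/delete"],
    }],
}


def parse_missing_permissions(line: str) -> list[str]:
    """Extract the comma-separated action list after 'is missing permissions:'."""
    m = re.search(r"is missing permissions:\s*(.*)$", line)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC wildcards: '*' matches any run of characters, including '/'.
    # Action names are case-insensitive.
    return fnmatchcase(action.lower(), pattern.lower())


def action_allowed(role: dict, action: str) -> bool:
    """Allowed when some 'actions' entry matches and no 'notActions' entry in the same block does."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def still_missing(role: dict, line: str) -> list[str]:
    """Actions the scanner reported missing that the given role still does not grant."""
    return [a for a in parse_missing_permissions(line) if not action_allowed(role, a)]


if __name__ == "__main__":
    for action in still_missing(ROLE_DEFINITION, LOG_LINE):
        print("role does not grant:", action)
```

Run it against the output of `az role definition list` for the role assigned to the scanning credential to see which of the reported actions the role still lacks.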


Resolution


  1. To use agentless scanning, Prisma Cloud will add the additional delete permissions.
  2. This can be verified in the onboarding template from the Prisma onboarding flow: Prisma console → Settings → Cloud Accounts → Edit → Configure Account.
  3. To disable agentless scanning: CSPM → Settings → Cloud Account.


Additional Information


  • The Prisma Cloud Console scans a VM image by creating a VM instance that runs the VM image to be scanned.
  • The VM instances created for scanning VM images carry a default tag: Key - Name, Value - prismacloud-scan-*
  • Detailed information can be found under VM Image Scanning.
  • A VM must be started with the image in order to scan it; once the scan completes, Prisma Cloud is expected to delete those VMs.
  • The VM created to run the agentless scan in the customer environment has to communicate with the SaaS Console, so it needs internet access.

