Microsoft Defender for Cloud generates a deployment script that includes all of the resources necessary to onboard your Google Cloud Platform (GCP) account to Defender for Cloud. However, as of May 2024, GCP enforces an organization policy called Domain Restricted Sharing by default for all organizations created after May 2024. The policy prevents Identity and Access Management (IAM) permissions from being granted to service accounts outside your GCP organization, so the deployment script generated by Defender for Cloud might fail.
This page guides you through the steps to resolve the Domain Restricted Sharing policy and ensure your GCP account is connected to Defender for Cloud correctly.
Prerequisites
Before you update the policy, make sure you have the following prerequisites:
A Microsoft Azure subscription. If you don't have one, you can sign up for a free Azure subscription.
Microsoft Defender for Cloud set up on your Azure subscription.
Contributor level permission for the relevant Azure subscription.
Permission to modify the organization policy at the GCP organization level.
Configure Domain Restricted Sharing for Defender for Cloud
To resolve Domain Restricted Sharing issues, allow the Defender for Cloud principal in your GCP policy.
Sign in to your GCP project.
Navigate to IAM & Admin > Organization Policies.
Select Domain Restricted Sharing.
Select Manage policy.
Add one of the following values to the list of allowed principals:
- Defender for Cloud organization ID: principalSet://iam.googleapis.com/organizations/517615557103
- Defender organization customer ID: C03um0klj
Select Save.
The change might take several minutes to propagate. After the change is applied, run the deployment script generated by Defender for Cloud.
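The same change made from the command line, as an added example that is not part of the Microsoft page or of Defender for Cloud: it writes the org-policy file for the Domain Restricted Sharing constraint and checks a saved policy dump for the Defender identifier before you run the deployment script. ORG_ID and YOUR_CUSTOMER_ID are assumed placeholders for your own GCP organization number and customer ID.

```shell
#!/bin/sh
# Added example, not code from the Microsoft page or from Defender for Cloud.
# Assumed placeholders: ORG_ID (your GCP organization number) and
# YOUR_CUSTOMER_ID (your own Google Workspace / Cloud Identity customer ID).
set -e

CONSTRAINT="iam.allowedPolicyMemberDomains"   # the Domain Restricted Sharing constraint
DEFENDER_CUSTOMER_ID="C03um0klj"
DEFENDER_PRINCIPAL_SET="principalSet://iam.googleapis.com/organizations/517615557103"

# Write a policy file for: gcloud org-policies set-policy "$out"
# allowedValues replaces the current list, so your own customer ID must stay
# on it, otherwise your own users can no longer be granted IAM roles.
write_policy_file() {
  org_id="$1"; own_customer_id="$2"; defender_value="$3"; out="$4"
  cat > "$out" <<EOF
name: organizations/${org_id}/policies/${CONSTRAINT}
spec:
  rules:
  - values:
      allowedValues:
      - ${own_customer_id}
      - ${defender_value}
EOF
}

# Return 0 if a policy dump lists either Defender identifier under
# allowedValues, 1 otherwise. Feed it the saved output of:
#   gcloud org-policies describe "$CONSTRAINT" --organization=ORG_ID --effective
policy_allows_defender() {
  grep -Eq -- "-[[:space:]]+(${DEFENDER_CUSTOMER_ID}|principalSet://iam\\.googleapis\\.com/organizations/517615557103)\$" "$1"
}

# Usage with the placeholders above:
#   write_policy_file ORG_ID YOUR_CUSTOMER_ID "$DEFENDER_CUSTOMER_ID" policy.yaml
#   gcloud org-policies set-policy policy.yaml
#   gcloud org-policies describe "$CONSTRAINT" --organization=ORG_ID --effective > effective.yaml
#   policy_allows_defender effective.yaml && echo "Defender allowed; run the deployment script"
```

Either identifier from the list above can be passed as the third argument; the check accepts both.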