
just-a-myth
Copper Contributor
Apr 03, 2025

"Authorization failed" error for Logic app writing a comment to Sentinel Incident

I have created a managed identity named id-sentinel-playbook that is used in 2 logic apps. Both logic apps retrieve information from different external APIs and write the results as comments into the Sentinel incident. The managed identity id-sentinel-playbook has been assigned 2 roles: Microsoft Sentinel Responder and Microsoft Sentinel Automation Contributor (see screenshot).

However, when one of the logic apps transacts with Sentinel, such as checking the watchlist or writing a comment into a Sentinel incident, there is a 403 Forbidden error (see screenshot).

It works fine when I use my Azure account as the connection for the logic app. The other logic app also works fine when the same managed identity id-sentinel-playbook is used as the connection to Sentinel. I have compared the identities of both logic apps and they are the same. I have also searched online for existing answers, and all point to the managed identity having insufficient roles; however, id-sentinel-playbook already has the Microsoft Sentinel Responder role and, strangely, the other logic app that also writes comments into the Sentinel incident works. Here is the screenshot of the logic app having the user-assigned managed identity. The other logic app has the same.

Please help. I spent 2 days investigating this and have no more ideas on how to further investigate this😓.

1 Reply

  • Please try the following:

    1. Verify Role Assignments

    Even though the managed identity has the Microsoft Sentinel Responder and Microsoft Sentinel Automation Contributor roles, double-check the scope of these assignments:

    • Ensure the roles are assigned at the correct level (e.g., subscription, resource group, or workspace).
    • Confirm that the roles cover the specific Sentinel workspace where the logic app is trying to write comments.

    2. Check Permissions for Specific Actions

    The error message suggests that the managed identity might lack permission for the specific action Microsoft.SecurityInsights/incidents/comments/write. Verify that the roles assigned to the managed identity include this action. If not, you may need to create a custom role with the required permissions.

    3. Refresh Credentials

    Sometimes, newly assigned roles take time to propagate. Try refreshing the credentials for the managed identity:

    • Reauthenticate the connection in the logic app.
    • Restart the logic app to ensure it picks up the updated permissions.

    4. Compare Logic App Configurations

    Since the other logic app works fine with the same managed identity, compare the configurations of both logic apps:

    • Check for differences in the API connections or triggers.
    • Ensure that the failing logic app is using the correct connection tied to the managed identity.

    5. Debugging the Logic App

    Enable diagnostics and logging for the failing logic app to gather more details about the error:

    • Use the Run History in the Azure portal to inspect the failed action and view the detailed error message.
    • Check the Workflow Definition to ensure the logic app is correctly configured to use the managed identity.

    6. Test with Elevated Permissions

    As a temporary measure, assign the Contributor role to the managed identity to test if the issue is related to insufficient permissions. If this resolves the error, you can narrow down the missing permissions and create a custom role.
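Steps 1 and 2 of the reply (is the assignment scoped to the right workspace, and does the role actually contain `Microsoft.SecurityInsights/incidents/comments/write`?) can be modelled offline. The following is an added example, not code from the thread: it reproduces Azure RBAC evaluation (scope inheritance, `Actions` wildcards, `NotActions` exclusions) over constructed data shaped like `az role assignment list --assignee <id>` and `az role definition list --name "<role>"` output. The permission lists are abbreviated stand-ins, not the real built-in role definitions; substitute the real ones before drawing conclusions.

```python
"""Offline model of Azure RBAC evaluation for a managed identity (added example).

An assignment applies when its scope is the target scope or an ancestor of it;
the action must match a pattern in the role's Actions and none in NotActions.
"""
import fnmatch

# Constructed sample data (assumption). Role permission lists are abbreviated
# stand-ins, NOT the real built-in definitions; fetch real ones with
# `az role definition list --name "<role>"` and paste them here.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-sentinel"
WORKSPACE = f"{RG}/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"

ROLE_DEFINITIONS = {  # role name -> (actions, notActions)
    "Microsoft Sentinel Responder": (
        ["Microsoft.SecurityInsights/*/read", "Microsoft.SecurityInsights/incidents/*"], []),
    "Microsoft Sentinel Automation Contributor": (
        ["Microsoft.SecurityInsights/automationRules/*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write"]),
}

# Shaped like `az role assignment list --assignee id-sentinel-playbook` output.
ASSIGNMENTS = [
    {"principalName": "id-sentinel-playbook", "roleDefinitionName": "Microsoft Sentinel Responder", "scope": RG},
    {"principalName": "id-sentinel-playbook", "roleDefinitionName": "Microsoft Sentinel Automation Contributor", "scope": RG},
]

def scope_covers(assignment_scope, target_scope):
    """True if the assignment scope equals the target or is one of its ancestors.
    The '/' suffix check stops 'rg-sentinel' from covering 'rg-sentinel-2'."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches_any(action, patterns):
    """Azure action wildcards: '*' spans '/' segments, so fnmatch semantics fit."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granting_roles(principal, action, target_scope, assignments=ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """Names of roles whose assignments grant `action` to `principal` at `target_scope`."""
    granted = []
    for asg in assignments:
        if asg["principalName"] != principal or not scope_covers(asg["scope"], target_scope):
            continue
        actions, not_actions = roles[asg["roleDefinitionName"]]
        if matches_any(action, actions) and not matches_any(action, not_actions):
            granted.append(asg["roleDefinitionName"])
    return granted

if __name__ == "__main__":
    action = "Microsoft.SecurityInsights/incidents/comments/write"
    for scope in (WORKSPACE, f"{SUB}/resourceGroups/rg-other/providers/Microsoft.OperationalInsights/workspaces/law-other"):
        print(scope.rsplit("/", 1)[-1], "->", granting_roles("id-sentinel-playbook", action, scope) or "no grant (expect 403)")
```

An empty result for the failing app's workspace points at step 1 (wrong scope); a result that lists roles while the 403 persists points at step 4 (the connection is not actually running as that identity).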
