Forum Discussion

just-a-myth's avatar
just-a-myth
Copper Contributor
Apr 03, 2025

"Authorization failed" error for Logic app writing a comment to Sentinel Incident

I have created a managed identity named id-sentinel-playbook that is used in 2 logic apps. Both the logic apps retrieve information from different external apis and writes the results as comments int...
Automation & Control
azure
Kidd_Ip's avatar
Kidd_Ip
MVP
Apr 04, 2025

Please try at the following:

 

  1. Verify Role Assignments

Even though the managed identity has the Microsoft Sentinel Responder and Microsoft Sentinel Automation Contributor roles, double-check the scope of these assignments:

  • Ensure the roles are assigned at the correct level (e.g., subscription, resource group, or workspace).
  • Confirm that the roles cover the specific Sentinel workspace where the logic app is trying to write comments.
  1. Check Permissions for Specific Actions

The error message suggests that the managed identity might lack permission for the specific action Microsoft.SecurityInsights/incidents/comments/write. Verify that the roles assigned to the managed identity include this action. If not, you may need to create a custom role with the required permissions.

  1. Refresh Credentials

Sometimes, newly assigned roles take time to propagate. Try refreshing the credentials for the managed identity:

  • Reauthenticate the connection in the logic app.
  • Restart the logic app to ensure it picks up the updated permissions.
  1. Compare Logic App Configurations

Since the other logic app works fine with the same managed identity, compare the configurations of both logic apps:

  • Check for differences in the API connections or triggers.
  • Ensure that the failing logic app is using the correct connection tied to the managed identity.
  1. Debugging the Logic App

Enable diagnostics and logging for the failing logic app to gather more details about the error:

  • Use the Run History in the Azure portal to inspect the failed action and view the detailed error message.
  • Check the Workflow Definition to ensure the logic app is correctly configured to use the managed identity.
  1. Test with Elevated Permissions

As a temporary measure, assign the Contributor role to the managed identity to test if the issue is related to insufficient permissions. If this resolves the error, you can narrow down the missing permissions and create a custom role.

Resources