Forum Discussion
Azure Sentinel - Run Antivirus Scan using Logic App
- Feb 03, 2024
Hey @HA01329.
So your managed identity will have Scan permissions now. There's an issue with the PowerShell and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments.
My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.
This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but it's a workaround until I look into PowerShell more!
(I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)
Have a good weekend 🙂
First, thanks a lot for your help.
A little bit better but another error message now...
PS /home/system> Connect-AzureAD
PS /home/system> $MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxx'
PS /home/system> $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
PS /home/system> $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
PS /home/system> $PermissionName = 'Machine.Scan'
PS /home/system> $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter 'appId eq '$MDEAppId''
Get-AzureADServicePrincipal: A positional parameter cannot be found that accepts argument 'fc780465-2017-40d4-a0c5-307022471b92'.
Regards,
HA
Looks like '$MDEAppId'' in $MDEServicePrincipal should just be '$MDEAppId'. Delete one of the ' and try running it once more?
- HA13029 Feb 03, 2024 Copper Contributor
Hello,
Thanks for your help.
I don't think it's the issue....
If I run the command 'Get-AzureADServicePrincipal', I got a list of AppId but none of them match the ID fc780465-2017-40d4-a0c5-307022471b92...
Regards,
HA
- keenanbrooks Feb 03, 2024 Brass Contributor
Hi,
I meant run all the code again from the prerequisites.
$MIGuid = 'Enter your managed identity guid here'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$PermissionName = 'Machine.Scan'
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
# The backtick continuation must be the last character on its line, and each
# new $PermissionName assignment goes on a line of its own (otherwise it is
# passed to the cmdlet as a stray positional argument).
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
$PermissionName = 'Machine.Read.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
$PermissionName = 'Machine.ReadWrite.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
I've made the fix I believe will resolve your issue in the above code. Before running that please do Connect-AzureAD first, and make sure to enter your managed identity on the first line. To do that click into the playbook, select Identity under Settings, and copy and paste the Object ID. Make sure to keep the ' ' and enter the object ID in between.
- HA13029 Feb 03, 2024 Copper Contributor
Hi,
PS /home/system> Connect-AzureAD
PS /home/system> $MIGuid = '0fff8f4e-xxxx-xxxxx-xxxx-xxxxxxxxxxxx'
PS /home/system> $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
PS /home/system> $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
PS /home/system> $PermissionName = 'Machine.Scan'
PS /home/system> $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.ReadWrite.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
New-AzureADServiceAppRoleAssignment: Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned already exists on the object
RequestId: 0870e06a-e213-4266-9988-9cca542bf5e3
DateTimeStamp: Sat, 03 Feb 2024 16:11:01 GMT
Details: PropertyName - None, PropertyErrorCode - InvalidUpdate
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
PS: I ran the code twice...
Regards,
HA
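The two errors in the transcripts above have simple causes: the `$PermissionName = 'Machine.Read.All'` assignment landed on the same line as the cmdlet, so the string was handed to New-AzureADServiceAppRoleAssignment as a stray positional argument, and re-running the script produced Request_BadRequest "Permission being assigned already exists on the object" because AppRoleAssignment creation is not idempotent. The script below is an added example written for this page, not code from the thread or from the Sentinel playbook. It uses the same AzureAD module cmdlets and the MDE app id from the thread, and assumes Connect-AzureAD has already been run and that you replace the placeholder managed identity Object ID. Each app role is only created if the identity does not already hold it, and the result is listed at the end so you can check the identity against the playbook prerequisites.

```powershell
# Added example (not from the thread): idempotent assignment of MDE app roles
# to a Logic App managed identity, using the AzureAD PowerShell module.
# Assumes Connect-AzureAD has been run. $MIGuid is a placeholder to replace.

$MIGuid   = '00000000-0000-0000-0000-000000000000'   # placeholder: Logic App identity Object ID
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'   # MDE (WindowsDefenderATP) app id, from the thread

# Per the thread, Machine.Scan (plus Machine.Read.All) is likely all the playbook
# needs; trim this list to what the prerequisites actually require.
$PermissionNames = @('Machine.Scan', 'Machine.Read.All', 'Machine.ReadWrite.All')

$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Double quotes so $MDEAppId expands; the inner single quotes are the OData literal.
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
if (-not $MDEServicePrincipal) {
    throw "No service principal for appId $MDEAppId in this tenant"
}

# Existing assignments of MDE app roles, restricted to our managed identity.
# Properties used: Id (the app role id), PrincipalId (who holds it).
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $MDEServicePrincipal.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $MI.ObjectId }

foreach ($PermissionName in $PermissionNames) {
    $AppRole = $MDEServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }

    if (-not $AppRole) {
        Write-Warning "App role '$PermissionName' not exposed by $($MDEServicePrincipal.DisplayName); skipping"
        continue
    }

    if ($existing | Where-Object { $_.Id -eq $AppRole.Id }) {
        Write-Host "Already assigned: $PermissionName"
        continue
    }

    # The backtick must be the LAST character on the line for continuation to work.
    New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id | Out-Null
    Write-Host "Assigned: $PermissionName"
}

# Verification: resolve each assignment held by the identity back to its role name.
Write-Host "MDE app roles now held by $($MI.DisplayName):"
Get-AzureADServiceAppRoleAssignment -ObjectId $MDEServicePrincipal.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $MI.ObjectId } |
    ForEach-Object {
        $roleId = $_.Id
        ($MDEServicePrincipal.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```

Run it from the same Azure Cloud Shell session used in the thread after Connect-AzureAD. Because the pre-check reads the assignments already present on the MDE resource service principal, the script can be re-run safely, and the final listing is what to compare against the playbook's permission prerequisites. Note that the AzureAD module has been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so the same steps will eventually need to be expressed with the Graph cmdlets.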