Forum Discussion
PrashTechTalk
Brass Contributor
May 11, 2021
Azure Sentinel Automation (Preview) - Issue with Permission assignment
Hi @AzureSentinel Team,
I believe this is a bug unless there is any reason to do so.
In Azure Sentinel Automation (Preview), when I tried to assign permission for a logic app, I got the error below.
Please note: Although I am the owner of the subscription, I am not able to assign the permission, whereas only a global admin with subscription ownership can do this role assignment.
Saving automation rule 'TEST 1' failed. Error: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.Logic/workflows/logicapp1', or Azure Sentinel is missing required permissions to verify the caller has permissions
Thanks.
- Javier-Soriano
Microsoft
Are you working in a Lighthouse setup?
- PrashTechTalk
Brass Contributor
Javier-Soriano Hi Javier, yes, it is through an Azure Lighthouse setup.
- Javier-Soriano
Microsoft
Ok, that requires additional permissions. You need to grant Azure Sentinel Automation Contributor permissions to the Azure Security Insights app in the service provider tenant, to the RG where the playbooks are in the customer tenant. So basically you need to include this additional authorization in your Azure Lighthouse delegation.
Regards
- Hi, PrashTechTalk and denismello
As mentioned here, even if you're the owner, you must have the Logic App Contributor role on any resource group containing playbooks you want to run.
I use this to fix the issue.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-incidents
- GaryBushey
Bronze Contributor
PrashTechTalk I think this is related to there being a requirement to allow Automation to kick off the playbook in the resource group that the playbook resides in. Go to the Azure Sentinel Settings menu option, then select Settings in the header, and expand Playbook permissions. Click on the "Configure permissions" button and assign the correct permissions to your resource group if it does not already have the permissions needed.
- PrashTechTalk
Brass Contributor
My query is that as an Owner of the subscription one cannot assign these permissions; instead it expects an elevated role like Global admin, which is not correct.
- denismello
Microsoft
Hi all.
I'm facing the same issue here. Query is pretty simple and the automation is to run a Logic App to send emails with the incident's details.
Guess this is a bug, as I'm the owner and can't assign permissions as instructed before by GaryBushey.
Looking forward to getting more input.