Forum Discussion
Azure Sentinel Automation (Preview) - Issue with Permission assignment
Javier-Soriano - I noticed an interesting one here.
Scenario 1: Unable to see Manage Permission Link
Although I am an owner of the Azure subscription and have added the Logic App Contributor role to my user ID within the customer tenant, I am not able to see the Manage Permission link at the Sentinel automation rule. Why can't one edit the permission in this case?
Do you expect the user to have the Azure Sentinel Contributor role other than Owner and Logic App Contributor?
Scenario 2: Able to see Manage Permission Link but cannot modify.
With Azure Lighthouse, after including the delegation of Azure Security Insights with the Azure Sentinel Contributor role from the service provider tenant, I am able to check its permission but not change it. This is acceptable, as I am NOT in the service provider tenant, and with Azure Lighthouse a user can have at most a Contributor role.
- Javier-Soriano, Jun 14, 2021
Microsoft
For scenario #1... how can you have Owner on the subscription via Lighthouse? That role is not allowed in a Lighthouse delegation: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/tenants-users-roles#role-support-for-azure-lighthouse
For scenario #2, the Azure Security Insights app must have Azure Sentinel Automation Contributor (not Azure Sentinel Contributor).
- PrashTechTalk, Jun 15, 2021
Brass Contributor
Adding more details to those scenarios.
Scenario #1
I never mentioned I am the owner through Azure Lighthouse; instead, I am a guest user existing in the primary tenant.
Scenario #2
Already assigned the Azure Sentinel Automation Contributor through Azure Lighthouse template deployment, as stated earlier in my message.
- Dec 09, 2021
In my scenario I am using an analytics rule and a runbook, both in the primary tenant. I have Contributor-level permissions on the resource group containing Sentinel and the Logic Apps; the RG containing the runbook is already allowed permission to run the runbook from the Sentinel Settings runbook permissions.
When I try to run the runbook from incident alerts I get "Missing Permissions to view playbook runs".
We are using Lighthouse, but here we are not doing anything cross-tenant in terms of Sentinel. I have the Sentinel Contributor role at the Lighthouse level as well.
- denismello, Jun 14, 2021
Microsoft
Thanks all for your inputs.
To answer Javier's comments, I want to add that I'm using a Visual Studio subscription. Is this an issue?
It is really simple to reproduce the error: I go to "Automation" (on the Azure Sentinel tab), then I click on "Create new automation rule".
After selecting the options and the Playbook I want to run, I get the error: "Failed to save automation rule. Save the automation rule 'XXX' failed. Error: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/a1040a9c-a6129-4918-b809-922ee8ccf811/resourceGroups/Azure_Sentinel_name/provide... or Azure Sentinel is missing required permissions to verify the caller has permissions.
If you want to set up a call to go through this, please let me know.
Regards.
- Javier-Soriano, Jun 14, 2021
Microsoft
Are you also working in a Lighthouse setup or in a single AAD tenant setup? If you're working in a single tenant, these instructions should work: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-incidents
For the multi-tenant scenario, we have now added the proper instructions here: https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules#permissions-in-a-multi-tenant-architecture
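As an added example (not posted by anyone in this thread), the single-tenant check Javier's reply points to: confirm that the Azure Security Insights service principal holds the Automation Contributor role on the resource group that contains the playbooks, rather than only Azure Sentinel Contributor, and assign it if it is missing. It assumes the Az PowerShell module, a Connect-AzAccount session in the tenant that owns the playbooks, a placeholder resource group name, and the role's current name (Microsoft Sentinel Automation Contributor, the renamed Azure Sentinel Automation Contributor mentioned above). The Lighthouse case needs the delegation described in the multi-tenant link and is not covered here.

```powershell
# Added example; assumes the Az module and an active Connect-AzAccount session
# in the tenant that owns the playbooks. Resource group name is a placeholder.
$PlaybookResourceGroup = 'rg-sentinel-playbooks'

# The built-in role was called "Azure Sentinel Automation Contributor" when this
# thread was written; it is "Microsoft Sentinel Automation Contributor" today.
$RequiredRole = 'Microsoft Sentinel Automation Contributor'

# Sentinel triggers playbooks under its own first-party service principal.
$sp = Get-AzADServicePrincipal -DisplayName 'Azure Security Insights'
if (-not $sp) { throw 'Azure Security Insights service principal not found in this tenant.' }

# What does the service principal already hold on the playbook resource group?
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $PlaybookResourceGroup
$existing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

if ($existing.RoleDefinitionName -contains $RequiredRole) {
    Write-Host "OK: '$RequiredRole' is already assigned on $PlaybookResourceGroup"
}
else {
    # The misconfiguration from the thread: a Sentinel Contributor role is present,
    # but that role does not grant playbook triggering.
    if ($existing.RoleDefinitionName -match 'Sentinel Contributor') {
        Write-Warning "Found a Sentinel Contributor role only; it does not allow triggering playbooks."
    }
    New-AzRoleAssignment -ObjectId $sp.Id `
        -RoleDefinitionName $RequiredRole `
        -ResourceGroupName $PlaybookResourceGroup
    Write-Host "Assigned '$RequiredRole' to Azure Security Insights on $PlaybookResourceGroup"
}
```

Run it as a user who can assign roles on the playbook resource group (Owner or User Access Administrator); the user creating the automation rule still needs Logic App Contributor on the same scope.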