Forum Discussion
AzureAD group membership as a condition
I am trying to create a playbook that checks a user against an AzureAD group. If the user is a member of the group it will perform one action (open a ticket in ServiceNow), and if they are not a member it will perform a different one (create a PowerShell script to reset the password).
I create the Check AzureAD group membership action and then create a condition based off that action. When I add the Check AzureAD group result to the condition, it automatically places it within a For Each loop. The result is that if the user is a member of the group, it will successfully execute the True branch of the condition. But if the user is not a member of the group, the Check AzureAD group action returns a null value, so the For Each action never fires and the False branch of the condition never fires.
I tried to work around this by using the List AzureAD group members action instead. In this case, each member of the group is listed as a result. If the user is a member of the group, it will execute the True branch once and then the False branch one time for each other member of the group.
Is there a workaround for this use case?
7 Replies
- Chris Boehm (Former Employee)
When you're setting up the actions in the playbooks, are you setting up a condition based on the previous data? My example:
1. When Azure Sentinel alert is triggered do the following:
2. Check group Membership with entities from the alert based on X group name.
3. Used the For Each template: if the Body of the message is "True" do the following, and if it's "False" do the following. I'm using the connectors within the body.
Hope this helps,
- andrew_bryant (Brass Contributor)
Hi Chris,
That is how I set it up, with one exception: I run a log query against the Sentinel alert to get the username. Then I use the username in the Check group membership step. Otherwise it is set up like you show. When I run it against a user not in the group, the False branch does not run. I think it is because the output body of the Check membership step shows as "[]". So since it is null, it does not execute the next For Each step.
- Ofer_Shezaf (Microsoft)
First, as discussed in another thread (and for the benefit of others), you don't need to query the workspace but can instead extract the user names for an alert using the Sentinel connector actions.
As to your question, did you try to use an expression on the returned value rather than using it directly? I didn't try, but Length below looks promising.
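The approach Ofer hints at, written out as an added example (this is not code from the thread or from Microsoft; it is a Logic Apps workflow-definition fragment for the playbook). The designer wraps any array-typed dynamic-content token in a For Each, which is why the condition never runs on an empty result. Reducing the array to a number with `length()` inside the condition's expression avoids the loop entirely, so the `else` branch fires when the array is `[]`. The action name `Check_group_membership` is an assumption (the designer derives it from the action's display name, so match it to your own), and the body is assumed to be the bare array the poster reports; if your connector version wraps it as `{"value": [...]}`, use `body('Check_group_membership')?['value']` instead. The `Compose` actions mark where the ServiceNow and password-reset actions would go.

```json
{
  "Condition_-_user_is_group_member": {
    "type": "If",
    "runAfter": {
      "Check_group_membership": [ "Succeeded" ]
    },
    "expression": {
      "and": [
        {
          "greater": [
            "@length(coalesce(body('Check_group_membership'), json('[]')))",
            0
          ]
        }
      ]
    },
    "actions": {
      "Member_-_open_ServiceNow_ticket": {
        "type": "Compose",
        "runAfter": {},
        "inputs": "Placeholder: replace with the ServiceNow 'Create record' action"
      }
    },
    "else": {
      "actions": {
        "Not_member_-_build_reset_script": {
          "type": "Compose",
          "runAfter": {},
          "inputs": "Placeholder: replace with the action that generates the PowerShell reset script"
        }
      }
    }
  }
}
```

In the designer this is entered from the Expression tab of the condition (`length(coalesce(body('Check_group_membership'), json('[]')))` is greater than `0`) rather than from Dynamic content, which is what triggers the automatic For Each. `coalesce(..., json('[]'))` guards the case where the action body is null rather than an empty array, since `length()` on a null fails the run; `not(empty(body('Check_group_membership')))` is an equivalent test if you prefer a boolean expression. If the For Each has already been inserted, delete it and re-add the condition so it sits directly after the membership check.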
- Valon_Kolica (Former Employee)