Forum Discussion
Block-AADUser Playbook - Permissions error
Hello,
I'm having some trouble implementing the "Block-AADUser Playbook" from the Microsoft Sentinel GitHub repo. I have already done the steps required:
- Assign Microsoft Sentinel Responder role to the Playbook's managed identity
- Assign API permissions to the managed identity so that we can search for user's manager
- Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections
The logic app is failing in the "Update user - disable user" step:
Additional info:
- The "Update user - disable user" step is connected with the API connection created by the template "azuread-Block-AADUser-Incident".
- The account I'm trying to disable does not have any Azure AD Roles.
- Used the template from Microsoft Sentinel "Block-AADUser-Incident".
I have seen other discussions regarding this issue and I think it's a permission issue.
Does the account that authorizes the API Connection need to be a "Global Admin"? I have seen other people mention this but I can't find any documentation about this. I don't have a Global Admin account so I can't test this.
Is this true, or is there another issue I'm not seeing?
Thanks
Check out the below
```powershell
# Grant the playbook's managed identity application permissions on Microsoft Graph.
# AzureAD PowerShell module; run Connect-AzureAD first as an account allowed to assign app roles.
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known appId of the Microsoft Graph service principal (identical in every tenant)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application permissions to assign. Note that Directory.ReadWrite.All grants
# tenant-wide write access to directory data.
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

foreach ($PermissionName in $PermissionNames) {
    # Select the app role (application permission, not a delegated scope) with this value
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Assign it to the managed identity (principal) on the Graph service principal (resource)
    New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```
This code snippet can be found here
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin
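The following verification script is an added example and is not part of the original post or of the Azure-Sentinel repository. After the assignment snippet has been run, it lists which of the four Graph application permissions the managed identity actually holds, and then resolves the target user by the same identifier (UPN or object id) that the run history shows as the "Update user" action's input. Keep in mind that the Azure AD connector action runs under the account that authorized the API connection, so the managed identity check covers the manager lookup, while the user-resolution check covers the value the action receives. It uses the same AzureAD module as the snippet above; `$MIGuid` and `$TargetUser` are placeholders you must fill in.

```powershell
# Added verification script; not from the original post or the Azure-Sentinel repo.
# Assumes the AzureAD module is imported and Connect-AzureAD has been run as an account
# that can read service principals and users. Placeholder values are marked below.
$MIGuid     = "<managed identity object id>"    # placeholder: the playbook's managed identity
$TargetUser = "user@contoso.com"                # placeholder: UPN or object id the playbook passes
$Required   = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

# Microsoft Graph service principal (well-known appId, identical in every tenant)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$Graph = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$MI    = Get-AzureADServicePrincipal -ObjectId $MIGuid

# App role assignments on the Graph resource whose principal is our managed identity,
# mapped back from role id to permission name so the output is readable.
$Assigned = Get-AzureADServiceAppRoleAssignment -ObjectId $Graph.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $MI.ObjectId } |
    ForEach-Object {
        $roleId = $_.Id
        ($Graph.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

"Graph application permissions held by $($MI.DisplayName):"
foreach ($p in $Required) {
    if ($Assigned -contains $p) { "  OK       $p" } else { "  MISSING  $p" }
}

# A 'resource not found' from the Update user action typically means the identifier it
# received did not resolve. Get-AzureADUser -ObjectId accepts either a UPN or an object id,
# so resolve the exact value shown as the action's input in the run history.
try {
    $u = Get-AzureADUser -ObjectId $TargetUser
    "Resolved '$TargetUser' -> $($u.UserPrincipalName) [$($u.ObjectId)] AccountEnabled=$($u.AccountEnabled)"
} catch {
    "Could not resolve '$TargetUser': $($_.Exception.Message)"
}
```

If every permission shows OK and the user resolves, the managed identity and the identifier are not the problem, and attention should move to the API connection's authorizing account and to the raw inputs of the failing action.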
10 Replies
- costaluisc (Copper Contributor)
Thanks Christian_Bartsch and BillClarksonAntill for the responses.
I'm currently waiting for a Global Admin to authorize the API Connections.
Regarding the error, yes, it's strange that it's not a permissions error. I already tried using the user UPN and AAD User ID, on multiple users, and got the same error. The inputs to the "Update User" step are all OK.
I found a question regarding the same error but ended without a clear response.
Error when running playbook Block-AADUser-Alert - Microsoft Community Hub
- BillClarksonAntill (Iron Contributor)
So in order to authenticate API connections you do need a Global Administrator to approve the API connections.
When this happens your permissions are used as the connection authentication. In this particular example you need permissions to Azure Active Directory from the Logic App, so the API connection needs the appropriate permissions to perform this function.
- costaluisc (Copper Contributor)
Had a Global Admin authorize the API connections.
Still have the same error.
Any ideas?
Thanks
- Christian_Bartsch (Copper Contributor)
Can you provide the raw outputs and inputs of each action from the run history?
- Christian_Bartsch (Copper Contributor)
I think it's not a permission error at that point. The error message states it didn't find the resource. So my best guess is that the playbook fails to extract the proper ID or UPN (whatever is used in the HTTP PUT action).