Forum Discussion
Block-AADUser Playbook - Permissions error
- Sep 22, 2023
Check out the below
# Requires the AzureAD module (Install-Module AzureAD) and an existing session (Connect-AzureAD)
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known appId of the Microsoft Graph service principal in every tenant
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application (app-only) Graph permissions to grant to the managed identity
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

foreach ($PermissionName in $PermissionNames) {
    # Find the Graph app role with this value that an application (not a user) may hold
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Assign the app role to the managed identity; Graph is the resource service principal
    New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

This code snippet can be found here:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin
When this happens, your permissions are used as the connection authentication. In this particular example you need permissions to Azure Active Directory from the Logic App, so the API connection needs the appropriate permissions to perform this function.
Still have the same error.
Any ideas?
Thanks
- Christian_Bartsch, Sep 19, 2023, Brass Contributor:
Can you provide the raw outputs and inputs of each action from the run history?
- costaluisc, Sep 20, 2023, Copper Contributor:
Sorry, I had made some changes to the logic app and forgot to revert them.
After the Global Admin authorized the API connection, I have a different error message:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2023-09-20T08:47:00",
      "request-id": "c6e062ba-c64b-4e6b-xxxxx",
      "client-request-id": "c6e062ba-c64b-xxxxx"
    }
  }
}
where are the permissions assigned to the connection API:
The only action that has problems is the "Update User". I already tried changing just a field in the account and got the same error (the account is cloud only):
{
"method": "patch",
"path": "/v1.0/users/teste%40xxxxx.onmicrosoft.com",
"host": {
"connection": {
"name": "/subscriptions/b77f631f-be70-4922xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuread-Block-AADUser-Incident"
}
},
"body": {
"accountEnabled": false
}
}
I have also run only the "Update User" step with both the UPN and User ID typed directly in the action and got the same error.
- Christian_Bartsch, Sep 20, 2023, Brass Contributor:
I remember having the exact same struggle a few months ago. I ended up creating a Managed Identity that I connected to the playbook settings and then connected the Update User action to it, instead of authenticating an Enterprise App via OAuth. The Managed Identity needs:
1. Assign Password Administrator permission to managed identity.
2. Assign Microsoft Sentinel Responder permission to managed identity.
Good luck!
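As an added example that is not part of this thread or of the Azure-Sentinel repository, the PowerShell below carries out the two assignments listed in the reply above for a Logic App's system-assigned managed identity and then lists what the identity holds, which is what to compare against an Authorization_RequestDenied response. It uses the Az (Az.Accounts, Az.Resources) and Microsoft.Graph PowerShell modules rather than the deprecated AzureAD module used earlier in the thread. The subscription id, resource group and Logic App name are placeholders, and it assumes the caller can assign directory roles (Privileged Role Administrator) and Azure RBAC roles on the resource group (Owner or User Access Administrator).

```powershell
# Added example, not code from the thread or the Block-AADUser playbook.
# Assumptions: Az.Accounts, Az.Resources and Microsoft.Graph modules are installed;
# the Logic App already has its system-assigned identity enabled; the values below
# are placeholders for the reader's own environment.
$SubscriptionId = "<subscription-id>"                 # assumption: placeholder
$ResourceGroup  = "<resource-group-of-the-playbook>"  # assumption: placeholder
$LogicAppName   = "Block-AADUser-Incident"            # assumption: playbook (Logic App) name

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory" | Out-Null

# 1. Resolve the managed identity. A system-assigned identity's service principal
#    carries the Logic App's name, so look it up by display name and keep its object id.
$mi = Get-AzADServicePrincipal -DisplayName $LogicAppName
if (-not $mi) {
    throw "No managed identity found for '$LogicAppName'; enable the system-assigned identity on the Logic App first."
}
$miObjectId = $mi.Id

# 2. Entra directory role named in the reply above, assigned tenant-wide ("/").
#    Skip the call if the identity already holds it, so the script is safe to re-run.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$current = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$miObjectId'"
if (-not ($current | Where-Object { $_.RoleDefinitionId -eq $roleDef.Id })) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $miObjectId `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null
}

# 3. Azure RBAC role for the Sentinel side, scoped to the resource group that holds the
#    workspace rather than to the whole subscription (least privilege).
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$rbac  = Get-AzRoleAssignment -ObjectId $miObjectId -RoleDefinitionName "Microsoft Sentinel Responder" -Scope $scope
if (-not $rbac) {
    New-AzRoleAssignment -ObjectId $miObjectId -RoleDefinitionName "Microsoft Sentinel Responder" -Scope $scope | Out-Null
}

# 4. Verify. Directory role assignments only carry the role definition id, so resolve each
#    one to its display name; Azure RBAC assignments already carry the role name and scope.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$miObjectId'" | ForEach-Object {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
    [pscustomobject]@{ Kind = "Entra directory role"; Role = $def.DisplayName; Scope = $_.DirectoryScopeId }
}
Get-AzRoleAssignment -ObjectId $miObjectId | ForEach-Object {
    [pscustomobject]@{ Kind = "Azure RBAC"; Role = $_.RoleDefinitionName; Scope = $_.Scope }
}
```

Two things worth keeping in mind when using this: the Graph app roles granted by the script at the top of the thread and the Entra directory role granted here are separate mechanisms (app-only Graph permissions versus a directory role held by the service principal), so verifying one says nothing about the other; and a newly assigned directory role can take a few minutes to take effect, so re-run the playbook after a short wait before concluding the assignment did not help.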