Forum Discussion
Block-AADUser Playbook - Permissions error
- Sep 22, 2023
Check out the below
# Requires the AzureAD PowerShell module and an existing session (Connect-AzureAD).
Connect-AzureAD

$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Microsoft Graph's well-known application ID; the app roles hang off its service principal.
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application (app-only) permissions the playbook's identity needs on Microsoft Graph.
$PermissionNames = @(
    "User.Read.All",
    "User.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All"
)

foreach ($PermissionName in $PermissionNames) {
    # Pick the app role whose value matches and that can be granted to an application.
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Grant the app role to the managed identity's service principal.
    New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

This code snippet can be found here
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin
Still have the same error.
Any ideas?
Thanks
- costaluisc, Sep 20, 2023, Copper Contributor
Sorry, I had made some changes to the logic app and forgot to revert them.
After the Global Admin authorized the API connection I have a different error message:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2023-09-20T08:47:00",
"request-id": "c6e062ba-c64b-4e6b-xxxxx",
"client-request-id": "c6e062ba-c64b-xxxxx"
}
Where the permissions are assigned to the API connection:
The only action that has problems is the "Update User". I already tried changing just a field in the account and got the same error (the account is cloud only):
{
"method": "patch",
"path": "/v1.0/users/teste%40xxxxx.onmicrosoft.com",
"host": {
"connection": {
"name": "/subscriptions/b77f631f-be70-4922xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuread-Block-AADUser-Incident"
}
},
"body": {
"accountEnabled": false
}
}
I have also run only the "Update User" step with both the UPN and User ID typed directly in the action and got the same error.
- Christian_Bartsch, Sep 20, 2023, Brass Contributor
I remember having the exact same struggle a few months ago. I ended up creating a Managed Identity that I connected to the playbook settings and then connected the Update User action to it, instead of authenticating an Enterprise App via OAuth. The Managed Identity needs:
1. Assign Password Administrator permission to managed identity.
2. Assign Microsoft Sentinel Responder permission to managed identity.
Good luck!
- costaluisc, Sep 21, 2023, Copper Contributor
Thanks for the help.
Can you give me some pointers on how to do that?
The Azure AD connector does not natively support managed identities.
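The two assignments Christian_Bartsch lists (Password Administrator and Microsoft Sentinel Responder) can be made from PowerShell. The block below is an editor's added example, not a post from the thread and not code from the Azure-Sentinel repository. It assumes the Logic App already has a system-assigned managed identity, that the Microsoft.Graph and Az PowerShell modules are installed, and that the display name, subscription ID and resource group are placeholders to be replaced. It grants both assignments only if they are missing, then reads back what the identity holds so the result can be checked before re-running the playbook.

```powershell
# Added example (editor's, not from the thread or the Azure-Sentinel repo): grant the
# playbook's managed identity the two assignments named in the reply above, then read
# them back. Assumptions: the Logic App's system-assigned identity already exists, and
# the Microsoft.Graph and Az modules are installed. All names below are placeholders.
$MiDisplayName  = "Block-AADUser"               # assumption: the MI carries the Logic App's name
$SubscriptionId = "<subscription-id>"           # placeholder
$ResourceGroup  = "<sentinel-resource-group>"   # placeholder: RG that holds the Sentinel workspace

# --- 1. Password Administrator (Entra ID directory role) via Microsoft Graph PowerShell ---
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All" | Out-Null

$mi = Get-MgServicePrincipal -Filter "displayName eq '$MiDisplayName'"
if (-not $mi) { throw "No service principal named '$MiDisplayName'; enable the identity first." }
if ($mi.Count -gt 1) { throw "Several service principals match; look the MI up by its object ID instead." }

$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"

# Idempotent: create the role assignment only if the MI does not already hold the role.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($mi.Id)'" |
    Where-Object RoleDefinitionId -eq $roleDef.Id
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $mi.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null
}

# --- 2. Microsoft Sentinel Responder (Azure RBAC) via Az PowerShell ---
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$rbac  = Get-AzRoleAssignment -ObjectId $mi.Id -RoleDefinitionName "Microsoft Sentinel Responder" -Scope $scope
if (-not $rbac) {
    New-AzRoleAssignment -ObjectId $mi.Id -RoleDefinitionName "Microsoft Sentinel Responder" -Scope $scope | Out-Null
}

# --- 3. Read back what the identity now holds before re-running the playbook ---
"Directory roles held by $($mi.DisplayName):"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($mi.Id)'" | ForEach-Object {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
}
"Azure RBAC assignments held by $($mi.DisplayName):"
Get-AzRoleAssignment -ObjectId $mi.Id | Select-Object RoleDefinitionName, Scope
```

The Microsoft Graph application permissions from the snippet in the first post (User.ReadWrite.All and the others) are a separate grant from these two assignments; all of them are attached to the same service principal object ID, so step 3 is a convenient place to confirm that every expected role is present on that one object before testing the "Update User" action again.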