Forum Discussion

Copper Contributor

Sep 14, 2023

Solved

Block-AADUser Playbook - Permissions error

Hello, I'm having some trouble implementing the "Block-AADUser Playbook" from the Microsoft Sentinel GitHub repo. I have already done the steps required: Assign Microsoft Sentinel Responder role t...

Sep 22, 2023

Check out the below

$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName1 = "User.Read.All"
$PermissionName2 = "User.ReadWrite.All"
$PermissionName3 = "Directory.Read.All"
$PermissionName4 = "Directory.ReadWrite.All"

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id

$AppRole2 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName2 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole2.Id

$AppRole3 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName3 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole3.Id

$AppRole4 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName4 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole4.Id

This code snippet can be found here

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin

costaluisc

Copper Contributor

Sep 20, 2023

Sorry i had made some changes to the logic app and forgot to revert them.
After the Global Admin authorized the API connection i have a different error message:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2023-09-20T08:47:00",
"request-id": "c6e062ba-c64b-4e6b-xxxxx",
"client-request-id": "c6e062ba-c64b-xxxxx"
}

where are the permissions assigned to the connection API:

The only action that has problems is the "Update User". I already tried changing just a field in the account and got the same error (the account is cloud only):
{
"method": "patch",
"path": "/v1.0/users/teste%40xxxxx.onmicrosoft.com",
"host": {
"connection": {
"name": "/subscriptions/b77f631f-be70-4922xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuread-Block-AADUser-Incident"
}
},
"body": {
"accountEnabled": false
}
}

I have also run only the "Update User" step with both the UPN and User ID typed directly in the action and got the same error.

Christian_Bartsch

Brass Contributor

Sep 20, 2023

I remember having the exact same struggle a few months ago. I ended up creating a Managed Identity that I connected to the playbook settings and then connected the Update User action to it, instead of authenticating and Enterprise App via OAuth. The Managed Identity needs:

1. Assign Password Administrator permission to managed identity.
2. Assign Microsoft Sentinel Responder permission to managed identity.

Good luck!

costaluisc

Copper Contributor

Sep 21, 2023

Thanks for the help.
Can you give me so pointers on how to do that?
The Azure AD connector does not natively support managed identities.

BillClarksonAntill

Iron Contributor

Sep 22, 2023

costaluisc

Check out the below

$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName1 = "User.Read.All"
$PermissionName2 = "User.ReadWrite.All"
$PermissionName3 = "Directory.Read.All"
$PermissionName4 = "Directory.ReadWrite.All"

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id

$AppRole2 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName2 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole2.Id

$AppRole3 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName3 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole3.Id

$AppRole4 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName4 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole4.Id

This code snippet can be found here

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin

costaluisc
Copper Contributor
Sep 25, 2023
Thanks for the help BillClarksonAntill and Christian_Bartsch
For other people that have the same error I recommend that instead of using the "Disable User" action, you switch to an http action and call the Graph API to disable the user (https://dev.to/briancollet/how-to-disable-azure-ad-users-with-azure-logic-apps-and-microsoft-graph-api-48kl). Then authenticate using in the http action with the playbook managed identity, after giving the permissions stated in the documentation.