Forum Discussion
myprofile490
May 13, 2022, Copper Contributor
Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is: when a user account (not an admin) changes his authentication method, an alert is triggered and then I run the built-in playbo...
- May 14, 2022
It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use a managed identity or a user? If it is a user, doesn't it have sufficient permissions to disable another user's account?
Could you try the second playbook for disabling AAD users? The one that is based on Incident.
And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/security-api-overview.md
There is a table with supported methods and systems.
Does that mean that the PATCH method is not supported by Sentinel alerts?
myprofile490
May 14, 2022, Copper Contributor
mikhailf
May 14, 2022, Iron Contributor
On the main Overview page, you have "Run History" with "Succeed" or "Failed" results.
Click on "Failed" and you will be able to debug the playbook. Find the part where you have a red X and open it. Share the results here.
And ensure that you do not have an "Invalid connection" message for any of the blocks.
- myprofile490, May 14, 2022, Copper Contributor
The playbook run succeeded, but the workflow gets an error at the operation that disables the user:
Best Regards,
An
- mikhailf, May 14, 2022, Iron Contributor
By the way, did you give the following permissions to the app: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All?
The user that connects the "Update user" block with Azure AD must have sufficient permissions, not the app itself.
- myprofile490, May 14, 2022, Copper Contributor
mikhailf I went to Azure AD -> Enterprise Applications -> Azure Logic App -> Permissions and found the following permissions. I don't know how to assign more permissions, and I guess User.ReadWrite.All and Directory.ReadWrite.All cover User.Read.All and Directory.Read.All:
Best Regards,
An
- mikhailf, May 14, 2022, Iron Contributor
Try this: https://developer.microsoft.com/en-us/graph/graph-explorer
On the left side, sign in to your account and then run this query: GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} -> https://graph.microsoft.com/v1.0/users/leloc@hoahung353.onmicrosoft.com.
And check if you get 200 or 404.
If you get 200, everything is fine. And I assume the issue is with the Playbook itself.
1. Check the permissions of the user that is used to connect the Playbook to AAD.
2. Check the fields in "Update user" and "Entities - Get Account" blocks. Ensure that they don't have any extra symbols like / " [ etc.
I am going to try to simulate the same error in my environment and update you.
- myprofile490, May 16, 2022, Copper Contributor
I know the reason why: there is no attribute "accountEnabled". If we use GET then we can see all the attributes returned for this call, and there is no "accountEnabled". I tried other attributes like "mobiPhone", "mail", "officeLocation" and it works!
mikhailf
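The following script is an added example and not code from the thread or from the Block-AADUser-Alert playbook. It reproduces, with the Microsoft Graph PowerShell SDK, the three things the thread circles around: the Graph Explorer GET check (200 vs 404), the PATCH that the "Update user" action performs, and the permissions the caller needs. One detail worth knowing when reading the GET output in Graph Explorer: the v1.0 user resource returns only a default subset of properties on GET, and accountEnabled is not in that subset, so it only shows up when requested explicitly with $select (the -Property parameter below). The UPN is the one quoted in the thread and the playbook name is the thread's; both are placeholders to substitute. Assumed: the Microsoft.Graph module is installed and the signed-in user can consent to the listed scopes.

```powershell
# Added example (not from the thread): verify the Graph calls behind the playbook's
# "Update user" step outside Logic Apps, using the Microsoft Graph PowerShell SDK.
# Placeholders: $upn (UPN quoted in the thread) and $playbookName (the Logic App name).

$upn          = 'leloc@hoahung353.onmicrosoft.com'
$playbookName = 'Block-AADUser-Alert'

# 1. Delegated sign-in. Reading a user needs User.Read.All; changing accountEnabled
#    needs User.ReadWrite.All. The last two scopes are only for step 5.
#    Note that Graph will not let a caller without a privileged directory role disable
#    a user who holds an admin role, whatever scope was consented.
Connect-MgGraph -Scopes 'User.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Application.Read.All'

# 2. Equivalent of "GET /v1.0/users/{upn}" in Graph Explorer. Without -Property the
#    default property set comes back (displayName, mail, mobilePhone, officeLocation,
#    ...) and accountEnabled is absent; -Property adds $select so it is returned.
#    A 404 (unknown user) surfaces here as a terminating error.
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled -ErrorAction Stop
'{0} accountEnabled={1}' -f $user.UserPrincipalName, $user.AccountEnabled

# 3. What the "Update user" action does: PATCH /users/{id} with {"accountEnabled": false}.
Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop

# 4. Read it back the same way to confirm the change took effect.
(Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled

# 5. If the playbook authenticates with its system-assigned managed identity instead
#    of a user connection, that identity needs the *application* permission
#    User.ReadWrite.All, granted as an app role on the Microsoft Graph service
#    principal (appId 00000003-0000-0000-c000-000000000000). The role id is looked up
#    rather than hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role    = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'User.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'
}
$mi = Get-MgServicePrincipal -Filter "displayName eq '$playbookName'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id
```

Run steps 1 to 4 with the same account that owns the playbook's Azure AD connection: if step 3 fails here, the Logic App will fail the same way, and the error text from the SDK is usually more explicit than the run-history view. Step 5 is the alternative mikhailf raises in the first reply (managed identity rather than a user connection); the app-role assignment takes a few minutes to propagate before the identity's token carries the new role.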