Forum Discussion
Error when running playbook Block-AADUser-Alert
- May 14, 2022
It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use a managed identity or a user? If it is a user, doesn't it have sufficient permissions to disable another user's account?
Could you try the second playbook for disabling AAD users? The one that is based on Incident.
And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/security-api-overview.md
There is a table with supported methods and systems.
Does that mean that the PATCH method is not supported by Sentinel alerts?
On the left side, sign in to your account and then run this query: GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} -> https://graph.microsoft.com/v1.0/users/leloc@hoahung353.onmicrosoft.com.
And check if you get 200 or 404.
If you get 200, everything is fine. And I assume the issue is with the Playbook itself.
1. Check the permissions of the user that is used to connect the Playbook to AAD.
2. Check the fields in "Update user" and "Entities - Get Account" blocks. Ensure that they don't have any extra symbols like / " [ etc.
I am going to try to simulate the same error in my environment and update you.
I know the reason why - there is no attribute "accountEnabled". If we use GET then we can see all attributes returned for this call and there is no "accountEnabled". I try other attributes like "mobiPhone", "mail", "officeLocation" and it works! mikhailf
- myprofile490 | May 17, 2022 | Copper Contributor
It fails with the original playbook 😞
- mikhailf | May 17, 2022 | Iron Contributor
Now try to do the same with the original playbook and update 🙂
- myprofile490 | May 17, 2022 | Copper Contributor
Yes, it works! I remember that when searching on the Internet someone had the same issue, i.e. Update Users works without "For each" but when there is "For each" it fails.
- mikhailf | May 17, 2022 | Iron Contributor
Try to assign the LeTai user the "User Administrator" role.
Open Azure AD -> Users -> LeTai -> Assigned roles -> Add Assignments -> User Administrator.
- myprofile490 | May 17, 2022 | Copper Contributor
mikhailf How can you conduct step 4?
I already connected Sentinel Alert with Global admin (letai@hoahung353.onmicrosoft.com)
Best Regards,
An
- mikhailf | May 17, 2022 | Iron Contributor
I just did a test. Got the same error using a user without any permissions and then assigned the User Administrator role.
1. Try to build a new playbook with a blank page
2. Add two parts (Microsoft Sentinel Alert and Update User)
3. Connect Microsoft Sentinel Alert with Global Admin (it doesn't make sense now because we are checking the update user part)
4. Connect Update user with a user that has the following role assigned "User Administrator".
5. Try to run the playbook with a test user. It should work.
- myprofile490 | May 17, 2022 | Copper Contributor
mikhailf what permission do I set for your playbook? I created the same as yours but the runbook still failed and the error is insufficient privilege
Best Regards,
An
- mikhailf | May 16, 2022 | Iron Contributor
I built this playbook to test the Disable Account. I use a Work or School account with Global admin account.
- myprofile490 | May 16, 2022 | Copper Contributor
I use Global admin account
- myprofile490 | May 16, 2022 | Copper Contributor
Which playbook do you use? And do you use a "work or school" account or a "personal" account?
- mikhailf | May 16, 2022 | Iron Contributor
One more thing. You don't need to provide Azure Logic Apps - Azure AD with any permissions.
What is the user that connects "Update user" part with AzureAD?
Does it have permission to disable other accounts?
- mikhailf | May 16, 2022 | Iron Contributor
But I don't think that this is the reason. The playbook below works well and I can disable users using it. (Only two parts Sentinel Alert and Update User).
- mikhailf | May 16, 2022 | Iron Contributor
Sounds great!
I used GET now with my user and I don't see any parameter that allows me to disable my account.
Have you found anything?