Forum Discussion
Provide MS Sentinel explicit permissions to run playbooks via ARM
Hi,
Simple ask.
Using ARM to add a template to a new install of Sentinel (LA workspace, sentinel, analytics, workbooks and playbooks all installed in one go) I can't figure out how to assign the permissions required as part of the initial ARM install.
For the GUI it's simple enough - Sentinel > Settings > Settings > Playbook Permissions > Configure permissions > select RG and apply.
How can this be replicated using ARM only - no PS and no GUI -- ideally i would like the ARM template to be a one shot.
Any help is appreciated.
Cheers
- SamCoronadoCopper Contributor
TanukiSec
In case you're still looking for this, in your ARM Template you can add a role assignment granting the Microsoft Sentinel Automation Contributor role (which uses a fixed GUID off4c81013-99ee-4d62-a7ee-b3f1f648599a) to the Azure Security Insights App Object{ "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "name": "[parameters('roleNameGuid')]", "properties": { "principalId": "[parameters('azureSecurityInsightsObjectId')]", "principalType": "ServicePrincipal", "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f4c81013-99ee-4d62-a7ee-b3f1f648599a')]" } }
The Azure Security Insights app Id is 98785600-1bb7-4fb9-b9fa-19afe2c8a360, and the app Object ID can be retrieved with Azure PowerShell using either of the below commands:
Get-AzADServicePrincipal -ApplicationId "98785600-1bb7-4fb9-b9fa-19afe2c8a360" Get-AzADServicePrincipal -SearchString "Azure Security Insights"
Hope this helps!
Sam