TanukiSec
Copper Contributor
Nov 17, 2022

Provide MS Sentinel explicit permissions to run playbooks via ARM

Hi,

Simple ask.

Using ARM to add a template to a new install of Sentinel (LA workspace, sentinel, analytics, workbooks and playbooks all installed in one go) I can't figure out how to assign the permissions required as part of the initial ARM install.

For the GUI it's simple enough - Sentinel > Settings > Settings > Playbook Permissions > Configure permissions > select RG and apply.

How can this be replicated using ARM only - no PS and no GUI -- ideally I would like the ARM template to be a one shot.

Any help is appreciated.

Cheers

  • SamCoronado
    Copper Contributor

    TanukiSec 

    In case you're still looking for this, in your ARM Template you can add a role assignment granting the Microsoft Sentinel Automation Contributor role (which uses a fixed GUID of f4c81013-99ee-4d62-a7ee-b3f1f648599a) to the Azure Security Insights App Object:

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-10-01-preview",
        "name": "[parameters('roleNameGuid')]",
        "properties": {
            "principalId": "[parameters('azureSecurityInsightsObjectId')]",
            "principalType": "ServicePrincipal",
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f4c81013-99ee-4d62-a7ee-b3f1f648599a')]"
        }
    }

     

    The Azure Security Insights app Id is 98785600-1bb7-4fb9-b9fa-19afe2c8a360, and the app Object ID can be retrieved with Azure PowerShell using either of the below commands:

    Get-AzADServicePrincipal -ApplicationId "98785600-1bb7-4fb9-b9fa-19afe2c8a360"
    Get-AzADServicePrincipal -SearchString "Azure Security Insights"


    Hope this helps!

    Sam
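
A complete resource-group deployment template built around the role assignment in the reply above, as an added example that is not part of the original post. It assumes the template is deployed to the resource group that holds the playbooks, derives the assignment name with `guid()` in place of the `roleNameGuid` parameter so that redeployments resolve to the same assignment, and takes the tenant-specific object ID as a parameter; the variable and output names are illustrative.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "azureSecurityInsightsObjectId": {
      "type": "string",
      "minLength": 36,
      "maxLength": 36,
      "metadata": {
        "description": "Object ID of the Azure Security Insights service principal in this tenant. The value differs per tenant, so look it up with Get-AzADServicePrincipal and pass it in at deployment time."
      }
    }
  },
  "variables": {
    "automationContributorRoleId": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('automationContributorRoleId'))]",
    "roleAssignmentName": "[guid(resourceGroup().id, parameters('azureSecurityInsightsObjectId'), variables('automationContributorRoleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-10-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "principalId": "[parameters('azureSecurityInsightsObjectId')]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[variables('roleDefinitionId')]"
      }
    }
  ],
  "outputs": {
    "roleAssignmentId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]"
    }
  }
}
```

Because the resource carries no explicit scope, the assignment lands on the resource group targeted by the deployment, which matches the GUI flow of selecting a resource group and keeps the grant narrower than a subscription-level assignment.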
