TanukiSec
Nov 17, 2022 - Copper Contributor
Provide MS Sentinel explicit permissions to run playbooks via ARM
Hi, Simple ask. Using ARM to add a template to a new install of Sentinel (LA workspace, sentinel, analytics, workbooks and playbooks all installed in one go) I can't figure out how to assign ...
SamCoronado
Jan 19, 2023 - Copper Contributor
TanukiSec
In case you're still looking for this, in your ARM Template you can add a role assignment granting the Microsoft Sentinel Automation Contributor role (which uses a fixed GUID of f4c81013-99ee-4d62-a7ee-b3f1f648599a) to the Azure Security Insights App Object:
{
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2020-10-01-preview",
    "name": "[parameters('roleNameGuid')]",
    "properties": {
        "principalId": "[parameters('azureSecurityInsightsObjectId')]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f4c81013-99ee-4d62-a7ee-b3f1f648599a')]"
    }
}
The Azure Security Insights app Id is 98785600-1bb7-4fb9-b9fa-19afe2c8a360, and the app Object ID can be retrieved with Azure PowerShell using either of the below commands:
Get-AzADServicePrincipal -ApplicationId "98785600-1bb7-4fb9-b9fa-19afe2c8a360"
Get-AzADServicePrincipal -SearchString "Azure Security Insights"
Hope this helps!
Sam
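The following is an added example, not part of the reply above: it resolves the tenant-specific object ID, deploys the role assignment only if it is missing, and then reports the scope at which the role actually applies so a broader-than-needed grant is visible. It assumes the template is deployed at resource group scope to the group that holds the playbooks; the resource group name and template file path are hypothetical.

```powershell
# Added example. $ResourceGroup and $TemplateFile are hypothetical names, not from the post.
$ResourceGroup = 'rg-sentinel-playbooks'           # assumed: resource group containing the playbooks
$TemplateFile  = './sentinel-playbook-role.json'   # assumed: template holding the roleAssignments resource
$AppId  = '98785600-1bb7-4fb9-b9fa-19afe2c8a360'   # Azure Security Insights app ID (from the post)
$RoleId = 'f4c81013-99ee-4d62-a7ee-b3f1f648599a'   # Microsoft Sentinel Automation Contributor (from the post)

# The object ID differs per tenant, so resolve it at deploy time instead of hard-coding it.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "Service principal for app $AppId not found in this tenant." }

function Get-SentinelPlaybookAssignment {
    param([string]$ObjectId, [string]$ResourceGroupName, [string]$RoleDefinitionId)
    # Lists assignments effective on the resource group (inherited ones included),
    # filtered to the one role we care about.
    Get-AzRoleAssignment -ObjectId $ObjectId -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.RoleDefinitionId -eq $RoleDefinitionId }
}

$existing = Get-SentinelPlaybookAssignment $sp.Id $ResourceGroup $RoleId

if (-not $existing) {
    # Parameter names match the template snippet in the post.
    $params = @{
        roleNameGuid                  = (New-Guid).Guid
        azureSecurityInsightsObjectId = $sp.Id
    }
    New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
        -TemplateFile $TemplateFile -TemplateParameterObject $params | Out-Null
    $existing = Get-SentinelPlaybookAssignment $sp.Id $ResourceGroup $RoleId
}

if (-not $existing) { throw "Role assignment not found after deployment." }

# Report where the role is granted; anything above the resource group is wider than the playbooks need.
$rgScope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
foreach ($a in $existing) {
    $note = if ($a.Scope -eq $rgScope) { 'resource group scope' } else { 'inherited from a broader scope' }
    '{0}  {1}  ({2})' -f $a.RoleDefinitionName, $a.Scope, $note
}
```

Checking for an existing assignment first avoids a failed redeployment, since a freshly generated `roleNameGuid` for the same principal, role and scope is rejected as a duplicate assignment.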