Marek Stelcik
Aug 01, 2023, Copper Contributor
Sentinel permissions for playbook
Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here? I currently have, on the whole resource group where the playbooks as well as Sentine...
Aug 01, 2023
Marek Stelcik Hi,
You need to give Sentinel permissions on the resource group where your playbooks are located, so that Microsoft Sentinel has permission to run them.
If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the Manage playbook permissions link to assign permissions. In the Manage permissions panel that opens up, mark the check boxes of the resource groups containing the playbooks you want to run, and click Apply.
To be able to create a playbook, you need to be an Owner on the resource group where you need to create it, or to hold the Logic App Contributor role.
Marek Stelcik
Aug 02, 2023, Copper Contributor
Is it possible this documentation is not fully complete?
• Give Microsoft Sentinel permissions to run playbooks
Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service.
For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.
I have Owner on the resource group but still cannot select it in Sentinel to allow automation. I assume some additional Directory Reader role or subscription Reader role is needed?
- Aug 02, 2023
  You mean your runbooks are not showing in your automation rule while creating it?
- Marek Stelcik, Aug 02, 2023, Copper Contributor
  They are showing but cannot be added; as you indicated in your first advice, you need to grant Sentinel the possibility to run playbooks. However, I cannot set this up. I am OWNER of the resource group where both Sentinel and the playbooks are, but when trying to select the resource group that contains the playbook, no resource groups pop up. It seems OWNER rights are not sufficient and I need some permissions on a higher level (subscription)?
- Aug 02, 2023
  Grant yourself the Owner role on the resource group where your Sentinel instance is deployed.
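
The permission model the first reply and the last reply describe (Owner on the playbook resource group and on the Sentinel resource group for the person granting access, a role for Sentinel's own service account on the playbook resource group, and Owner or Logic App Contributor to author a playbook) can be checked against an export of role assignments before clicking through the portal. The script below is an added example, not code from this thread or from Microsoft. It models the shape of `az role assignment list` output (`principalName`, `roleDefinitionName`, `scope`) with constructed data: the subscription id, resource group names and user names are placeholders. The service principal name "Azure Security Insights" and the built-in role "Microsoft Sentinel Automation Contributor" are the names Azure uses for the "special service account" and the role the Manage permissions panel assigns to it; the thread itself does not name them. Scope matching follows Azure RBAC inheritance, so an Owner assignment at subscription scope also satisfies a resource-group check.

```python
"""Reason about Azure RBAC assignments for Sentinel playbook automation.

Added example, not code from the forum thread or from Microsoft. The input
mimics the fields of `az role assignment list` JSON output, but every value
below is constructed for illustration.
"""

# Placeholder subscription id and constructed resource group names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SENTINEL_RG = f"{SUB}/resourceGroups/rg-sentinel"
PLAYBOOK_RG = f"{SUB}/resourceGroups/rg-playbooks"

# How the Sentinel service account shows up in role assignments, and the
# built-in role the Manage permissions panel grants it on a playbook RG.
SENTINEL_PRINCIPAL = "Azure Security Insights"
SENTINEL_ROLE = "Microsoft Sentinel Automation Contributor"

# Roles the first reply names for creating a playbook in a resource group.
PLAYBOOK_AUTHOR_ROLES = ("Owner", "Logic App Contributor")

# Constructed assignments modelling the thread: Owner on the playbook RG only,
# Reader on the Sentinel RG, and a colleague with Owner at subscription scope.
ASSIGNMENTS = [
    {"principalName": "marek@contoso.example", "roleDefinitionName": "Owner", "scope": PLAYBOOK_RG},
    {"principalName": "marek@contoso.example", "roleDefinitionName": "Reader", "scope": SENTINEL_RG},
    {"principalName": "soc-admin@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
]


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Azure RBAC inherits downward: an assignment at a parent scope
    (subscription, management group) applies to every child scope.
    Resource ids are compared case-insensitively."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def has_role(assignments, principal: str, role: str, scope: str) -> bool:
    """True if `principal` holds `role` at `scope`, directly or by inheritance."""
    return any(
        x["principalName"].lower() == principal.lower()
        and x["roleDefinitionName"] == role
        and scope_covers(x["scope"], scope)
        for x in assignments
    )


def can_create_playbook(assignments, user: str, playbook_rg: str) -> bool:
    """Owner or Logic App Contributor on the playbook resource group."""
    return any(has_role(assignments, user, r, playbook_rg) for r in PLAYBOOK_AUTHOR_ROLES)


def can_grant_sentinel_permissions(assignments, user: str, sentinel_rg: str, playbook_rg: str) -> bool:
    """Owner on the playbook RG (quoted docs) and on the RG holding the
    Sentinel workspace (last reply in the thread)."""
    return has_role(assignments, user, "Owner", sentinel_rg) and has_role(
        assignments, user, "Owner", playbook_rg
    )


def sentinel_can_run_playbooks(assignments, playbook_rg: str) -> bool:
    """Has the Sentinel service account been granted its role on the playbook RG?"""
    return has_role(assignments, SENTINEL_PRINCIPAL, SENTINEL_ROLE, playbook_rg)


def missing_for_automation(assignments, user: str, sentinel_rg: str, playbook_rg: str) -> list:
    """List what is still missing before an automation rule can run a playbook."""
    gaps = []
    for rg in (sentinel_rg, playbook_rg):
        if not has_role(assignments, user, "Owner", rg):
            gaps.append(f"{user} needs Owner on {rg}")
    if not sentinel_can_run_playbooks(assignments, playbook_rg):
        gaps.append(f"{SENTINEL_PRINCIPAL} needs {SENTINEL_ROLE} on {playbook_rg}")
    return gaps


if __name__ == "__main__":
    # Reproduces the situation in the thread: Owner on the playbook RG alone
    # is not enough to work the Manage permissions panel.
    for line in missing_for_automation(ASSIGNMENTS, "marek@contoso.example", SENTINEL_RG, PLAYBOOK_RG):
        print(line)
```

To run it against a real tenant, replace `ASSIGNMENTS` with the parsed output of `az role assignment list --all -o json` (the field names match) and set the two resource group ids; the check then tells you whether the gap is the user's own Owner assignment, as in this thread, or the service account's role on the playbook resource group.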