User missing from incident owners

Question

GreetingsI cannot understand an issue I'm facing. In our small team of SOC-analysts I, as a manager, is unable to add incidents to one of the analysts. His account isn't listed as a possible owner and isn't found when searching for it. He can take ownership of incidents himself but cannot be assigned by someone else.Where exactly does Sentinel get the possible owners from? Both analysts have native EntraID accounts and the same roles in Sentinel and the LA workspace.&nbsp;PeaceFredrik

rutgersmeets · Answer

Hi Fredrik,Azure Portal obtains this information from Microsoft Graph.https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&amp;tabs=httpI recommend logging on to Microsoft Graph Explorer to see if the user shows up there. Make sure to override the maximum number of results using the $top parameter.My hunch is that the user might have non-ascii characters in their name, and that the search option does not account for that. A review of the output should confirm that.Rutger

rutgersmeets · Answer

Here’s a link to Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorerPlease make sure to log on (top right) and authorize the app.

Forum Discussion

User missing from incident owners

Share

Resources