SOLVED

User Risk Confirmation Using Logic Apps

Contributor

Hello,

We have been working on one of the playbooks available on https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Confirm-AADRiskyUser to confirm/dismiss user risks using playbook.

We deployed the playbook as a template, made required changes and tried triggering the playbook, but it failed.

Alternatively tried creating a fresh one with the same logic, but it failed.

1) System assigned identity didn't work

2) Tried with user assigned identity it failed

3) Tried with AD OAuth it failed as well.

App has user.readwrite.all permissions, managed identity was added into security administrator role and still the same result. 

The error that we encounter for all the 3 ways is "code: AccessDenied, message: Your account does not have access to this report or data. Please contact your global administrator to request access". Ironically the 1st http connector that fetches the data of the user works like a charm and for all the 3 identities. It's just that writing back is an issue. Is there anything that we are missing from our end?

 

Do we have playbooks for dismissing sign-in risks as well? If not, at least the API reference to create a playbook. I tried with adminconfirmedsafe but it didn't work.

Please assist.

5 Replies
You should configure the system assigned identity with the security admin role.

Or the app you have configured needs the permission 'IdentityRiskyUser.ReadWrite.All'

@Thijs Lecomte 

Many thanks for your response. However, if you check I have already mentioned that we have tried by assigning read.write permissions to the app and also tried by assigning security admin role to it and it still failed.

Could you share the permissions you have added to the app registration please?
In a screenshot if possible

@Thijs Lecomte

I've attached the screenshot. If this has worked for you, will it be possible for you to share the playbook with me, especially the HTTP writeback part?

Best Response confirmed by Pranesh1060 (Contributor)
Solution
You need to add application permissions, not delegated permissions
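
The difference named in the accepted answer is visible in the access token the Logic App presents to Microsoft Graph: application permissions appear in the `roles` claim of an app-only token, delegated permissions in the `scp` claim of a user token. The following is an added example, not part of the thread or of the Confirm-AADRiskyUser playbook; the helper names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, for diagnostics only.

```python
import base64
import json

REQUIRED = "IdentityRiskyUser.ReadWrite.All"  # permission named in the thread


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_grant(claims: dict, required: str = REQUIRED) -> str:
    """Report how, or whether, the token carries the required permission."""
    roles = claims.get("roles") or []            # application permissions
    scopes = (claims.get("scp") or "").split()   # delegated permissions
    if required in roles:
        return "application"
    if required in scopes:
        return "delegated"
    return "missing"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (hypothetical helper)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample claims, not taken from the thread.
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com",
                              "roles": ["User.ReadWrite.All", REQUIRED]})
DELEGATED = make_sample_token({"aud": "https://graph.microsoft.com",
                               "scp": f"User.Read {REQUIRED}"})
NO_RISK_ROLE = make_sample_token({"aud": "https://graph.microsoft.com",
                                  "roles": ["User.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY), ("delegated", DELEGATED), ("no risk role", NO_RISK_ROLE)]:
        print(f"{name:13s} -> {classify_grant(jwt_claims(tok))}")
```

A playbook that authenticates as itself (managed identity or client credentials) gets a token with no `scp` claim, so a permission consented only as delegated shows up here as `missing`.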