What’s new: Managed Identity for Azure Sentinel Logic Apps connector
Published Jan 17 2021 10:40 AM, by Microsoft

Now available: Grant permissions directly to a playbook to operate on Azure Sentinel, instead of creating additional identities. 

 

The Azure Sentinel Logic Apps connector is the bridge between Sentinel and playbooks, serving as the basis for incident automation scenarios. The connector requires an identity on whose behalf it operates on Azure Sentinel. Until now, you could do one of the following: use an Azure AD user that has been assigned an Azure Sentinel RBAC role, or create a service principal (for example, in the form of an Azure AD registered application) and grant it the Azure Sentinel RBAC role.

Each of these options has its advantages, but also limitations. Many would prefer not to authenticate a tool that generates automated actions with a user account: it is harder to audit (for example, using the incident table) which actions were taken by the user and which were made by the playbook, and it makes little sense to see, for example, new comments that were generated by a playbook appear as if a user authored them. Also, if the user leaves the organization, you need to update every connection that uses their identity.

The service principal connection type allows you to create a registered application and use it as the identity behind the connector. You can define what this app can do, who can access it, and what resources it can access. It is easy to delete it or replace its credentials if it is suspected to have been compromised. For these reasons it is good from a security perspective, but it still requires managing another identity in the cloud that has credentials and permissions which others could potentially use.

Now, with the availability of managed identity for the Azure Sentinel connector, you can grant permissions directly to the playbook (the Logic App workflow resource), so Sentinel connector actions operate on its behalf, as if it were an independent object with permissions on Azure Sentinel. This lowers the number of identities you have to manage and lets you grant access directly to the resource that performs the operations.

 

How does it work?

When you turn on this feature in the Logic App, the workflow is registered with Azure Active Directory and represented by an object ID. This identity can be assigned an Azure RBAC role on your Sentinel workspace. An API connection configured to use the managed identity is then referenced by the Azure Sentinel connector, so the connector's actions operate on the playbook's behalf.
 

How to use it? 

To start using this new capability: 

 

Turn on managed identity in the Logic Apps resource

  1. In the Logic Apps resource page, go to Identity.
  2. In the System assigned tab, turn the status toggle to On.
  3. Click on Save.

     You will get a notification that this playbook was registered with Azure Active Directory, and its object ID will appear.

 

Grant permission

  1. In Azure Sentinel, go to Settings -> Workspace settings -> Access control (IAM).
  2. Click on Add -> Add role assignment.
  3. Choose the Azure Sentinel Responder role, and search for the playbook name. Select it and click Save.

 

Authenticate to the Azure Sentinel connector

  1. In the Logic Apps designer, in any of the Azure Sentinel connector steps, select Connect with managed identity.
  2. Choose a name that will be affiliated with this connection, and click on Create.
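The three portal procedures above (and the object ID, role assignment and API connection described under "How does it work?") can be captured in a single Infrastructure-as-Code deployment. The following Bicep file is an added example written for this page, not code from the original post or from Microsoft: it enables a system-assigned identity on the playbook, assigns it the Azure Sentinel Responder role scoped to the workspace, and creates a managed-identity API connection that the workflow references. The playbook name and workspace name are placeholders, the workspace is assumed to live in the same resource group as the playbook, and the role definition ID is the built-in "Azure Sentinel Responder" role (since renamed "Microsoft Sentinel Responder"); verify it in your tenant as noted in the comments.

```bicep
// Added example (not from the original post): one Bicep deployment that does the
// three portal steps above: enable the system-assigned identity, grant Azure
// Sentinel Responder on the workspace, and create a managed-identity API
// connection. Assumptions: playbook and workspace share a resource group;
// names are placeholders.

@description('Name of the Logic App (playbook); placeholder')
param playbookName string = 'Sentinel-MI-Playbook-Example'

@description('Existing Log Analytics workspace hosting Sentinel (same resource group)')
param workspaceName string

param location string = resourceGroup().location

// Built-in role ID for "Azure Sentinel Responder" (now "Microsoft Sentinel Responder").
// Verify: az role definition list --name "Microsoft Sentinel Responder" --query "[].name"
param sentinelResponderRoleId string = '3e150937-b8fe-4cfb-8069-0eaf05ecd056'

var connectionName = 'azuresentinel-${playbookName}'
// Managed API of the Azure Sentinel connector for this subscription and region
var sentinelApiId = subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azuresentinel')
// Run-time lookup of the connection from the workflow's $connections parameter
var connRef = '@parameters(\'$connections\')[\'azuresentinel\'][\'connectionId\']'

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: workspaceName
}

// Step "Authenticate": parameterValueType 'Alternative' marks a managed-identity
// connection, so no credential is stored in the connection resource.
resource sentinelConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  kind: 'V1'
  properties: {
    displayName: connectionName
    parameterValueType: 'Alternative'
    api: { id: sentinelApiId }
  }
}

// Step "Turn on managed identity": identity.type 'SystemAssigned' registers the
// workflow in Azure AD; the object ID is exposed as identity.principalId.
resource playbook 'Microsoft.Logic/workflows@2019-05-01' = {
  name: playbookName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: { '$connections': { type: 'Object', defaultValue: {} } }
      triggers: {
        // "Azure Sentinel incident" trigger of the connector
        Microsoft_Sentinel_incident: {
          type: 'ApiConnectionWebhook'
          inputs: {
            body: { callback_url: '@{listCallbackUrl()}' }
            host: { connection: { name: connRef } }
            path: '/incident-creation'
          }
        }
      }
      actions: {
        // A comment written through this connection is attributed to the playbook identity
        Add_comment_to_incident: {
          type: 'ApiConnection'
          inputs: {
            method: 'post'
            body: {
              incidentArmId: '@triggerBody()?[\'object\']?[\'id\']'
              message: '<p>Automated comment from the playbook (constructed example)</p>'
            }
            host: { connection: { name: connRef } }
            path: '/Incidents/Comment'
          }
        }
      }
    }
    parameters: {
      '$connections': {
        value: {
          azuresentinel: {
            connectionId: sentinelConnection.id
            connectionName: connectionName
            id: sentinelApiId
            // This is what makes the connector call Sentinel as the playbook itself
            connectionProperties: { authentication: { type: 'ManagedServiceIdentity' } }
          }
        }
      }
    }
  }
}

// Step "Grant permission": Azure Sentinel Responder, scoped to the workspace only
resource responderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(workspace.id, playbook.id, sentinelResponderRoleId)
  scope: workspace
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', sentinelResponderRoleId)
    principalId: playbook.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// The object ID the portal shows after Save; useful when auditing incident changes
output playbookObjectId string = playbook.identity.principalId
```

Deploy it with `az deployment group create --resource-group <rg> --template-file playbook.bicep --parameters workspaceName=<workspace>`; the deploying principal needs permission to create role assignments (for example Owner or User Access Administrator on the workspace). The role assignment is scoped to the workspace rather than the subscription so the playbook can only act on that Sentinel instance, and because the identity is tied to the workflow resource, deleting the playbook also removes the principal and, with it, every permission it held. If the workspace sits in a different resource group, move the `roleAssignments` resource into a module deployed at that group's scope.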


Other connectors supporting managed identity

Thanks to a new Azure Logic Apps feature, more Azure AD-based connectors support this as well. Currently, the following connectors support managed identity:

Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook, Azure Automation, Azure Container Instance, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Monitor Logs, Azure Resource Manager, Azure Sentinel, HTTP with Azure AD.

 


Last update: Jan 17 2021 10:42 AM