Microsoft Tech Community

Azure Sentinel Automation (Preview) - Issue with Permission assignment


Hi @AzureSentinel Team,

I believe this is a bug unless there is any reason to do so.

At Azure Sentinel Automation (Preview), when I tried to assign permission for the logic app, I got the error below.

Please note: although I am the owner of the subscription, I am not able to assign the permission, whereas only a global admin with subscription ownership can do this role assignment.

Saving automation rule 'TEST 1' failed. Error: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.Logic/workflows/logicapp1', or Azure Sentinel is missing required permissions to verify the caller has permissions

Thanks.

18 Replies

@PrashTechTalk I think this is related to there being a requirement to allow Automation to kick off the playbook in the resource group that the playbook resides in. Go to the Azure Sentinel Settings menu option, then select Settings in the header, and expand Playbook permissions. Click on the "Configure permissions" button and assign the correct permissions to your resource group if it does not already have the permissions needed.

My query is that as an Owner of the subscription one cannot assign these permissions; instead it expects an elevated role like Global admin, which is not correct.
Hi all.
I'm facing the same issue here. Query is pretty simple and the automation is to run a Logic App to send emails with the incident's details.
Guess this is a bug, as I'm the owner and can't assign permissions as instructed before by @Gary Bushey.
Looking forward to getting more inputs.
Hi, @PrashTechTalk and @denismello

As mentioned here, even if you're the owner, you must have the Logic App Contributor role on any resource group containing playbooks you want to run.
I use this to fix the issue.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-inciden...
Are you working in a Lighthouse setup?

@Javier Soriano Hi Javier, yes, it is through an Azure Lighthouse setup.

Ok, that requires additional permissions. You need to grant Azure Sentinel Automation Contributor permissions to the Azure Security Insights app in the service provider tenant, to the RG where the playbooks are in the customer tenant. So basically you need to include this additional authorization in your Azure Lighthouse delegation.

Regards
That's interesting Javier, because we didn't need to do this

Perfect. Very same response from your support team as well on this issue. Good to highlight this in the documentation, or it may have improved since the time this issue was raised.

There are two main scenarios when managing cross-tenant automation rules:
• Automation rule created in the customer tenant is configured to run a playbook located in the service provider tenant. This approach is normally used to protect intellectual property in the playbook. Nothing special is required for this scenario to work. Just grant permissions to the relevant resource group where the playbook is located via Manage playbook permissions menu as explained here.
• Automation rule created in the customer tenant is configured to run a playbook located in the customer tenant. Used when there is no need to protect intellectual property. For this scenario to work, permissions to execute the playbook need to be granted to Azure Sentinel in both tenants. In the customer tenant, you grant them via Manage playbook permissions menu as explained here. To grant the relevant permissions to the service provider tenant, you need to include the Azure Security Insights app in your Azure Lighthouse delegation template with the Azure Sentinel Automation Contributor role. The scenario looks like this:
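An added example for the second scenario (not from this thread or from Microsoft's own sample templates): a subscription-scope ARM template that delegates only the playbook resource group through Azure Lighthouse and carries the extra authorization for the Azure Security Insights app. The tenant ID, the service principal's object ID and the resource group name are placeholders you supply; the role GUID is assumed to be the Azure Sentinel Automation Contributor built-in role, which you can confirm with `az role definition list --name "Microsoft Sentinel Automation Contributor"` before deploying.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": { "type": "string", "metadata": { "description": "Placeholder: Azure AD tenant ID of the service provider tenant." } },
    "securityInsightsObjectId": { "type": "string", "metadata": { "description": "Placeholder: object ID of the 'Azure Security Insights' service principal in the service provider tenant (not its application ID)." } },
    "playbookResourceGroup": { "type": "string", "metadata": { "description": "Resource group in the customer tenant that contains the playbooks." } }
  },
  "variables": {
    "sentinelAutomationContributorRoleId": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
    "registrationName": "[guid(subscription().id, parameters('playbookResourceGroup'), 'sentinel-playbook-definition')]",
    "assignmentName": "[guid(subscription().id, parameters('playbookResourceGroup'), 'sentinel-playbook-assignment')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "Sentinel playbook triggering",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [ {
          "principalId": "[parameters('securityInsightsObjectId')]",
          "principalIdDisplayName": "Azure Security Insights",
          "roleDefinitionId": "[variables('sentinelAutomationContributorRoleId')]"
        } ]
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "sentinel-playbook-assignment",
      "resourceGroup": "[parameters('playbookResourceGroup')]",
      "dependsOn": [ "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [ {
            "type": "Microsoft.ManagedServices/registrationAssignments",
            "apiVersion": "2019-06-01",
            "name": "[variables('assignmentName')]",
            "properties": { "registrationDefinitionId": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" }
          } ]
        }
      }
    }
  ]
}
```

Any authorizations you already delegate to analysts (for example a group with Azure Sentinel Contributor) go in the same `authorizations` array; the template is deployed in the customer tenant with `az deployment sub create`.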

yes, we're adding this to the official docs this week
Thijs, did you create the automation rules while logged in the service provider tenant?

@Javier Soriano - I noticed an interesting one here.

Scenario 1: Unable to see Manage Permission link

Although I am an owner of the Azure subscription and have added the Logic App Contributor role to my user ID within the customer tenant, I am not able to see the Manage Permission link at the Sentinel automation rule. Why can't one edit the permission in this case?

Do you expect the user to have the Azure Sentinel Contributor role besides Owner and Logic App Contributor?

Scenario 2: Able to see Manage Permission link but cannot modify

With Azure Lighthouse, after including delegation of Azure Security Insights with the Azure Sentinel Contributor role from the service provider tenant, I am able to check its permission but not change it. This is acceptable as I am NOT in the service provider tenant, and with Azure Lighthouse a user can have at most a Contributor role.

Thanks all for your inputs.
To answer Javier's comments, I want to add that I'm using a Visual Studio subscription. Is this an issue?
It is really simple to reproduce the error: I go to "Automation" (on Azure Sentinel tab), then I click on "Create new automation rule".
After selecting the options and the Playbook I want to run, I got the error: "Failed to save automation rule. Save the automation rule 'XXX' failed. Error: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/a1040a9c-a6129-4918-b809-922ee8ccf811/resourceGroups/Azure_Sentinel_name/provide... or Azure Sentinel is missing required permissions to verify the caller has permissions.

If you want to set up a call to go through this, please let me know.

Regards.
For scenario #1... how can you have Owner on the subscription via Lighthouse? That role is not allowed in a Lighthouse delegation: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/tenants-users-roles#role-support-for-azur...

For scenario #2, the Azure Security Insights app must have Azure Sentinel Automation Contributor (not Azure Sentinel Contributor).
Are you also working in a Lighthouse setup or in a single AAD tenant setup? If you're working in a single tenant, these instructions should work: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-inciden...

For the multi-tenant scenario, we have now added the proper instructions here: https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules#per...
Adding more details to those scenarios.

Scenario #1
I never mentioned I am the owner through Azure Lighthouse instead I am the guest user existing in the primary tenant.

Scenario #2
Already assigned the Azure Sentinel Automation Contributor through Azure Lighthouse template deployment, as stated earlier in my message.

In my scenario I am using an analytics rule and a runbook, both in the primary tenant. I have Contributor-level permissions on the resource group containing Sentinel and the logic apps; the RG containing the runbook is already allowed permission to run the runbook from Sentinel Settings runbook permissions.

When I try to run the runbook from incident alerts I am getting Missing Permissions to view playbook runs.

We are using Lighthouse, but here we are not doing anything cross-tenant in terms of Sentinel.

I have the Sentinel Contributor role on the Lighthouse level as well.

@Javier Soriano 

I am managing a customer's Sentinel and want to run response playbooks from under the Incidents tab.

None of the resources are in my Sentinel; in fact I do not have any Sentinel deployed. Do I still need to delegate the Automation Contributor role to the Azure Security Insights app?

If yes, I do not see it in the Enterprise applications menu.