Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

AzureAD group membership as a condition

Brass Contributor

I am trying to create a playbook that checks a user against an AzureAD group.  If the user is a member of the group it will perform one action (open ticket in service now) and if they are not a member it will perform a different one (create a powershell script to reset the password).

 

I create the check AzureAD group membership action and then create a condition based off that action.  when I add the check AzureAD group result to the condition, it automatically places it within a for each loop.  The result is, if the user is a member of the group it will successfully execute the True branch of the condition.  But if the user is not a member of the group, the check AzureAD group action returns a null value, so the for each action never fires and the false branch of the condition never fires.

 

I tried to work around this by using the list AzureAD group members action instead.  In this case, each member of the group is listed as a result.  If the user is a member of the group, it will execute the true branch once and then the false branch one time for each other member of the group.

 

Is there a workaround for this use case?

7 Replies

@andrew_bryant 

 

@Chris Boehm: Is this something you can help with? 

@andrew_bryant 

 

When you're setting up the actions in the playbooks, are you setting up a condition based on the previous data? My example:

 

1. When Azure Sentinel alert is triggered do the following:

2. Check group Membership with entities from the alert based on X group name.

3. Used the For Each template: If the Body of the message is "True" do the following, if it's "False" do the following. I'm using the connectors within the body. 

 

 

Annotation 2019-04-29 095230.png

 

Hope this helps,

@Chris Boehm 

 

Hi Chris,

 

That is how I set it up, with one exception.  I run a log query against the sentinel alert to get the username.  Then I use the username in the check group membership step.  Otherwise it is set up like you show.  When I run against a user not in the group the false branch does not run.  I think it is because the output body of the check membership step shows as "[]".  So since it is null it does not execute the next for each step.

@Chris Boehm 

 

Chris,

 

Any other suggestions on how to try this?

 

Thanks,

 

Andrew

Hi @andrew_bryant 

 

First, as discussed in another thread (and for the benefit of others), you don't need to query the Workspace but can rather extract the user names for an alert using the Sentinel connector actions. 

 

2019-05-05 03_57_19-Clipboard.png

 

As to your question, did you try to use an expression on the returned value rather than using it directly? I didn't try, but Length below looks promising.

 

2019-05-05 03_59_47-Logic Apps Designer - Microsoft Azure - portal.azure.com.png 

@Ofer_Shezaf 

 

Interestingly, when I switched the action from querying the alert ID with log analytics to getting the account name from the sentinel alert it allowed me to create the condition under check group membership without putting it in its own for each loop.  It wasn't allowing me to do that before.  So now I can just create the condition to check whether the body equals the group ID.  Tested it out and it works.

 

Thanks,

@andrew_bryant 

 

Good to know. My guess is that the challenge is all JSON transformation. We need to learn more about Logic App JSON handling. We will share our findings.

 

~ Ofer