Forum Discussion
AzureAD group membership as a condition
Hi Chris,
That is how I set it up, with one exception. I run a log query against the Sentinel alert to get the username. Then I use the username in the check group membership step. Otherwise it is set up like you show. When I run against a user not in the group, the false branch does not run. I think it is because the output body of the check membership step shows as "[]". So since it is null it does not execute the next for each step.
First, as discussed in another thread (and for the benefit of others), you don't need to query the Workspace but can rather extract the user names for an alert using the Sentinel connector actions.
As to your question, did you try to use an expression on the returned value rather than using it directly? I didn't try, but Length below looks promising.
- andrew_bryant, May 10, 2019, Brass Contributor
Interestingly, when I switched the action from querying the alert ID with Log Analytics to getting the account name from the Sentinel alert, it allowed me to create the condition under check group membership without putting it in its own for each loop. It wasn't allowing me to do that before. So now I can just create the condition to check whether the body equals the group ID. Tested it out and it works.
Thanks,
- Ofer_Shezaf, May 12, 2019, Microsoft
Good to know. My guess is that the challenge is all JSON transformation. We need to learn more about Logic App JSON handling. We will share our findings.
~ Ofer
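
The `length()` idea raised earlier in the thread, written out as a Logic App condition in code view. This is an added example, not taken from any participant's playbook. A For each over an empty `[]` body runs zero iterations, so neither branch inside it executes; testing the array length directly lets the false branch run for non-members. The action names `Check_group_membership`, `Condition_user_in_group`, `User_is_in_group` and `User_is_not_in_group` are assumptions, and the Compose actions are placeholders for the playbook's real steps.

```json
{
  "actions": {
    "Condition_user_in_group": {
      "type": "If",
      "description": "Added example. Assumes the preceding action is named Check_group_membership and returns an array that is empty ([]) when the user is not a member.",
      "runAfter": {
        "Check_group_membership": [ "Succeeded" ]
      },
      "expression": {
        "and": [
          {
            "greater": [
              "@length(body('Check_group_membership'))",
              0
            ]
          }
        ]
      },
      "actions": {
        "User_is_in_group": {
          "type": "Compose",
          "description": "Placeholder for the true branch (user is a member).",
          "inputs": "member",
          "runAfter": {}
        }
      },
      "else": {
        "actions": {
          "User_is_not_in_group": {
            "type": "Compose",
            "description": "Placeholder for the false branch; runs when the body is [].",
            "inputs": "not a member",
            "runAfter": {}
          }
        }
      }
    }
  }
}
```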