Jul 24 2022 01:13 AM
Hi,
I am a security engineer and I have just started using Sentinel and Logic Apps for the first time.
I have been adding various out-of-the-box playbooks etc. and triggering them in my lab.
One playbook I am keen to see working is Block-AADUser.
This is available on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
I have followed the post-deployment steps:
1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity -
2. Assign API permissions to the managed identity so that we can search for user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have Azure AD PowerShell module, you will have to install it and connect to Azure AD PowerShell module.
I am confused by the part 3 instruction:
3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections
Does this simply mean within the login app that I need to connect using an account that has permissions in both Azure and Office365, or do I need to add additional steps into the playbook to connect this playbook to Office365 or Azure?
Jul 24 2022 10:59 AM
Hello @danb1967,
"Does this simply mean within the login app that I need to connect using an account that has permissions in both Azure and Office365" - this is exactly what you need to do. You can also open the Logic App -> API Connections -> Open each connection and go to "Edit API Connection" -> Authorize it.
You can also configure connections with Managed Identity or Service Principal.
Jul 31 2022 01:16 AM