cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block-AADUser - Azure Sentinel Playbook

danb1967
Copper Contributor

‎Jul 24 2022 01:13 AM

‎Jul 24 2022 01:13 AM

Block-AADUser - Azure Sentinel Playbook

Hi,

I am a security Engineer and I have just started using Sentinel and Logic Apps for the first time.

 

I have been adding various out of the box playbooks etc and triggering them in my lab.

 

One playbook I am keen to see working is Block-AADUser/

 

This is available on github https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

 

I have followed the post deployment steps 

 

1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity - 


2. Assign API permissions to the managed identity so that we can search for user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have Azure AD PowerShell module, you will have to install it and connect to Azure AD PowerShell module. 

 

I am confused at part 3 instruction

 

3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections

 

Does this simply mean within the login app that I need to connect using an account that has permissions in both Azure and Office365 or do I need to ad additional steps into the playbook to connect this playbook to office365 or azure?

 

Labels:
2,708 Views
0 Likes
2 Replies
Reply
2 Replies
mikhailf

‎Jul 24 2022 10:59 AM

‎Jul 24 2022 10:59 AM

Re: Block-AADUser - Azure Sentinel Playbook

Hello @danb1967,

"Does this simply mean within the login app that I need to connect using an account that has permissions in both Azure and Office365" - this is exactly what you need to do. You can also open the Logic App -> API Connections -> Open each connection and go to "Edit API Connection" -> Authorize it.

 

You can also configure connections with Managed Identity or Service Principal.

0 Likes
Reply
danb1967

‎Jul 31 2022 01:16 AM

‎Jul 31 2022 01:16 AM

Re: Block-AADUser - Azure Sentinel Playbook

Hi,

I am using a managed identity to run this.

When I run the trigger the playbook completes but when I look into the run details I see that most of the actions seem to be 'skipped'

When I click into these I see errors like

{"code":"ActionConditionFailed","message":"The execution of template action 'Update_user_-_disable_user' is skipped: there are no items to repeat."}

So I have misconfigured something somewhere.

How best to troubleshoot this or has anyone here seen these types of errors before?

Should I be using the managed identity as the connection for all section of the logic app? If I open the logic app and breakdown each part I can connect various different accounts.

0 Likes
Reply