Microsoft Tech Community

Block-AADUser - Azure Sentinel Playbook

Hi,

I am a security engineer and I have just started using Sentinel and Logic Apps for the first time.

I have been adding various out-of-the-box playbooks, etc., and triggering them in my lab.

One playbook I am keen to see working is Block-AADUser.

This is available on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

I have followed the post-deployment steps:

1. Assign the Microsoft Sentinel Responder role to the playbook's managed identity.

2. Assign API permissions to the managed identity so that we can search for the user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have the Azure AD PowerShell module, you will have to install it and connect to Azure AD PowerShell.

I am confused by the part 3 instruction:

3. Open the playbook in the Logic App Designer and authorize the Azure AD and Office 365 Outlook Logic App connections.

Does this simply mean that within the Logic App I need to connect using an account that has permissions in both Azure and Office 365, or do I need to add additional steps to the playbook to connect it to Office 365 or Azure?
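For step 2 of the post-deployment list above, here is an added example (not code from the original post, and not the Block-AADUser repository's own script) that uses the Azure AD PowerShell module to grant Microsoft Graph application permissions to the playbook's managed identity and then lists what the identity actually holds, so a missing grant shows up before the playbook is run. The permission names User.Read.All and User.ReadWrite.All are an assumption about what a user-lookup and disable step needs; check the playbook's README for the exact set. The object ID is a placeholder for the value shown on the Logic App's Identity blade.

```powershell
# Added example, not from the original thread or the Block-AADUser repository.
# Grants Microsoft Graph app roles to the playbook's managed identity (AzureAD module)
# and verifies the resulting assignments.
# ASSUMPTION: the permission set below is a guess at what the playbook needs.
# PLACEHOLDER: replace the object ID with the one from the Logic App's Identity blade.
$ManagedIdentityObjectId = "<managed-identity-object-id>"
$GraphAppId              = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID
$RequiredPermissions     = @("User.Read.All", "User.ReadWrite.All") # assumed set

Connect-AzureAD | Out-Null

# Resolve the Graph service principal (the resource) and the managed identity (the principal)
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$miSp    = Get-AzureADServicePrincipal -ObjectId $ManagedIdentityObjectId

# Assignments already granted on Graph to this managed identity
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $miSp.ObjectId }

foreach ($perm in $RequiredPermissions) {
    # Application permissions are the Graph app roles whose AllowedMemberTypes include "Application"
    $appRole = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $appRole) {
        Write-Warning "App role '$perm' was not found on the Microsoft Graph service principal"
        continue
    }
    if ($existing | Where-Object { $_.Id -eq $appRole.Id }) {
        Write-Output "Already assigned: $perm"
        continue
    }
    New-AzureADServiceAppRoleAssignment -ObjectId $miSp.ObjectId -PrincipalId $miSp.ObjectId `
        -ResourceId $graphSp.ObjectId -Id $appRole.Id | Out-Null
    Write-Output "Assigned: $perm"
}

# Verification: every Graph app role the managed identity now holds, by name
$assigned = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $miSp.ObjectId }
foreach ($a in $assigned) {
    $roleValue = ($graphSp.AppRoles | Where-Object { $_.Id -eq $a.Id }).Value
    Write-Output "Granted on Microsoft Graph: $roleValue"
}
```

The script is idempotent: re-running it reports the roles that are already present instead of creating duplicate assignments. The final listing is the part worth keeping as a check, since an identity that lacks the read permission will make the user-lookup action return nothing rather than fail loudly.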

2 Replies

Hello @danb1967,

"Does this simply mean that within the Logic App I need to connect using an account that has permissions in both Azure and Office 365" - this is exactly what you need to do. You can also open the Logic App -> API Connections -> open each connection and go to "Edit API Connection" -> Authorize it.

You can also configure connections with Managed Identity or Service Principal.

Hi,

I am using a managed identity to run this.

When I run the trigger, the playbook completes, but when I look into the run details I see that most of the actions seem to be 'skipped'.

When I click into these I see errors like:

{"code":"ActionConditionFailed","message":"The execution of template action 'Update_user_-_disable_user' is skipped: there are no items to repeat."}

So I have misconfigured something somewhere.

How best to troubleshoot this or has anyone here seen these types of errors before?

Should I be using the managed identity as the connection for all sections of the Logic App? If I open the Logic App and break down each part, I can connect various different accounts.
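The "there are no items to repeat" message is what Logic Apps reports when a For each action receives an empty collection: the actions inside the loop are skipped rather than failed, so the place to look is the output of the action that feeds the loop (for this playbook, the account entities taken from the incident) and whether the identity behind it had permission to return anything. As an added troubleshooting example (not from the original thread or the playbook repository), the script below uses the Az PowerShell module to confirm the two things from post-deployment steps 1 and 3 that silently produce empty results when missing: that the managed identity holds the Microsoft Sentinel Responder role, and that each API connection in the playbook's resource group reports a Connected status. The three values at the top are placeholders.

```powershell
# Added example, not from the original thread or the Block-AADUser repository.
# Verifies (1) the Sentinel Responder role assignment and (3) API connection authorization
# using the Az module (Az.Accounts, Az.Resources).
# PLACEHOLDERS: replace the three values below with your own.
$ManagedIdentityObjectId = "<managed-identity-object-id>"
$SentinelResourceGroup   = "<resource-group-of-the-sentinel-workspace>"
$PlaybookResourceGroup   = "<resource-group-of-the-logic-app>"

Connect-AzAccount | Out-Null

# Step 1 check: is the Microsoft Sentinel Responder role assigned to the managed identity
# at (or above) the workspace's resource group?
$role = Get-AzRoleAssignment -ObjectId $ManagedIdentityObjectId `
    -RoleDefinitionName "Microsoft Sentinel Responder" -ResourceGroupName $SentinelResourceGroup
if ($role) {
    foreach ($r in $role) { Write-Output "OK: Microsoft Sentinel Responder assigned at scope $($r.Scope)" }
} else {
    Write-Warning "Missing: Microsoft Sentinel Responder is not assigned to $ManagedIdentityObjectId in $SentinelResourceGroup"
}

# Step 3 check: every API connection (Microsoft.Web/connections) used by playbooks in this
# resource group should report a "Connected" status; anything else means it was never
# authorized or its authorization has lapsed.
$connections = Get-AzResource -ResourceGroupName $PlaybookResourceGroup `
    -ResourceType "Microsoft.Web/connections" -ExpandProperties
if (-not $connections) {
    Write-Warning "No API connections found in $PlaybookResourceGroup"
}
foreach ($c in $connections) {
    $status = ($c.Properties.statuses | Select-Object -First 1).status
    if ($status -eq "Connected") {
        Write-Output "OK: connection '$($c.Name)' is Connected"
    } else {
        Write-Warning "Connection '$($c.Name)' reports status '$status'; open it in the portal and authorize it"
    }
}
```

Run this in the same subscription as the workspace and the playbook. If both checks pass and the loop is still empty, the next thing to inspect in the run history is the output of the action just before the For each, to see whether the triggering incident actually carried any account entities.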