Cross Tenancy Automated Response Powershell

New Contributor

Hello Community,

 

I am stumbling on the following problem:

 

- I have a script that creates the automation response rules for a specific tenant. 

 

Now this works like a charm when the Logic App is in the same tenant and subscription. 

 

But I am stumbling on the error that a different tenant with a different subscription does not accept it because it is missing Microsoft.SecurityInsights/alertRules/read permissions.

 

My questions:

- Is it possible at all to add an automation rule with a logic app located at a different tenant?

If yes, how to do so?

 

The current Powershell Script:

```

$SentinelConnection = @{
ResourceGroupName = "resourcegroupwithsentinel"
WorkspaceName = "azuresentinel"
}

$LogicAppConnection = @{
ResourceGroupName = "resourcegroupwithlogicappindifferenttenant"
Name = "logicappname"
}

$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName "Microsoft_Sentinel_alert"
$AlertRules = Get-AzSentinelAlertRule @SentinelConnection
foreach ($rule in $AlertRules){
New-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
}

```

1 Reply

@asterictlvdw 

 

I found out how to fix the issue and not get the error anymore. Turns out you have to authenticate twice. 1 for the tenant the Automation Rule needs to be applied to and 1 for the tenant that contains the Logic App. What I have done:

 

- Created Parameters for mandatory user input
- Created some Optional Parameters for user input
- Saved the Connect-AzAccount Profiles to variables (2)
- Executed the correct profile for based on the script. The LogicAppRules commands needed to have the DefaultProfile of the environment where the sentinel environment was connected to.

The full solution code is as followed:

```
Write-Host "Please Connect to Tenant with Account that manages Sentinel Environment: $($DestinationResourceGroupName)\$($DestinationWorkpaceName) first!"
$DestinationProfile = Connect-AzAccount -Subscription $DestinationID -ErrorAction Stop
Write-Host "Please Connect to Tenant with Account that manages LogicApp: $($LogicAppResourceName)\$($LogicAppName)!"
$SourceProfile = Connect-AzAccount -Subscription $SourceID -ErrorAction Stop

$SentinelConnection = @{
ResourceGroupName = $DestinationResourceGroupName
WorkspaceName = $DestinationWorkpaceName
}

$LogicAppConnection = @{
ResourceGroupName = $LogicAppResourceName
Name = $LogicAppName
}

function CreateAutomationRule(){
$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
$TriggerName = (Get-AzLogicAppTrigger @LogicAppConnection).Name
$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName $TriggerName
$AlertRules = Get-AzSentinelAlertRule @SentinelConnection -DefaultProfile $DestinationProfile
foreach ($rule in $AlertRules){
New-AzSentinelAlertRuleAction @SentinelConnection -DefaultProfile $DestinationProfile -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
}
}
CreateAutomationRule
```