cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cross Tenancy Automated Response Powershell

asterictlvdw
Copper Contributor

‎Sep 26 2022 01:31 AM

‎Sep 26 2022 01:31 AM

Cross Tenancy Automated Response Powershell

Hello Community,

 

I am stumbling on the following problem:

 

- I have a script that creates the automation response rules for a specific tenant. 

 

Now this works like a charm when the Logic App is in the same tenant and subscription. 

 

But I am stumbling on the error that a different tenant with a different subscription does not accept it because it is missing Microsoft.SecurityInsights/alertRules/read permissions.

 

My questions:

- Is it possible at all to add an automation rule with a logic app located at a different tenant?

If yes, how to do so?

 

The current Powershell Script:

```

$SentinelConnection = @{
ResourceGroupName = "resourcegroupwithsentinel"
WorkspaceName = "azuresentinel"
}

$LogicAppConnection = @{
ResourceGroupName = "resourcegroupwithlogicappindifferenttenant"
Name = "logicappname"
}

$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName "Microsoft_Sentinel_alert"
$AlertRules = Get-AzSentinelAlertRule @SentinelConnection
foreach ($rule in $AlertRules){
New-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
}

```

382 Views
0 Likes
1 Reply
Reply
1 Reply
asterictlvdw

‎Sep 26 2022 05:51 AM

‎Sep 26 2022 05:51 AM

Re: Cross Tenancy Automated Response Powershell

@asterictlvdw 

 

I found out how to fix the issue and not get the error anymore. Turns out you have to authenticate twice. 1 for the tenant the Automation Rule needs to be applied to and 1 for the tenant that contains the Logic App. What I have done:

 

- Created Parameters for mandatory user input
- Created some Optional Parameters for user input
- Saved the Connect-AzAccount Profiles to variables (2)
- Executed the correct profile for based on the script. The LogicAppRules commands needed to have the DefaultProfile of the environment where the sentinel environment was connected to.

The full solution code is as followed:

```
Write-Host "Please Connect to Tenant with Account that manages Sentinel Environment: $($DestinationResourceGroupName)\$($DestinationWorkpaceName) first!"
$DestinationProfile = Connect-AzAccount -Subscription $DestinationID -ErrorAction Stop
Write-Host "Please Connect to Tenant with Account that manages LogicApp: $($LogicAppResourceName)\$($LogicAppName)!"
$SourceProfile = Connect-AzAccount -Subscription $SourceID -ErrorAction Stop

$SentinelConnection = @{
ResourceGroupName = $DestinationResourceGroupName
WorkspaceName = $DestinationWorkpaceName
}

$LogicAppConnection = @{
ResourceGroupName = $LogicAppResourceName
Name = $LogicAppName
}

function CreateAutomationRule(){
$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
$TriggerName = (Get-AzLogicAppTrigger @LogicAppConnection).Name
$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName $TriggerName
$AlertRules = Get-AzSentinelAlertRule @SentinelConnection -DefaultProfile $DestinationProfile
foreach ($rule in $AlertRules){
New-AzSentinelAlertRuleAction @SentinelConnection -DefaultProfile $DestinationProfile -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
}
}
CreateAutomationRule
```

0 Likes
Reply