Forum Discussion
myprofile490
May 13, 2022 Copper Contributor
Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is when a user account (not admin) changes its authentication method, an alert is triggered and then I run built-in playbo...
mikhailf
May 14, 2022 Iron Contributor
By the way, did you give the following permissions to the app: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All?
The user that connects the block "Update user" with Azure AD must have sufficient permissions and not the app itself.
myprofile490
May 14, 2022 Copper Contributor
mikhailf I go to Azure AD -> Enterprise Application -> Azure Logic App -> permission, and I found the following permissions. I don't know how to assign more permissions, and I guess User.ReadWrite.All, Directory.ReadWrite.All cover User.Read.All, Directory.Read.All:
Best Regards,
An
- myprofile490 May 14, 2022 Copper Contributor
Oh sorry, maybe you are correct, PATCH alert is not supported for Azure Sentinel.
- myprofile490 May 14, 2022 Copper Contributor
mikhailf There are 2 APIs for the "Update user" and I authorized both of them:
Regarding the support table from the link you mentioned, I don't see Azure AD there. There is Azure AD IP, which is different from Azure AD, I guess. I have tried Incident instead of alert but I still get the same error.
Best Regards,
An
- mikhailf May 14, 2022 Iron Contributor
It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use managed identity or user? If it is a user, doesn't it have sufficient permissions to disable another user's account?
Could you try the second playbook for disabling AAD users? The one that is based on Incident.
And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/security-api-overview.md
There is a table with supported methods and systems.
Does that mean that PATCH method is not supported by Sentinel alerts?
- myprofile490 May 14, 2022 Copper Contributor
mikhailf I did that but it does not help.
- mikhailf May 14, 2022 Iron Contributor
What if you click on "Grant admin consent for Hoa Hung"?