cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Error when running playbook Block-AADUser-Alert

myprofile490
Occasional Contributor

‎May 13 2022 02:36 AM

‎May 13 2022 02:36 AM

Error when running playbook Block-AADUser-Alert

Hello,
I have personal account and I am trying Microsoft Sentinel. My senario is when user account (not admin) changes his authentication method, an alert is triggered and then I run built-in playbook Block-AADUser-Alert to disable this account. I get following error when running this playbook:
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"date": "2022-05-13T03:06:46",
"request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
"client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
}
}
}

 

I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized api connection,.. but it can not solve the issue. 

Would anyone help advise how to solve ? Is it because of personal account ?

Best Regards,

An

Labels:
2,051 Views
0 Likes
29 Replies
Reply
29 Replies
Gary Bushey

‎May 13 2022 03:42 AM

‎May 13 2022 03:42 AM

Re: Error when running playbook Block-AADUser-Alert

Does this only happen with one account? It sounds like there may be some fields for it missing. If other accounts work, I would try to compare the two and see if anything is missing.
0 Likes
Reply
myprofile490

‎May 13 2022 07:41 AM

‎May 13 2022 07:41 AM

Re: Error when running playbook Block-AADUser-Alert

I only create 3 accounts for testing, 1 admin and 2 normal users so the error happens for both non-admin accounts
0 Likes
Reply
mikhailf

‎May 13 2022 09:04 AM

‎May 13 2022 09:04 AM

Re: Error when running playbook Block-AADUser-Alert

I wonder why it is called "Resource" does not exist. Shouldn't it be "User" or "Account"?
Do you use this playbook from GitHub? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
0 Likes
Reply
myprofile490

‎May 14 2022 12:46 AM

‎May 14 2022 12:46 AM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf No, I use the built-in playbook and I guess they are the same:

myprofile490_0-1652514383201.png

Regards,

An

0 Likes
Reply
mikhailf

‎May 14 2022 01:20 AM

‎May 14 2022 01:20 AM

Re: Error when running playbook Block-AADUser-Alert

On the main Overview page, you have "Run History" with "Succeed" or "Failed" results.
Click on "Failed" and you will be able to debug the playbook. Find the part where you have a red X and open it. Share the results here.

And ensure that you do not have an "Invalid connection" message for any of the blocks.
0 Likes
Reply
myprofile490

‎May 14 2022 01:42 AM

‎May 14 2022 01:42 AM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf 

The playbook run succeeded, but the workflow get error at the operation that disable user:

myprofile490_0-1652517523921.pngmyprofile490_1-1652517588039.pngmyprofile490_2-1652517629170.pngmyprofile490_3-1652517760994.png

Best Regards,

An

0 Likes
Reply
mikhailf

‎May 14 2022 02:09 AM

‎May 14 2022 02:09 AM

Re: Error when running playbook Block-AADUser-Alert

Try this: https://developer.microsoft.com/en-us/graph/graph-explorer
On the left sid Sign-in to your account and then, run this query: GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} -> https://graph.microsoft.com/v1.0/users/leloc@hoahung353.onmicrosoft.com.
And check if you get 200 or 404.

If you get 200, everything is fine. And I assume the issue is with the Playbook itself.
1. Check the permissions of the user that is used to connect the Playbook to AAD.
2. Check the fields in "Update user" and "Entities - Get Account" blocks. Ensure that they don't have any extra symbols like / " [ etc.

I am going to try to simulate the same error in my environment and update you.
0 Likes
Reply
mikhailf

‎May 14 2022 02:31 AM

‎May 14 2022 02:31 AM

Re: Error when running playbook Block-AADUser-Alert

By the way, did you give the following permissions to the app: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All ?
The user that connects the block "Update user" with Azure AD must have sufficient permissions and not the app itself.
0 Likes
Reply
myprofile490

‎May 14 2022 02:32 AM

‎May 14 2022 02:32 AM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf Yes I tried graph explorer and when I use method GET then it works, but when I use method PATCH with request body { accountEnabled: false} as in the playbook, then I get not insufficient privilege although I have assigned all required permissions:

myprofile490_0-1652520410763.png

myprofile490_1-1652520565449.png

 

myprofile490_2-1652520653034.png

 

myprofile490_3-1652520767763.png

Regards,

An

0 Likes
Reply
myprofile490

‎May 14 2022 02:43 AM

‎May 14 2022 02:43 AM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf I go to Azure AD -> Enterprise Application -> Azure Logic App -> permission, I found following permissions. I don't know how to assign more permissions, and I guess User.ReadWrite.All, Directory.ReadWrite.All cover User.Read.All, Directory.Read.All:

myprofile490_0-1652521419000.png

Best Regards,

An

0 Likes
Reply
mikhailf

‎May 14 2022 03:18 AM

‎May 14 2022 03:18 AM

Re: Error when running playbook Block-AADUser-Alert

What if you click on "Grant admin consent for Hoa Hung"?
0 Likes
Reply
myprofile490

‎May 14 2022 03:21 AM

‎May 14 2022 03:21 AM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf I did that but it does not help.

0 Likes
Reply
best response confirmed by myprofile490 (Occasional Contributor)
mikhailf

‎May 14 2022 07:53 AM

‎May 14 2022 07:53 AM

Solution

Re: Error when running playbook Block-AADUser-Alert

It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use managed identity or user? If it is a user, doesn't it have sufficient permissions to disable another user's account?

Could you try the second playbook for disabling AAD users? The one that is based on Incident.

And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/securi...
There is a table with supported methods and systems.
Does that mean that PATCH method is not supported by Sentinel alerts?
0 Likes
Reply
myprofile490

‎May 14 2022 06:20 PM

‎May 14 2022 06:20 PM

Re: Error when running playbook Block-AADUser-Alert

@mikhailf There are 2 api for the "Update user" and I authroized both of them:

myprofile490_0-1652577410570.png

Regarding the support table from the link you mentioned, I don't see Azure AD there, There is Azure AD IP which is different from Azure AD, I guess. I have tried Incident instead of alert but I still get the same error

Best Regards,

An

0 Likes
Reply
myprofile490

‎May 14 2022 06:22 PM

‎May 14 2022 06:22 PM

Re: Error when running playbook Block-AADUser-Alert

oh sorry might be you are correct, PATCH alert is not supported for Azure Sentinel
0 Likes
Reply
myprofile490

‎May 15 2022 11:46 PM

‎May 15 2022 11:46 PM

Re: Error when running playbook Block-AADUser-Alert

I know the reason why - there is no attribute "accountEnabled" . If we use GET then we can see all attributes returned for this call and there is no "accountEnabled". I try other attribute like "mobiPhone", "mail", "officeLocation" and it works !@mikhailf 

1 Like
Reply
mikhailf

‎May 15 2022 11:52 PM

‎May 15 2022 11:52 PM

Re: Error when running playbook Block-AADUser-Alert

Sounds great!
I used GET now with my user and I don't see any parameter that allows me to disable my account.
Have you found anything?
0 Likes
Reply
mikhailf

‎May 16 2022 12:07 AM - edited ‎May 16 2022 01:05 AM

‎May 16 2022 12:07 AM - edited ‎May 16 2022 01:05 AM

Re: Error when running playbook Block-AADUser-Alert

@myprofile490 

 

But I don't think that this is the reason. The playbook below works well and I can disable users using it. (Only two parts Sentinel Alert and Update User). 

 

Test.PNG

0 Likes
Reply
mikhailf

‎May 16 2022 02:19 AM

‎May 16 2022 02:19 AM

Re: Error when running playbook Block-AADUser-Alert

@myprofile490 

One more thing. You don't need to provide Azure Logic Apps - Azure AD with any permissions.

What is the user that connects "Update user" part with AzureAD? 

Does it have permission to disable other accounts?Connected.png

0 Likes
Reply