Error when running playbook Block-AADUser-Alert

Occasional Contributor

I have personal account and I am trying Microsoft Sentinel. My senario is when user account (not admin) changes his authentication method, an alert is triggered and then I run built-in playbook Block-AADUser-Alert to disable this account. I get following error when running this playbook:
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '[\"\"]' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"date": "2022-05-13T03:06:46",
"request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
"client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"


I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized api connection,.. but it can not solve the issue. 

Would anyone help advise how to solve ? Is it because of personal account ?

Best Regards,


29 Replies
Does this only happen with one account? It sounds like there may be some fields for it missing. If other accounts work, I would try to compare the two and see if anything is missing.
I only create 3 accounts for testing, 1 admin and 2 normal users so the error happens for both non-admin accounts
I wonder why it is called "Resource" does not exist. Shouldn't it be "User" or "Account"?
Do you use this playbook from GitHub?

@mikhailf No, I use the built-in playbook and I guess they are the same:




On the main Overview page, you have "Run History" with "Succeed" or "Failed" results.
Click on "Failed" and you will be able to debug the playbook. Find the part where you have a red X and open it. Share the results here.

And ensure that you do not have an "Invalid connection" message for any of the blocks.


The playbook run succeeded, but the workflow get error at the operation that disable user:


Best Regards,


Try this:
On the left sid Sign-in to your account and then, run this query: GET{id | userPrincipalName} ->
And check if you get 200 or 404.

If you get 200, everything is fine. And I assume the issue is with the Playbook itself.
1. Check the permissions of the user that is used to connect the Playbook to AAD.
2. Check the fields in "Update user" and "Entities - Get Account" blocks. Ensure that they don't have any extra symbols like / " [ etc.

I am going to try to simulate the same error in my environment and update you.
By the way, did you give the following permissions to the app: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All ?
The user that connects the block "Update user" with Azure AD must have sufficient permissions and not the app itself.

@mikhailf Yes I tried graph explorer and when I use method GET then it works, but when I use method PATCH with request body { accountEnabled: false} as in the playbook, then I get not insufficient privilege although I have assigned all required permissions:









@mikhailf I go to Azure AD -> Enterprise Application -> Azure Logic App -> permission, I found following permissions. I don't know how to assign more permissions, and I guess User.ReadWrite.All, Directory.ReadWrite.All cover User.Read.All, Directory.Read.All:


Best Regards,


What if you click on "Grant admin consent for Hoa Hung"?

@mikhailf I did that but it does not help.

best response confirmed by myprofile490 (Occasional Contributor)
It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use managed identity or user? If it is a user, doesn't it have sufficient permissions to disable another user's account?

Could you try the second playbook for disabling AAD users? The one that is based on Incident.

And please, check this:
There is a table with supported methods and systems.
Does that mean that PATCH method is not supported by Sentinel alerts?

@mikhailf There are 2 api for the "Update user" and I authroized both of them:


Regarding the support table from the link you mentioned, I don't see Azure AD there, There is Azure AD IP which is different from Azure AD, I guess. I have tried Incident instead of alert but I still get the same error

Best Regards,


oh sorry might be you are correct, PATCH alert is not supported for Azure Sentinel

I know the reason why - there is no attribute "accountEnabled" . If we use GET then we can see all attributes returned for this call and there is no "accountEnabled". I try other attribute like "mobiPhone", "mail", "officeLocation" and it works !@mikhailf 

Sounds great!
I used GET now with my user and I don't see any parameter that allows me to disable my account.
Have you found anything?



But I don't think that this is the reason. The playbook below works well and I can disable users using it. (Only two parts Sentinel Alert and Update User). 




One more thing. You don't need to provide Azure Logic Apps - Azure AD with any permissions.

What is the user that connects "Update user" part with AzureAD? 

Does it have permission to disable other accounts?Connected.png