Permissions issue with Run-MDEAntivirus playbook

Copper Contributor



I am having a permissions issue with getting the playbook template ‘Run-MDEAntivirus’ working. So far I have:


  1. Given Microsoft Sentinel permissions to run playbooks in the correct Resource Group.
  2. Deployed the Playbook template from Sentinel (as at January 2023) with a system assigned managed identity.
  3. Used Powershell to grant the managed identity permissions ‘Machine.Scan’, ‘Machine.ReadWrite.All’ and ‘Machine.Read.All’
  4. Dropped an EICAR file on a host and watched the playbook trigger as expected.

Steps using the Sentinel connector inside the Logic app work (these all have green tickets and contain the expected data). The first MDE step ‘Machines - Get a Single Machine’ fails with a 403 error. Message it returns is ‘Missing application roles. API required roles: Machine.Read.All,Machine.ReadWrite.All, application roles ‘Machine.Scan’.


I am not clear where I need to add those privileges. My understanding is the Logic App is using the wdatp-Run-MDEAntivirus API connection which in turn is using the Managed Identity (that has the right privileges). Any suggestions on what to do next would be welcome.





2 Replies
Hello. Do you solve this issue?
Hi Mprossau,

I think that you might want to check that your API connection on the playbook also has permission for the following as listed:


Let me know if that fixes your issue.