Oct 03 2023 11:39 PM
Oct 03 2023 11:39 PM
I have two tenants where I test Azure Lighthouse and I'm having playbook permissions trouble while doing this.
In the "customer" tenant I have established Sentinel and Playbooks. In this tenant all permissions have been granted and I can succesfully trigger playbooks manually with the local account. Sentinel and playbooks share the same resoruce group.
Through Lighthouse I have granted the "service provider" tenant these roles to customer's resource group: Microsoft Sentinel Contributor, Logic App Contributor, Managed Services Registration assignment Delete Role, Reader and Template Spec Contributor. I have access to the customer's Sentinel through the service provider tenant , and in the service provider tenant I can succesfully create a playbook.
The problem is when I try to manually trigger the playbook I created in the service provider tenant, I receive this error:
"Caller is missing required playbook triggering permissions on playbook resource '[RESOURCE]', or Microsoft Sentinel is missing required permissions to verify the caller has permissions".
What permisson do I miss? I can't find any documents that describes what I'm missing.
Oct 05 2023 01:19 AMSolution
Oct 05 2023 03:30 AM - edited Oct 05 2023 03:31 AM
Thank you for the articles! I haven't actually found those two articles. I followed the last article and found the relevant information under
"An automation rule created in the customer workspace (while signed into the service provider tenant) is configured to run a playbook located in the customer tenant" which linked to this: https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincide...
Azure Security Insights in service provider tenant was missing Microsoft Sentinel Automation Contributor role. I added the role through Lighthouse and my issue is resolved.
Thank you for help!
Oct 23 2023 08:09 AM
I am managing a customer's Sentinel and want to run response playbooks from under the Incidents tab.
None of the resources are in my sentinel, infact I do not have any sentinel deployed. Still do I need to delegate Automation Contributor role to the Azure Security Insights app ?
If yes, I do not see it the Enterprise applications menu