SOLVED

Problem with Playbook permissions through Lighthouse

Copper Contributor

I have two tenants where I test Azure Lighthouse and I'm having playbook permissions trouble while doing this.

In the "customer" tenant I have established Sentinel and Playbooks. In this tenant all permissions have been granted and I can succesfully trigger playbooks manually with the local account. Sentinel and playbooks share the same resoruce group.

Through Lighthouse I have granted the "service provider" tenant these roles to customer's resource group: Microsoft Sentinel Contributor, Logic App Contributor, Managed Services Registration assignment Delete Role, Reader and Template Spec Contributor. I have access to the customer's Sentinel through the service provider tenant , and in the service provider tenant I can succesfully create a playbook.

 

The problem is when I try to manually trigger the playbook I created in the service provider tenant, I receive this error:

"Caller is missing required playbook triggering permissions on playbook resource '[RESOURCE]', or Microsoft Sentinel is missing required permissions to verify the caller has permissions".

 

What permisson do I miss? I can't find any documents that describes what I'm missing.

3 Replies

Thank you for the articles! I haven't actually found those two articles. I followed the last article and found the relevant information under
"An automation rule created in the customer workspace (while signed into the service provider tenant) is configured to run a playbook located in the customer tenant" which linked to this: https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincide...

Azure Security Insights in service provider tenant was missing Microsoft Sentinel Automation Contributor role. I added the role through Lighthouse and my issue is resolved.

Thank you for help!

@pednie i have a question for you and for maybe @Clive_Watson 

I am managing a customer's Sentinel and want to run response playbooks from under the Incidents tab.

None of the resources are in my sentinel, infact I do not have any sentinel deployed. Still do I need to delegate Automation Contributor role to the Azure Security Insights app ? 

If yes, I do not see it the Enterprise applications menu

 

1 best response