"Authorization failed" error for Logic app writing a comment to Sentinel Incident
I have created a managed identity named id-sentinel-playbook that is used in 2 logic apps. Both the logic apps retrieve information from different external apis and writes the results as comments into the Sentinel incident. The managed identity id-sentinel-playbook has been assigned 2 roles - Microsoft Sentinel Responder and Microsoft Sentinel Automation Contributor role (See screenshot). However when one of the logic apps transacts with Sentinel such as checking the watchlist or writing comment into a Sentinel incident, there is the 403 forbidden error (See screenshot). It works fine when I use my Azure account as connection for the logic app. The other logic app also works fine when the same managed identity id-sentinel-playbook is used as connection to Sentinel. I have compared the identity of both the logic apps and they are the same. I have also searched online for existing answers and all point to the managed identity having insufficient roles, however id-sentinel-playbook already has the Microsoft Sentinel Responder role and strangely the other logic app that writes comments into the Sentinel incident as well, works. Here is the screenshot of the logic app having the user managed identity. The other logic app has the same. Please help. I spent 2 days investigating this and have no more ideas on how to further investigate this😓.
Azure network security perimeter with storage accounts and Runbooks
I know this is a preview feature, and I don't know if it will be fixed in the future. The problem arises when you try to secure traffic between Azure serverless runbooks and a storage account. No matter what configuration you use, the runbook will access the storage account using a 10.x.x.x IP. That means you can't secure traffic using storage account firewall rules since private IPs are not allowed. I thought that with Azure's network security perimeter, this would be fixed since you can put your storage inside and specify that only resources from the subscription are allowed to access it. But no, it still doesn't work. Is Microsoft aware of this issue? I know you can use hybrid workers to get a public IP and so on, but that destroys the power of runbooks if you can't use the serverless option. Thanks for your time!
What service principal is used to authenticate Logic Apps to Azure resources?
This question is a bit more academic than practical, but I'm just trying to enhance my knowledge of how Azure authentication works under the hood. The default way to authenticate managed Logic Apps connections is through an OAuth popup asking you to grant permissions. Based on my reading of the Azure docs, this means that you're granting access to the delegated permissions of a service principal. For connectors that access the Graph API, such a service principal in your tenant with the correct delegated permissions: However, I'm struggling to find an equivalent service principal for connectors that use the Azure Resource Management API to interact with services like Log Analytics, sentinel, Logic Apps, etc. I do see a service principal called Azure Logic Apps, but it doesn't have any permissions associated with it. My understanding is that it would need to have the delegated permission user_impersonation to access Azure resources: So my questions here are What Service Principal is used for the OAuth connection to the Azure Resource Management API? If the Azure Logic Apps service principal is used, how is it able to connect to the ARM API without any permissions? Is there some Azure magic happening under the hood here?
Run Logic app if new virtual machine is created
Hello, I'm building logic app that get triggered on resource creation event by connecting it to event grid. my goal is only to run this if new vm is created however logic app get executed on every create success event. I noticed whenever there is deletion or creation on VM the logic app get triggered. Even in the event payload there is no difference between create and delete VM. how to limit the call of logic app only if new VM is created?
Adding users to an AD group with Azure Functions/Logic Apps
I want to add users to an Entra ID/Azure AD group. The list of users will be retrieved from a REST API call with Azure Functions, and then saved into a database, probably Azure SQL. I'm planning on then using Azure Logic Apps to connect the database to the AD group. How can I make the script run every time the REST API changes? Can I add users to the AD group from SQL? Is there a better way to go about this?Former Employer Abuse
My former employer, Albert Williams, president of American Security Force Inc., keeps adding my outlook accounts, computers and mobile devices to the company's azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?
Creating Logic App to Identify Low Storage Devices from Intune
Hello everyone, I’m seeking some assistance with creating a Logic App. I need to identify devices in Intune that have 5GB or less of available space and receive an email with the details of these devices, including their names. Is this achievable?Guide: How to Connect ServiceNow to Azure DevOps with a Fully Configurable, No-Code, 2-Way Sync
Let's talk about integrations. You need them because your business runs on too many different software systems that don't communicate with each other, so people end up working in data silos without a reliable source of truth. So each department ends up dealing with incomplete data or relying on inefficient and unreliable manual data transfer processes. So what are your options? Integrations break data silos, increase the capabilities of the entire software stack, improve overall efficiency, and provide you with real-time visibility and alignment. However integration requests are overflowing the backlogs of every IT department. Does that sound right? If not, let me know in the comments. Integration solutions today are either too basic, or excessively complicated, forcing you to default to a complex and costly solution provided by external consultants or you get to DIY like building an IKEA bedroom set without instructions. Unito is a Microsoft partner with a new integration for ServiceNow to Azure DevOps. What makes it different? It was designed with 2-way sync from the start in the form of a no-code platform that's still fully configurable. So you get 50+ powerful integrations right out of the box, and the ability to deeply customize and adapt them without writing or maintaining code. But you can if you want to. So anyone can sync records in ServiceNow to Azure DevOps work items with real-time 2-way updates between fields. How does it work? Users create low-code 2-way integrations called "flows". The flow represents the connection between ServiceNow and Azure DevOps. You start by selecting a table in ServiceNow and a project in ADO. Then, you choose a flow direction for item creation. Do you want manually created records to automatically add work items in ADO; vice versa; or both? Next, you set rules with an "if this, then that" logic to filter out unrelated records or work items. Typically you would add tags in ADO and only sync work items with those tags, but you can also filter by custom fields or any other native field. Finally, you set up a table of field mappings populated with drop-down menus that include data pulled from ServiceNow and ADO: Here's a longer guide to connecting Azure DevOps projects to ServiceNow tables. Let me know if you have any questions or comments!
azure automation hybrid worker platform best practice
Hi We're moving services around and checking that some of your architecture is according to best practices. What is the recommendations on where to install Azure automation hybrid worker? Can we install on an AD server? AD Sync Server? Dedicated server? Kind RegardsError Running Script in Runbook with System Assigned Managed Identity
Hello everyone, I could use some assistance, please. I'm encountering an error when trying to run a script within a runbook. I'm using PowerShell 5.1 with a system-assigned managed identity. The script works find without using the managed identiy via powershell outside of azure. Error: System.Management.Automation.ParameterBindingException: Cannot process command because of one or more missing mandatory parameters: Credential. at System.Management.Automation.CmdletParameterBinderController.PromptForMissingMandatoryParameters(Collection1 fieldDescriptionList, Collection1 missingMandatoryParameters) at System.Management.Automation.CmdletParameterBinderController.HandleUnboundMandatoryParameters I am using this script Connect-ExchangeOnline -ManagedIdentity -Organization domain removed for privacy reasons # Specify the user's mailbox identity $mailboxIdentity = "email address removed for privacy reasons" # Get mailbox configuration and statistics for the specified mailbox $mailboxConfig = Get-Mailbox -Identity $mailboxIdentity $mailboxStats = Get-MailboxStatistics -Identity $mailboxIdentity # Check if TotalItemSize and ProhibitSendQuota are not null and extract the sizes if ($mailboxStats.TotalItemSize -and $mailboxConfig.ProhibitSendQuota) { $totalSizeBytes = $mailboxStats.TotalItemSize.Value.ToString().Split("(")[1].Split(" ")[0].Replace(",", "") -as [double] $prohibitQuotaBytes = $mailboxConfig.ProhibitSendQuota.ToString().Split("(")[1].Split(" ")[0].Replace(",", "") -as [double] # Convert sizes from bytes to gigabytes $totalMailboxSize = $totalSizeBytes / 1GB $mailboxWarningQuota = $prohibitQuotaBytes / 1GB # Check if the mailbox size exceeds 90% of the warning quota if ($totalMailboxSize -ge ($mailboxWarningQuota * 0.0)) { # Send an email notification $emailBody = "The mailbox $($mailboxIdentity) has reached $($totalMailboxSize) GB, which exceeds 90% of the warning quota." Send-MailMessage -To "email address removed for privacy reasons" -From "email address removed for privacy reasons" -Subject "Mailbox Size Warning" -Body $emailBody -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential (Get-Credential) } } else { Write-Host "The required values(TotalItemSize or ProhibitSendQuota) are not available." }
