Feb 03 2024 02:52 AM
Hello,
I have to integrate running an antivirus scan into Azure Sentinel using a playbook (template Run MDE Antivirus - Incident Trigger).
According to the prerequisites, I need to grant some permissions using PowerShell commands.
"Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App."
From PowerShell, I enter the following commands:
$MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
I receive the following error message:
Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets.
Any idea?
PS: I'm not a developer...
Regards,
HA
Feb 03 2024 04:01 AM - edited Feb 03 2024 04:02 AM
Hi,
In PowerShell, just run the command Connect-AzureAD. This will trigger a sign-in prompt; sign in with the account that has the admin privileges assigned to it. Once you have run the command and signed in, copy and paste the prerequisite code.
Feb 03 2024 04:34 AM
Feb 03 2024 04:38 AM - edited Feb 03 2024 04:44 AM
Looks like '$MDEAppId'' in $MDEServicePrincipal should just be '$MDEAppId'. Delete one of the ' and try running it once more?
Feb 03 2024 04:54 AM
Feb 03 2024 05:05 AM - edited Feb 03 2024 05:21 AM
Hi,
I meant run all the code again from the prerequisites.
# Managed identity of the Logic App (Identity blade under Settings)
$MIGuid = 'Enter your managed identity guid here'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
# WindowsDefenderATP service principal and the first app role to grant
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$PermissionName = 'Machine.Scan'
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
# Second app role
$PermissionName = 'Machine.Read.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
# Third app role
$PermissionName = 'Machine.ReadWrite.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
I've made the fix I believe will resolve your issue in the above code. Before running it, please do Connect-AzureAD first, and make sure to enter your managed identity on the first line. To do that, click into the playbook, select Identity under Settings, and copy and paste the Object ID. Make sure to keep the ' ' and enter the object ID in between.
Feb 03 2024 08:14 AM
Feb 03 2024 12:17 PM - edited Feb 03 2024 12:30 PM
Solution
Hey @HA01329.
So your managed identity will have Scan permissions now. There's an issue with the PowerShell, and the $PermissionName variable (line 3) is what needs to be changed to fix the other two permission assignments.
My PowerShell isn't that good, so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.
This will flag errors, but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above, but it's a workaround until I look into PowerShell more!
(I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)
Have a good weekend :)
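The accepted answer grants the three app roles by editing line 3 and re-running the prerequisite script twice. The following is an added example, not code from the thread or from the playbook template, that does the same grant in one idempotent pass: it loops over the three permission names, skips roles the identity already holds (so a re-run produces no duplicate-assignment errors), and verifies the result. It uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) rather than the AzureAD module used in the thread, because that module is deprecated; Connect-MgGraph plays the role of Connect-AzureAD here and is what avoids the "You must call ... before calling any other cmdlets" error. The managed identity object ID is a placeholder you replace with the value from the Logic App's Identity blade; the MDE app ID and role names are the ones from the prerequisites above.

```powershell
# Added example: grant a Logic App managed identity the MDE app roles from the
# playbook prerequisites, idempotently, via the Microsoft Graph PowerShell SDK.
# Assumption: the signed-in account can consent to the two scopes requested below.

$MIObjectId  = '00000000-0000-0000-0000-000000000000'  # placeholder: Logic App > Identity > Object ID
$MDEAppId    = 'fc780465-2017-40d4-a0c5-307022471b92'  # WindowsDefenderATP app ID, as in the prerequisites
$Permissions = @('Machine.Scan', 'Machine.Read.All', 'Machine.ReadWrite.All')

# Sign in before calling any other cmdlet (Graph equivalent of Connect-AzureAD).
# Application.Read.All lets us read service principals; AppRoleAssignment.ReadWrite.All lets us grant roles.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$MI    = Get-MgServicePrincipal -ServicePrincipalId $MIObjectId
$MDESp = Get-MgServicePrincipal -Filter "appId eq '$MDEAppId'"
if (-not $MI -or -not $MDESp) {
    throw 'Managed identity or WindowsDefenderATP service principal not found in this tenant.'
}

# App role assignments the identity already holds on the MDE resource.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id -All |
    Where-Object { $_.ResourceId -eq $MDESp.Id }

foreach ($PermissionName in $Permissions) {
    # Same lookup as the prerequisite script: the application-type role with this value.
    $AppRole = $MDESp.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $AppRole) {
        Write-Warning "MDE does not expose an application role named '$PermissionName'; skipping."
        continue
    }

    if ($Existing.AppRoleId -contains $AppRole.Id) {
        Write-Host "Already assigned: $PermissionName"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id -PrincipalId $MI.Id `
        -ResourceId $MDESp.Id -AppRoleId $AppRole.Id | Out-Null
    Write-Host "Assigned: $PermissionName"
}

# Verification: print the role values now held on the MDE resource.
Write-Host 'Roles held on WindowsDefenderATP:'
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id -All |
    Where-Object { $_.ResourceId -eq $MDESp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($MDESp.AppRoles | Where-Object Id -eq $roleId).Value
    }
```

If the playbook only ever triggers a scan, trim the $Permissions array to what its actions actually call: every app role granted to the managed identity is available to anyone who can edit the Logic App, so granting Machine.ReadWrite.All when it is not needed widens that blast radius for no benefit.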
Feb 04 2024 11:45 PM