SOLVED

Block-AADUser Playbook - Permissions error


Hello,

I'm having some trouble implementing the "Block-AADUser Playbook" from the Microsoft Sentinel GitHub repo. I have already done the steps required:

  1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity
  2. Assign API permissions to the managed identity so that we can search for user's manager
  3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections

The logic app is failing in the "Update user - disable user" step:

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource 'xxxx' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "date": "2023-09-14T10:34:42",
      "request-id": "xxxx",
      "client-request-id": "xxxxx"
    }
  }
}

Additional info:

  • The "Update user - disable user" step is connected with the API connection created by the template "azuread-Block-AADUser-Incident".
  • The account I'm trying to disable does not have any Azure AD Roles.
  • Used the template from Microsoft Sentinel "Block-AADUser-Incident".

I have seen other discussions regarding this issue and I think it's a permission issue.

Does the account that authorizes the API Connection need to be a "Global Admin"? I have seen other people mention this but I can't find any documentation about it. I don't have a Global Admin account so I can't test this.

Is this true, or is there another issue I'm not seeing?


Thanks 

So in order to authenticate API connections you do need a Global Administrator to approve the API connections.

When this happens your permissions are used as the connection authentication; in this particular example you need permissions to Azure Active Directory from the Logic App, so the API connection needs the appropriate permissions to perform this function.

I think it's not a permission error at that point. The error message states it didn't find the resource. So my best guess is, the playbook fails to extract the proper ID or UPN (whatever is used in the HTML PUT action).

Thanks @Christian_Bartsch and @BillClarksonAntill for the responses.
I'm currently waiting for a Global Admin to authorize the API Connections.
Regarding the error, yes, it's strange that it is not a permissions error. I already tried using the user UPN and AAD User ID, on multiple users, and got the same error. The inputs to the "Update User" step are all OK.


I found a question regarding the same error but ended without a clear response.
Error when running playbook Block-AADUser-Alert - Microsoft Community Hub

Had a Global Admin authorize the API connections.
Still have the same error.

Any ideas?

Thanks
Can you provide the raw outputs and inputs of each action from the run history?

Sorry, I had made some changes to the logic app and forgot to revert them.
After the Global Admin authorized the API connection I have a different error message:

"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
  "date": "2023-09-20T08:47:00",
  "request-id": "c6e062ba-c64b-4e6b-xxxxx",
  "client-request-id": "c6e062ba-c64b-xxxxx"
}


Here are the permissions assigned to the API connection:

[screenshot: costaluisc_0-1695202352391.png]

The only action that has problems is the "Update User" action. I already tried changing just a field in the account and got the same error (the account is cloud only):

{
  "method": "patch",
  "path": "/v1.0/users/teste%40xxxxx.onmicrosoft.com",
  "host": {
    "connection": {
      "name": "/subscriptions/b77f631f-be70-4922xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuread-Block-AADUser-Incident"
    }
  },
  "body": {
    "accountEnabled": false
  }
}

I have also run only the "Update User" step with both the UPN and User ID typed directly in the action and got the same error.

I remember having the exact same struggle a few months ago. I ended up creating a Managed Identity that I connected to the playbook settings and then connected the Update User action to it, instead of authenticating an Enterprise App via OAuth. The Managed Identity needs:

1. Assign Password Administrator permission to managed identity.
2. Assign Microsoft Sentinel Responder permission to managed identity.

Good luck!

Thanks for the help.
Can you give me some pointers on how to do that?

The Azure AD connector does not natively support managed identities.

best response confirmed by costaluisc (Copper Contributor)
Solution

@costaluisc

Check out the below:

# Prerequisite: an authenticated AzureAD module session with rights to grant app roles.
# (Connect-AzureAD is not part of the original snippet; it is added here so the script runs on its own.)
Connect-AzureAD

# Object ID of the playbook's managed identity (it is a service principal in the tenant)
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known application ID of Microsoft Graph; its service principal exposes the app roles granted below
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application (not delegated) permissions the playbook needs. The "Application" filter
# ensures a delegated scope with the same name is never picked by mistake.
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

foreach ($PermissionName in $PermissionNames) {
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Grant the app role to the managed identity: the MI is both the object the assignment
    # hangs off and the principal receiving it; Microsoft Graph is the resource.
    New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}


This code snippet can be found here:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin

Thanks for the help @BillClarksonAntill and @Christian_Bartsch 

For other people that have the same error, I recommend that instead of using the "Disable User" action, you switch to an HTTP action and call the Graph API to disable the user (link). Then authenticate in the HTTP action with the playbook managed identity, after giving it the permissions stated in the documentation.
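To make that recommendation concrete, below is an added example (written for this thread, not taken from the original posts or from the Sentinel repo) of a Logic App HTTP action in workflow definition language that replaces the Azure AD connector's "Update user" action. It assumes the playbook has a system-assigned managed identity that has already been granted the User.ReadWrite.All application permission on Microsoft Graph, and that the target user's UPN or object ID is held in a workflow variable named UserPrincipalName (the action and variable names are choices made for this example).

```json
{
  "Disable_user_via_Graph": {
    "type": "Http",
    "inputs": {
      "method": "PATCH",
      "uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(variables('UserPrincipalName'))}",
      "headers": {
        "Content-Type": "application/json"
      },
      "body": {
        "accountEnabled": false
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        "audience": "https://graph.microsoft.com"
      }
    },
    "runAfter": {}
  }
}
```

The authentication block makes the Logic Apps runtime request a token for the playbook's own managed identity with Microsoft Graph as the audience, so the PATCH is authorized by the application permissions granted to that identity rather than by the delegated rights of whoever authorized the API connection, which is why the connector action kept failing with Authorization_RequestDenied in this thread. Graph answers 204 No Content on success; the same Authorization_RequestDenied from this action means the app role grant is missing or was made as a delegated permission instead of an application one. Updating a user who holds a directory role needs more than these Graph application permissions; that is the case the Block-AADUserOrAdmin playbook linked in the accepted answer addresses.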
