Sep 14 2023 07:49 AM - edited Sep 14 2023 07:58 AM
Hello,
I'm having some trouble implementing the "Block-AADUser Playbook" from the Microsoft Sentinel GitHub repo. I have already done the steps required:
The logic app is failing in the "Update user - disable user" step:
Additional info:
I have seen other discussions regarding this issue and I think it's a permission issue.
Does the account that authorizes the API Connection need to be a "Global Admin"? I have seen other people mention this but I can't find any documentation about it. I don't have a Global Admin account so I can't test this.
Is this true, or is there another issue I'm not seeing?
Thanks
Sep 14 2023 09:28 PM
Sep 17 2023 04:14 PM
Sep 18 2023 02:02 AM
Thanks @Christian_Bartsch and @BillClarksonAntill for the responses.
I'm currently waiting for a Global Admin to authorize the API Connections.
Regarding the error, yes, it's strange that it's not a permissions error. I already tried using the user UPN and the AAD User ID, on multiple users, and got the same error. The inputs to the "Update User" step are all OK.
I found a question regarding the same error, but it ended without a clear response.
Error when running playbook Block-AADUser-Alert - Microsoft Community Hub
Sep 19 2023 08:46 AM
Sep 19 2023 03:42 PM
Sep 20 2023 02:10 AM - edited Sep 20 2023 02:33 AM
Sorry, I had made some changes to the logic app and forgot to revert them.
After the Global Admin authorized the API connection, I have a different error message:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2023-09-20T08:47:00",
"request-id": "c6e062ba-c64b-4e6b-xxxxx",
"client-request-id": "c6e062ba-c64b-xxxxx"
}
Here are the permissions assigned to the API connection:
The only action that has problems is the "Update User". I already tried changing just a field in the account and got the same error (the account is cloud only):
{
"method": "patch",
"path": "/v1.0/users/teste%40xxxxx.onmicrosoft.com",
"host": {
"connection": {
"name": "/subscriptions/b77f631f-be70-4922xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuread-Block-AADUser-Incident"
}
},
"body": {
"accountEnabled": false
}
}
I have also run only the "Update User" step with both the UPN and User ID typed directly in the action and got the same error.
Sep 20 2023 04:05 PM
Sep 21 2023 01:23 AM - edited Sep 21 2023 01:25 AM
Thanks for the help.
Can you give me some pointers on how to do that?
The Azure AD connector does not natively support managed identities.
Sep 22 2023 09:16 PM
Solution
Check out the below
# Requires the AzureAD PowerShell module; sign in as an admin who can grant application permissions
Connect-AzureAD

# Object ID of the playbook's managed identity (the service principal shown under Enterprise applications)
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known application ID of the Microsoft Graph service principal
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application (not delegated) permissions to grant to the managed identity
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

foreach ($PermissionName in $PermissionNames) {
    # Resolve the Graph app role whose value matches the permission name and that can be held by an application
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    # Assign that app role to the managed identity (ObjectId and PrincipalId are both the identity's object ID)
    New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
This code snippet can be found here
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin
Sep 25 2023 01:44 AM - edited Sep 25 2023 01:45 AM
Thanks for the help @BillClarksonAntill and @Christian_Bartsch
For other people that have the same error, I recommend that instead of using the "Disable User" action, you switch to an HTTP action and call the Graph API to disable the user (link). Then authenticate in the HTTP action with the playbook managed identity, after granting the permissions stated in the documentation.
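The HTTP action described in the post above, written out as an added example (this is not code from the original thread or from the Azure-Sentinel repository). It assumes the Logic App has a system-assigned managed identity enabled, that identity has been granted the User.ReadWrite.All application permission on Microsoft Graph (for example with the script in the Solution post), the user's UPN or object ID is held in a hypothetical workflow variable named UserPrincipalName, and the action name Disable_user_via_Graph and the empty runAfter are placeholders to be adapted to the surrounding workflow.

```json
{
  "Disable_user_via_Graph": {
    "type": "Http",
    "runAfter": {},
    "inputs": {
      "method": "PATCH",
      "uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(variables('UserPrincipalName'))}",
      "headers": {
        "Content-Type": "application/json"
      },
      "body": {
        "accountEnabled": false
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        "audience": "https://graph.microsoft.com"
      }
    }
  }
}
```

The authentication block is what replaces the Azure AD API connection: the Logic Apps runtime requests a token for the Graph audience on behalf of the playbook's managed identity, so no user account authorizes the call and no Global Admin consent on a connection is involved. Graph answers a successful PATCH on a user with 204 No Content; an Authorization_RequestDenied response at this point means the app role assignment on the managed identity is missing or has not yet propagated, or the target account holds a directory role that the calling identity is not permitted to modify.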