Microsoft Sentinel - Caller does not have permissions when deploying automation rule through repositories

Liam Jones 126 Reputation points
2023-03-16T09:41:01.9366667+00:00

I am having trouble deploying an automation rule which calls on a playbook, through an Azure DevOps repository to Microsoft Sentinel. When attempting to deploy the automation rule, I get the error:

[Warning] Failed to deploy D:\a\1\s\AutomationRules\Deploy\Enrich - Email Reported By User.json with error: 9:26:02 AM - The deployment 'Sentinel_Deployment_GUID' failed with error(s). Showing 1 out of 1 error(s).

Status Message: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/SomeSubscriptionID/resourceGroups/Prod-UKS/providers/Microsoft.Logic/workflows/Enrichment-AbuseIPDB', or Microsoft Sentinel is missing required permissions to verify the caller has permissions (Code:BadRequest)

I have checked the permissions on the Sentinel workspace and Sentinel has permissions to the resource group. To double-check this, I have tried two different resource groups (both have permissions); both have failed.

Can anyone tell me what the caller is when deploying through the repositories? Is it some kind of special service principal I need to give access to?

One other thing: I am getting this error for my own tenant, so the playbook referenced above is in the same tenant as the Sentinel instance.

I also have a number of customer tenants managed via Lighthouse. How will this affect those tenants if I want to deploy automation rules to their Sentinel instances which call on a playbook in my tenant?

Thank you in advance!


2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2023-03-17T20:43:27.1266667+00:00

    Hi @Liam Jones ,

    Thanks for your post! I understand that you are trying to deploy an automation rule which calls on a playbook, but are receiving the following error:

    Caller is missing required playbook triggering permissions on playbook resource, or Microsoft Sentinel is missing required permissions to verify the caller has permissions

    The caller can be either the user or service principal who performed the operation, so in this case the message should be referring to your specific user permissions. The message also indicates though that the permissions may be missing on the Sentinel side as well.

    To resolve this issue, you need to confirm that you have the following permissions configured:

    1. Logic App Contributor role on any resource group containing playbooks you want to run. Your user account needs to have both the Logic App Contributor and Owner roles assigned.
    2. The Directory Readers role in Azure AD assigned to your account. Alternatively, you can create a custom role with microsoft.directory/servicePrincipals added as an action.
    3. Since Sentinel uses the Azure Security Insights Enterprise Application to grant permissions, make sure that it has the Azure Sentinel Automation Contributor role assigned to it if you still see the error after adding the other permissions.
    4. For Lighthouse setups, you need to grant Azure Sentinel Automation Contributor permissions to the Azure Security Insights app in the service provider tenant to the Resource Group where the playbooks are in the customer tenant.

    Additional resources:

    Azure Sentinel Automation (Preview) - Issue with Permission assignment

    Caller is missing required playbook triggering permissions on playbook resource

    Let me know if this helps. If the suggestions do not work we can continue the discussion and follow up offline if needed.

    -

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar issues.


  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-03-20T02:30:50.47+00:00

    Make sure the person deploying or manually running the logic app has the Sentinel Playbook Operator assigned on the app.
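Below is an added pre-deployment check, not code from either answer or from Microsoft, that verifies the role assignments the two answers describe before the pipeline runs: the "Azure Security Insights" enterprise application holding the Sentinel automation role on the playbook resource group, and the caller holding Logic App Contributor on that group and Playbook Operator on the playbook itself. It assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session in the tenant that owns the playbook; the subscription, resource-group and playbook names are placeholders, and the role names are the current portal labels (the thread uses the older "Azure Sentinel Automation Contributor" name for the same role). Nothing is assigned unless -Fix is passed.

```powershell
# Added example: checks (and optionally grants) the roles named in the answers above.
# Assumes Az.Accounts + Az.Resources and a Connect-AzAccount session in the playbook's tenant.
param(
    [string]$SubscriptionId = "<subscription-id>",          # placeholder, not the asker's value
    [string]$ResourceGroup  = "<playbook-resource-group>",  # placeholder
    [string]$PlaybookName   = "<playbook-logic-app-name>",  # placeholder
    [switch]$Fix                                            # read-only unless explicitly asked to assign
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$rgScope       = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$playbookScope = "$rgScope/providers/Microsoft.Logic/workflows/$PlaybookName"

# Current role names; older portals/docs show the first one as "Azure Sentinel Automation Contributor".
$sentinelAutomationRole = "Microsoft Sentinel Automation Contributor"
$playbookOperatorRole   = "Microsoft Sentinel Playbook Operator"
$logicAppContributor    = "Logic App Contributor"

function Test-RoleAtScope {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    # Get-AzRoleAssignment includes inherited assignments, so a subscription-level grant also counts.
    $hits = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $Role `
                                 -ErrorAction SilentlyContinue
    return ($null -ne $hits -and @($hits).Count -gt 0)
}

function Grant-RoleIfMissing {
    param([string]$ObjectId, [string]$Role, [string]$Scope, [string]$Label)
    if (Test-RoleAtScope -ObjectId $ObjectId -Role $Role -Scope $Scope) {
        Write-Host "[ok]      $Label has '$Role' at $Scope"
        return
    }
    if ($Fix) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
        Write-Host "[fixed]   granted '$Role' to $Label at $Scope"
    } else {
        Write-Warning "$Label is missing '$Role' at $Scope (re-run with -Fix to assign it)"
    }
}

# 1. Sentinel's own identity: the 'Azure Security Insights' enterprise application in this tenant.
#    It needs the automation role on the resource group that holds the playbooks.
$sentinelSp = Get-AzADServicePrincipal -DisplayName "Azure Security Insights"
if (-not $sentinelSp) { throw "Azure Security Insights service principal not found in this tenant" }
Grant-RoleIfMissing -ObjectId $sentinelSp.Id -Role $sentinelAutomationRole `
                    -Scope $rgScope -Label "Azure Security Insights"

# 2. The caller: the signed-in user or service principal that will run the deployment.
#    Resolve it to a directory object so its role assignments can be queried.
$ctx    = Get-AzContext
$caller = Get-AzADUser -UserPrincipalName $ctx.Account.Id -ErrorAction SilentlyContinue
if (-not $caller) {
    # A pipeline identity signs in as a service principal; its Account.Id is the application id.
    $caller = Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id -ErrorAction SilentlyContinue
}
if (-not $caller) { throw "Could not resolve signed-in account '$($ctx.Account.Id)' to a directory object" }

Grant-RoleIfMissing -ObjectId $caller.Id -Role $logicAppContributor `
                    -Scope $rgScope -Label $ctx.Account.Id
Grant-RoleIfMissing -ObjectId $caller.Id -Role $playbookOperatorRole `
                    -Scope $playbookScope -Label $ctx.Account.Id
```

Run it once from the same account the pipeline uses (for Azure DevOps, sign in as the service connection's service principal) so that the caller it resolves is the one the deployment will actually present. The script only covers the single-tenant case from the question; for Lighthouse-managed customer tenants the Azure Security Insights app from the service-provider tenant cannot be granted a role with New-AzRoleAssignment from inside the customer subscription, so that assignment belongs in the Lighthouse delegation (the authorizations block of the delegation template) as the second answer's Lighthouse step describes.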