Microsoft sentinel Playbook permission issue

Question

Microsoft sentinel Playbook permission issue

Anusree Pal 0

We are receiving this error whener trying to integrate any logic app with the automation rule. We have added the Sentinel contributor rolein te system assigned MI and also added a few roles in the resource group and log analytics workspace as shown below. we are also not getting the option in the settings of the microsoft sentinel to add playbook permission , please help. User's image

User's image

enter image description here

Mike Urnun 9,792 Reputation points Moderator

2023-12-27T20:25:43.95+00:00

Hello @Pal, Anusree (External) - Thanks for reaching out. Regarding the empty list under Manage Permissions above, are you the owner of the resource group that contains the playbook? The following is stated in the Sentinel doc:

Give Microsoft Sentinel permissions to run playbooks Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service. For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.

Also, could you share more details on the use of system assigned MI? Could you try giving the Azure Sentinel Responder role to the system-assigned MI of the playbook as shown in the following blog post? Managed Identity for Azure Sentinel Logic Apps connector
Anusree Pal 0 Reputation points

2023-12-28T03:34:43.3233333+00:00

I have owner access in the subscription, and responder role is already added.

1 answer

Your answer

Mike Urnun 9,792 Reputation points Moderator

2023-12-27T20:25:43.95+00:00

Hello @Pal, Anusree (External) - Thanks for reaching out. Regarding the empty list under Manage Permissions above, are you the owner of the resource group that contains the playbook? The following is stated in the Sentinel doc:

Give Microsoft Sentinel permissions to run playbooks Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service. For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.

Also, could you share more details on the use of system assigned MI? Could you try giving the Azure Sentinel Responder role to the system-assigned MI of the playbook as shown in the following blog post? Managed Identity for Azure Sentinel Logic Apps connector
Anusree Pal 0 Reputation points

2023-12-28T03:34:43.3233333+00:00

I have owner access in the subscription, and responder role is already added.

Answer 1

Hello,

Based on the information provided it seems that Sentinel itself doesn't have permissions defined to the RG where playbooks are located. Also, the figure above seems to show permissions for 'incident-playbook' so at least for me it's unknown which permissions your own account is having. Could you share more details about the permissions set at the moment?

When you open up Sentinel playbook permissions blade you should see all RGs as from the sub (based on your permissions) as well as defined permissions to Sentinel SP underneath 'Current permissions', see figures 1 & 2 below.

If you have down-level permissions (for example Sentinel Contributor) and don't have owner permissions to all RGs you should still see the RGs but there should be mention 'No permissions. Only owner on the resource group can add permissions' at the end of the each RG.

Browse RGs Sentinel-1

Current permissions

Sentinel-2

When you set permissions from Sentinel, it sets permissions to Entra ID Service Principal (Azure Security Insights) and you can confirm this from the RG where you're defining the permissions.

Sentinel-3

Let me know are you able to see the RGs and set permissions to Sentinel SP to the RG where playbook(s) are located. Lastly, I assume that all the resources are in the same subscription?

Here is just in case links to relevant Sentinel documentation:

https://learn.microsoft.com/en-us/azure/sentinel/roles

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#microsoft-sentinel-playbook-operator

Share via

Microsoft sentinel Playbook permission issue

1 answer

Your answer