Hi mara7,
I replicated the environment and managed to resolve the error message by using a user-assigned managed identity and adding the proper role assignment to work with the Graph API (at the beginning I tried with a system-assigned identity, but it did not work).
So here are the steps to replicate the solution:
- Create a managed identity resource
- Assign the service app role assignment to this managed identity via PowerShell:
```powershell
Install-Module AzureAD
Import-Module AzureAD
Connect-AzureAD

$GraphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of the Microsoft Graph service principal
$DisplayNameOfMSI = "mi-la-qa-03"                         # display name of the user-assigned managed identity
# Both application permissions are needed: SecurityActions.ReadWrite.All and SecurityEvents.ReadWrite.All
$PermissionNames = @("SecurityActions.ReadWrite.All", "SecurityEvents.ReadWrite.All")

$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

foreach ($PermissionName in $PermissionNames) {
    # Select the application permission (app role), not the delegated scope of the same name
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```
- Assign this managed identity to the Logic App
- Modify the connection step for the connector.
- Run and test.
Let me know if you have any questions.
References:
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://github.com/microsoftgraph/security-api-solutions/blob/master/Docs/Authentication-AppOnly/RegisterNewMSGraphSecurityAPIApp.md
- https://learn.microsoft.com/en-us/graph/security-concept-overview
- https://learn.microsoft.com/en-us/connectors/microsoftgraphsecurity/
- https://techcommunity.microsoft.com/t5/azure-integration-services-blog/grant-graph-api-permission-to-managed-identity-object/ba-p/2792127
Luis,
If the information helped address your question, please Accept the answer.
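As an added verification example (not part of the answer above), the following script audits which Microsoft Graph app roles the managed identity actually holds and flags missing or unexpected ones; it assumes the Microsoft.Graph PowerShell SDK is installed, so it uses its cmdlets instead of the AzureAD module used in the answer, and reuses the identity name and the two permission values from the answer.

```powershell
# Added example: verify the app roles granted to the managed identity on Microsoft Graph.
# Assumption: the Microsoft.Graph SDK is installed (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"   # read-only scope is enough to audit assignments

$GraphAppId       = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph appId
$DisplayNameOfMSI = "mi-la-qa-03"                             # managed identity from the answer above
$ExpectedRoles    = @("SecurityActions.ReadWrite.All", "SecurityEvents.ReadWrite.All")

$msi   = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $msi -or -not $graph) { throw "Managed identity or Graph service principal not found" }

# Map app role id -> permission value so assignments can be reported by name
$roleNames = @{}
foreach ($role in $graph.AppRoles) { $roleNames[$role.Id] = $role.Value }

# appRoleAssignments held BY the identity (not the ones granted TO it as a resource)
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $ExpectedRoles | Where-Object { $_ -notin $granted }
$extra   = $granted       | Where-Object { $_ -notin $ExpectedRoles }

"Granted on Microsoft Graph: $($granted -join ', ')"
if ($missing) { Write-Warning "Missing: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Extra (review for least privilege): $($extra -join ', ')" }
if (-not $missing -and -not $extra) { "Assignments match the expected set." }
```

Run it after the assignment step and again after any change to the Logic App connector, so the identity keeps only the two permissions the connector needs.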