Microsoft graph Security connector Error

mara7 161 Reputation points
2024-01-19T06:31:21.6933333+00:00

Hello, I am configuring a Logic App that can create a tiIndicator. So, I used the Microsoft Graph Security connector and I made an App (which has ThreatIndicators.ReadWrite.OwnedBy)

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "date": "2024-01-19T06:20:15",
      "request-id": "7aa066c6-24b5-411a-85f4-de698f743234",
      "client-request-id": "7aa066c6-24b5-411a-85f4-de698f743234"
    }
  }
}

1 answer

  1. Luis Arias 4,721 Reputation points
    2024-01-19T12:03:36.79+00:00

    Hi mara7,

    I replicated the environment and I managed to solve the error message using a User Managed Identity and adding the proper role assignment to work with the Graph API (at the beginning I tried with system assigned but it didn't work).

    So here the actions to replicate the solution:

    • Create a managed identity resource
    • Assign the Service App role assignment to this managed identity by PowerShell:
    Install-Module AzureAD
    Import-Module AzureAD
    Connect-AzureAD
    # Well-known application (client) ID of the Microsoft Graph service principal
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    # Display name of the user-assigned managed identity created in the previous step
    $DisplayNameOfMSI = "mi-la-qa-03"
    # Both application permissions are needed: the loop below assigns each one in turn
    # (the original note was to run the block twice, once per permission)
    $PermissionNames = @("SecurityActions.ReadWrite.All", "SecurityEvents.ReadWrite.All")

    $MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
    foreach ($PermissionName in $PermissionNames) {
        # Look up the Graph app role (application permission, not delegated scope) with this value
        $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
        # Grant that app role to the managed identity's service principal
        New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
    }
    
    • Assign this managed identity to the Logic App

    • Modify the connection step for the connector:


    • Run and test

    Workflow Execution

    Let me know if you have any questions.

    References:

    Luis,


    If the information helped address your question, please Accept the answer.

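The error in the question ("Auth token does not contain valid permissions or user does not have valid roles") means the access token Graph received did not carry the application permissions the call needs. A quick way to confirm what a token actually grants, before blaming the connector, is to inspect its claims: an app-only token (client credentials or managed identity) carries application permissions in the `roles` claim, while a delegated token carries scopes in `scp`. The following Python is an added example, not code from the question, the answer, or Microsoft; the tokens it builds are constructed, unsigned samples, and the role names checked are the ones the thread mentions. It only decodes the payload and does not validate the signature, so it is a diagnostic aid, not an authorization check.

```python
import base64
import json
from typing import Iterable, List, Dict


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified here; this is for inspecting what a token
    claims to grant, not for trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: Dict) -> str:
    """Classify the token: app-only tokens carry 'roles', delegated ones 'scp'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "app-only"
    return "unknown"


def missing_app_roles(token: str, required: Iterable[str]) -> List[str]:
    """List the required application permissions absent from the token's 'roles' claim.

    A delegated token has no 'roles' claim at all, so every required app role
    is reported as missing: that is exactly the situation that yields the
    'does not contain valid permissions' error for an app-only operation.
    """
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return sorted(set(required) - granted)


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Application permissions the answer assigned to the managed identity
REQUIRED_ROLES = ["SecurityActions.ReadWrite.All", "SecurityEvents.ReadWrite.All"]

# Constructed sample 1: app token that only has the permission from the question
TOKEN_FROM_QUESTION = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "idtyp": "app",
    "roles": ["ThreatIndicators.ReadWrite.OwnedBy"],
})

# Constructed sample 2: app token after the answer's role assignments
TOKEN_AFTER_FIX = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "idtyp": "app",
    "roles": REQUIRED_ROLES,
})

# Constructed sample 3: delegated token (scopes, no 'roles' claim at all)
TOKEN_DELEGATED = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read",
})


if __name__ == "__main__":
    for name, tok in [("question", TOKEN_FROM_QUESTION),
                      ("after fix", TOKEN_AFTER_FIX),
                      ("delegated", TOKEN_DELEGATED)]:
        claims = decode_claims(tok)
        print(f"{name}: kind={token_kind(claims)} "
              f"missing={missing_app_roles(tok, REQUIRED_ROLES)}")
```

Run it against a real token only after stripping it from a captured request on a machine you control, and treat the token as a credential while doing so; the point of the check is to distinguish "the identity was never granted the app role" (the `roles` claim lacks it) from "the wrong identity or token type is being used" (a delegated `scp` token where an app-only one was expected).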