Create AAD Data Connector with Management API

Noah Libeskind 0 Reputation points
2024-02-27T20:14:00.35+00:00

I'm trying to create the Azure Active Directory (now called Microsoft Entra ID) data connector on Sentinel using the Azure Resource Management API in the GccHigh (US Gov cloud environment). I'm getting an "Invalid License" error which doesn't make sense because I've already enabled it through the UI on portal.azure.us on Sentinel. I am working with this documentation: https://learn.microsoft.com/en-us/rest/api/securityinsights/data-connectors/create-or-update?view=rest-securityinsights-2023-11-01&tabs=HTTP#aaddataconnector
Request: PUT https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.OperationalInsights/workspaces/{laName}/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab4?api-version=2023-11-01

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "tenantId": "myTenantId",
    "dataTypes": {
      "indicators": {
        "state": "Enabled"
      },
      "alerts": {
        "state": "Enabled"
      }
    }
  }
}

Response: 401 Unauthorized

{
  "error": {
    "code": "InvalidLicense",
    "message": "License is invalid"
  }
}


1 answer

  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2024-02-28T07:32:52.6833333+00:00

    @Noah Libeskind

    Thank you for posting your query on Microsoft Q&A. From the above description, I could see that you are getting the following response when trying to create an AAD data connector via the REST API for your Sentinel workspace.

    Response: 401 Unauthorized

    {
      "error": {
        "code": "InvalidLicense",
        "message": "License is invalid"
      }
    }

    Please do correct me if this is not the case by responding in the comments section.

    Seems like a permission or a license issue to me. Kindly validate whether the following prerequisites are met:

    • A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
    • Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.
    • Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.
    • Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
    • Install the solution for Microsoft Entra ID from the Content Hub in Microsoft Sentinel. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
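
The request from the question and the error envelope it returned, as an added Python example (not code from this thread or from Microsoft): it builds the PUT without sending it and parses the ARM error body, so automation can log the error code rather than only the HTTP status. The function names, placeholder IDs and triage strings are assumptions; the data type names are copied from the question's request as posted.

```python
import json
import uuid
from urllib.parse import quote
from urllib.request import Request

ARM_GOV = "https://management.usgovcloudapi.net"  # ARM endpoint from the question
API_VERSION = "2023-11-01"                        # api-version from the question


def build_aad_connector_request(sub, rg, workspace, connector_id, tenant_id,
                                data_types, token):
    """Return an unsent PUT request for an AzureActiveDirectory data connector."""
    cid = str(uuid.UUID(connector_id))  # reject anything that is not a GUID
    url = (f"{ARM_GOV}/subscriptions/{quote(sub, safe='')}"
           f"/resourceGroups/{quote(rg, safe='')}"
           "/providers/Microsoft.OperationalInsights"
           f"/workspaces/{quote(workspace, safe='')}"
           "/providers/Microsoft.SecurityInsights"
           f"/dataConnectors/{cid}?api-version={API_VERSION}")
    body = {"kind": "AzureActiveDirectory",
            "properties": {"tenantId": tenant_id,
                           "dataTypes": {n: {"state": "Enabled"} for n in data_types}}}
    return Request(url, data=json.dumps(body).encode(), method="PUT",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})


def parse_arm_error(status, raw_body):
    """Return (status, code, message); tolerate bodies that are not ARM JSON."""
    try:
        err = json.loads(raw_body)["error"]
        return status, err["code"], err["message"]
    except (ValueError, KeyError, TypeError):
        return status, "Unknown", raw_body.strip()


def triage(status, code):
    """Point a failure at the prerequisite list in the answer (hypothetical mapping)."""
    if code == "InvalidLicense":
        return "check Entra ID license tier, then Sentinel Contributor and tenant admin roles"
    if status in (401, 403):
        return "check the bearer token and role assignments"
    return "unclassified"


# Constructed sample: the response body quoted in the question.
SAMPLE_RESPONSE = '{"error": {"code": "InvalidLicense", "message": "License is invalid"}}'
```
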