Block-AADUser Sentinel playbook error

db67 6 Reputation points
2022-07-31T09:22:14.613+00:00

Hi,

I am attempting to utilise the block-aaduser playbook as offered by Microsoft to disable a user if an incident is triggered.

When I attempt to run the playbook, it fails at the update-disable user step with the following error output:

    {
      "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
          "date": "2022-07-31T09:01:45",
          "request-id": "fabb816d-c58e-43e4-9c1d-17c20985bb18",
          "client-request-id": "fabb816d-c58e-43e4-9c1d-17c20985bb18"
        }
      }
    }

I am using a managed identity, and I have provided the managed identity with the Sentinel Responder role as per the prerequisites for this playbook.

Can anyone assist?

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

Azure Logic Apps

3 answers

  1. Kamlesh Kumar 3,861 Reputation points
    2022-07-31T15:15:06.487+00:00

    Hi @db67 ,

    Welcome to Microsoft Q&A Platform. Thank you for the question.

    You have to add 2 more API permissions to resolve this issue. Check the related thread here.

    $GraphAppId = "00000003-0000-0000-c000-000000000000"  
    $PermissionName1 = "User.Read.All"  
    $PermissionName2 = "User.ReadWrite.All"  
    $PermissionName3 = "Directory.Read.All"  
    $PermissionName4 = "Directory.ReadWrite.All"  
    

    Regards,
    Kamlesh Kumar

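
The permissions named in the answer above are Microsoft Graph application permissions (app roles); the Sentinel Responder role is an Azure RBAC role and does not grant them, so they have to be assigned to the managed identity's service principal directly. The following is an added example, not code from the thread or from the playbook repository, showing one way to do that with the Microsoft Graph PowerShell SDK and then list what the identity ends up holding. The object ID is a placeholder, and the script assumes the SDK is installed and the signed-in admin can consent to `AppRoleAssignment.ReadWrite.All`.

```powershell
# Added example: assign Microsoft Graph app roles to a managed identity.
# Needs the Microsoft.Graph.Applications module (Microsoft Graph PowerShell SDK).

# Placeholder: object ID of the Logic App's managed identity (its enterprise application).
$ManagedIdentityObjectId = '<managed-identity-object-id>'
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
# Permission names as listed in the answer above.
$Permissions = 'User.Read.All', 'User.ReadWrite.All',
               'Directory.Read.All', 'Directory.ReadWrite.All'

Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

$mi    = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Graph app roles the identity already holds, so re-runs do not fail on duplicates.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object ResourceId -eq $graph.Id

foreach ($name in $Permissions) {
    # Match only the application (not delegated) form of the permission.
    $role = $graph.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) {
        Write-Warning "No application app role named $name"
        continue
    }
    if ($existing.AppRoleId -contains $role.Id) {
        Write-Host "Already assigned: $name"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $name"
}

# Audit: print every Graph app role now held by the managed identity.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object { ($graph.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

`Directory.ReadWrite.All` is tenant-wide directory write access, so review the final listing against what the playbook is meant to do before leaving the assignment in place.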

  2. Mohammed Altamash Khan 2,086 Reputation points
    2022-07-31T21:21:46.293+00:00

    Hi

    Open App registration in your portal.
    Search for the client ID "fabb816d-c58e-43e4-9c1d-17c20985bb18" with the "all" filter.
    Click on the result, go to API permissions in the left pane, and allow the permission.
    This should solve your issue.

    Regards


  3. Daniel B 0 Reputation points
    2023-03-30T21:03:04.4133333+00:00

    Hi All

    I have the same error when trying to run the logic app.

    I don't have an app registration so the above fix is no good for me.

    I am using the disable user playbook when a Sentinel alert is triggered.
