myprofile490
May 13, 2022, Copper Contributor
Error when running playbook Block-AADUser-Alert
Hello,
I have a personal account and I am trying Microsoft Sentinel. My scenario is that when a user account (not admin) changes his authentication method, an alert is triggered and then I run the built-in playbook Block-AADUser-Alert to disable this account. I get the following error when running this playbook:
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"date": "2022-05-13T03:06:46",
"request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
"client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
}
}
}
I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized the API connection, etc., but it cannot solve the issue.
Could anyone advise how to solve this? Is it because of the personal account?
Best Regards,
An
- It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use managed identity or user? If it is a user, doesn't it have sufficient permissions to disable another user's account?
Could you try the second playbook for disabling AAD users? The one that is based on Incident.
And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/security-api-overview.md
There is a table with supported methods and systems.
Does that mean that the PATCH method is not supported by Sentinel alerts?
- GaryBushey (Bronze Contributor): Does this only happen with one account? It sounds like there may be some fields for it missing. If other accounts work, I would try to compare the two and see if anything is missing.
- myprofile490 (Copper Contributor): I only created 3 accounts for testing, 1 admin and 2 normal users, so the error happens for both non-admin accounts.
- mikhailf (Steel Contributor): I wonder why it is called "Resource" does not exist. Shouldn't it be "User" or "Account"?
Do you use this playbook from GitHub? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser