Forum Discussion
myprofile490
May 13, 2022 Copper Contributor
Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is when a user account (not admin) changes his authentication method, an alert is triggered and then I run built-in playbo...
- May 14, 2022
It seems that there are insufficient permissions. How do you connect the "Update user" part to AAD? Do you use managed identity or user? If it is a user, doesn't it have sufficient permissions to disable another user's account?
Could you try the second playbook for disabling AAD users? The one that is based on Incident.
And please, check this: https://github.com/microsoftgraph/microsoft-graph-docs/blob/main/api-reference/v1.0/resources/security-api-overview.md
There is a table with supported methods and systems.
Does that mean that the PATCH method is not supported by Sentinel alerts?
GaryBushey
May 13, 2022 Bronze Contributor
Does this only happen with one account? It sounds like there may be some fields for it missing. If other accounts work, I would try to compare the two and see if anything is missing.
myprofile490
May 13, 2022 Copper Contributor
I only created 3 accounts for testing, 1 admin and 2 normal users, so the error happens for both non-admin accounts.
- mikhailf
May 13, 2022 Steel Contributor
I wonder why it is called "Resource" does not exist. Shouldn't it be "User" or "Account"?
Do you use this playbook from GitHub? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
- myprofile490
May 14, 2022 Copper Contributor
- mikhailf
May 14, 2022 Steel Contributor
On the main Overview page, you have "Run History" with "Succeed" or "Failed" results.
Click on "Failed" and you will be able to debug the playbook. Find the part where you have a red X and open it. Share the results here.
And ensure that you do not have an "Invalid connection" message for any of the blocks.