I am stumbling on the following problem:

  • I have a script that creates the automation response rules for a specific tenant.

Now this works like a charm when the Logic App is in the same tenant and subscription.

But I am stumbling on the error that a different tenant with a different subscription does not accept it because it is missing Microsoft.SecurityInsights/alertRules/read permissions.

I know this is manually possible by navigating to the automation tab and creating the automated response there and selecting the playbook, but it doesn't work with the PowerShell script I have written.

My questions:

  • Is it possible at all to add an automation rule with a logic app located at a different tenant?

If yes, how to do so?

The current PowerShell script:

# Sentinel workspace in the tenant/subscription where the alert rules live
$SentinelConnection = @{
    ResourceGroupName = "resourcegroupwithsentinel"
    WorkspaceName     = "azuresentinel"
}

# Logic App (playbook) that lives in a different tenant and subscription
$LogicAppConnection = @{
    ResourceGroupName = "resourcegroupwithlogicappindifferenttenant"
    Name              = "logicappname"
}

# Resolve the playbook's resource id and the callback URL of its Sentinel alert trigger
$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection
$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName "Microsoft_Sentinel_alert"

# This call runs against the current Az context and is where the alertRules/read error surfaces
$AlertRules = Get-AzSentinelAlertRule @SentinelConnection

# Attach the playbook as an action to every alert rule in the workspace
foreach ($rule in $AlertRules) {
    New-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
}

To summarize:

  • I want a script that allows a 'Playbook' (a self-created logic app) to be used as an automated response for a different Azure Sentinel environment in a different tenant with an automated PowerShell script.

Example of the error:

Get-AzSentinelAlertRule : The client 'emailaddress' with object id 'objectid' does not have authorization to perform action 
'Microsoft.SecurityInsights/alertRules/read' over scope 
'/subscriptions/subscriptionid/resourceGroups/resourcegroup/providers/Microsoft.OperationalInsights/workspaces/workspace/providers/Microsoft.SecurityInsights' or 
the scope is invalid. If access was recently granted, please refresh your credentials.
  • Do you have credentials for the other subscription? `Connect-AzContext` + `Get-AzSentinelAlertRule @SentinelConnection -DefaultProfile (Get-AzContext )` should do. – Mathias R. Jessen Sep 26 '22 at 08:46
  • You mean 'Set-AzContext' I think and yes. The same credentials have access to this subscription already. I have configured the delegation with Azure Lighthouse. The commands you have are a bit confusing? Do I need to pipeline them or do I need to run them separately and save them in a variable? – Leonardo van de Weteringh Sep 26 '22 at 08:50

1 Answer

Thanks to @Mathias R. Jessen for his help, I found out how to fix the issue and not get the error anymore. Turns out you have to authenticate twice: once for the tenant the Automation Rule needs to be applied to, and once for the tenant that contains the Logic App. What I have done:

  • Created Parameters for mandatory user input
  • Created some Optional Parameters for user input
  • Saved the Connect-AzAccount Profiles to variables (2)
  • Executed the correct profile based on the script. The LogicAppRules commands needed to have the DefaultProfile of the environment where the sentinel environment was connected to.

The full solution code is as follows:

# Parameters the script reads (declared here so the block runs as one unit;
# the post mentions mandatory and optional parameters but only shows their use)
param(
    [Parameter(Mandatory)] [string] $DestinationID,                # subscription that holds the Sentinel workspace
    [Parameter(Mandatory)] [string] $DestinationResourceGroupName,
    [Parameter(Mandatory)] [string] $DestinationWorkspaceName,
    [Parameter(Mandatory)] [string] $SourceID,                     # subscription that holds the Logic App
    [Parameter(Mandatory)] [string] $LogicAppResourceName,         # resource group of the Logic App
    [Parameter(Mandatory)] [string] $LogicAppName
)

# Sign in once per tenant and keep both profile objects; -DefaultProfile later
# decides which tenant each cmdlet talks to, independent of the current context.
Write-Host "Please Connect to Tenant with Account that manages Sentinel Environment: $($DestinationResourceGroupName)\$($DestinationWorkspaceName) first!"
$DestinationProfile = Connect-AzAccount -Subscription $DestinationID -ErrorAction Stop
Write-Host "Please Connect to Tenant with Account that manages LogicApp: $($LogicAppResourceName)\$($LogicAppName)!"
$SourceProfile = Connect-AzAccount -Subscription $SourceID -ErrorAction Stop

$SentinelConnection = @{
    ResourceGroupName = $DestinationResourceGroupName
    WorkspaceName     = $DestinationWorkspaceName
}

$LogicAppConnection = @{
    ResourceGroupName = $LogicAppResourceName
    Name              = $LogicAppName
}

function CreateAutomationRule {
    # Logic App lookups use the source (Logic App) tenant profile
    $LogicAppResourceId = Get-AzLogicApp @LogicAppConnection -DefaultProfile $SourceProfile
    $TriggerName        = (Get-AzLogicAppTrigger @LogicAppConnection -DefaultProfile $SourceProfile).Name
    $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName $TriggerName -DefaultProfile $SourceProfile

    # Sentinel reads and writes use the destination (Sentinel) tenant profile;
    # this is what removes the Microsoft.SecurityInsights/alertRules/read error
    $AlertRules = Get-AzSentinelAlertRule @SentinelConnection -DefaultProfile $DestinationProfile
    foreach ($rule in $AlertRules) {
        New-AzSentinelAlertRuleAction @SentinelConnection -DefaultProfile $DestinationProfile -AlertRuleId $rule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
    }
}

CreateAutomationRule
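As an added example, not code from the question or the answer above: the same two-profile procedure with the checks a practitioner would want before it writes anything. It signs in to each tenant by explicit tenant id (so the two prompts cannot be mixed up), confirms that the Sentinel-side account holds a role on the workspace scope that carries the `Microsoft.SecurityInsights/alertRules/read` permission named in the error, refuses to guess when the playbook has more than one trigger, and honours `-WhatIf`. Parameter names, the built-in role list, and the single-trigger assumption are mine.

```powershell
# Added example (not the poster's script). Assumes Az.Accounts, Az.Resources,
# Az.OperationalInsights, Az.LogicApp and Az.SecurityInsights are installed and
# that the Sentinel-side account is a user (role lookup is by sign-in name).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SentinelTenantId,
    [Parameter(Mandatory)] [string] $SentinelSubscriptionId,
    [Parameter(Mandatory)] [string] $SentinelResourceGroup,
    [Parameter(Mandatory)] [string] $SentinelWorkspace,
    [Parameter(Mandatory)] [string] $PlaybookTenantId,
    [Parameter(Mandatory)] [string] $PlaybookSubscriptionId,
    [Parameter(Mandatory)] [string] $PlaybookResourceGroup,
    [Parameter(Mandatory)] [string] $PlaybookName
)

# One sign-in per tenant, pinned to a tenant id. Each call returns a profile that
# is passed explicitly via -DefaultProfile, so nothing depends on the "current" context.
$SentinelProfile = Connect-AzAccount -Tenant $SentinelTenantId -Subscription $SentinelSubscriptionId -ErrorAction Stop
$PlaybookProfile = Connect-AzAccount -Tenant $PlaybookTenantId -Subscription $PlaybookSubscriptionId -ErrorAction Stop

# Guard against picking the wrong directory at one of the two prompts.
if ($SentinelProfile.Context.Tenant.Id -ne $SentinelTenantId) { throw "Sentinel sign-in landed in tenant $($SentinelProfile.Context.Tenant.Id), expected $SentinelTenantId" }
if ($PlaybookProfile.Context.Tenant.Id -ne $PlaybookTenantId) { throw "Playbook sign-in landed in tenant $($PlaybookProfile.Context.Tenant.Id), expected $PlaybookTenantId" }

# Resolve the workspace so the role check runs on the exact scope the error message
# reports (the workspace resource), including assignments inherited from above it.
$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $SentinelResourceGroup -Name $SentinelWorkspace -DefaultProfile $SentinelProfile -ErrorAction Stop

# Built-in roles whose definitions include Microsoft.SecurityInsights/alertRules/read
# and the alertRules write permission New-AzSentinelAlertRuleAction needs (assumed list;
# custom roles are not recognised by this check and would need to be added here).
$SufficientRoles = @('Microsoft Sentinel Contributor', 'Contributor', 'Owner')
$SignInName  = $SentinelProfile.Context.Account.Id
$Assignments = Get-AzRoleAssignment -Scope $Workspace.ResourceId -SignInName $SignInName -DefaultProfile $SentinelProfile
$Granted     = @($Assignments | Where-Object { $_.RoleDefinitionName -in $SufficientRoles })
if ($Granted.Count -eq 0) {
    # Group-based assignments are only visible with -ExpandPrincipalGroups, which needs directory read rights.
    throw "$SignInName has no role on $($Workspace.ResourceId) that grants alertRules read/write; found: $(($Assignments.RoleDefinitionName | Sort-Object -Unique) -join ', ')"
}

# Playbook side, resolved entirely with the playbook tenant's profile.
$Playbook = Get-AzLogicApp -ResourceGroupName $PlaybookResourceGroup -Name $PlaybookName -DefaultProfile $PlaybookProfile -ErrorAction Stop
$Triggers = @(Get-AzLogicAppTrigger -ResourceGroupName $PlaybookResourceGroup -Name $PlaybookName -DefaultProfile $PlaybookProfile)
if ($Triggers.Count -ne 1) {
    throw "Expected exactly one trigger on $PlaybookName, found $($Triggers.Count): $(($Triggers.Name) -join ', ')"
}
# The callback URL carries a SAS signature that authorises invoking the playbook: keep it
# out of logs and transcripts.
$CallbackUrl = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $PlaybookResourceGroup -Name $PlaybookName -TriggerName $Triggers[0].Name -DefaultProfile $PlaybookProfile

# Sentinel side, with the Sentinel tenant's profile. Each write goes through
# ShouldProcess so `-WhatIf` lists the rules that would be touched without changing them.
$Rules = @(Get-AzSentinelAlertRule -ResourceGroupName $SentinelResourceGroup -WorkspaceName $SentinelWorkspace -DefaultProfile $SentinelProfile -ErrorAction Stop)
foreach ($Rule in $Rules) {
    if ($PSCmdlet.ShouldProcess("alert rule $($Rule.Name) in $SentinelWorkspace", "Attach playbook $PlaybookName")) {
        New-AzSentinelAlertRuleAction -ResourceGroupName $SentinelResourceGroup -WorkspaceName $SentinelWorkspace -DefaultProfile $SentinelProfile `
            -AlertRuleId $Rule.Name -LogicAppResourceId $Playbook.Id -TriggerUri $CallbackUrl.Value | Out-Null
    }
}
Write-Host "Processed $($Rules.Count) alert rule(s)."
```

Run it once with `-WhatIf` to see which rules would receive the action before committing. The role check is deliberately on the workspace scope rather than the subscription, because that is the scope the error message quotes; an assignment at subscription or resource-group level is inherited and still shows up in the result.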