Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Exchange Security Insights Online Collector Issue with Azure Automation #9724

Closed NickNicolaou2129 closed 7 months ago

NickNicolaou2129 commented 9 months ago

Describe the bug

I provided the necessary information to the Azure Resource Manager (ARM) Template and the deployment completed successfully. However, when I check the Azure Automation job I see the following issue: image

When I check the modules, I see that two of the required modules are out of date with the following error: image

image

To Reproduce

Steps to reproduce the behavior:

  1. Go to the data connector
  2. Click on "Deploy" option with ARM template
  3. Scroll down to enter the required information
  4. Go to Azure Automation, then click jobs to see the job error status as failed.

Expected behavior

The data connector should be online and ingesting logs from Exchange Online.

github-actions[bot] commented 9 months ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

v-sudkharat commented 9 months ago

Hi @NickNicolaou2129, thanks for flagging this issue. We will investigate it and get back to you with some updates by 11-01-2024. Additionally, could you please provide more details, such as which solution or content you are facing the issue with?

NickNicolaou2129 commented 9 months ago

Hi @v-sudkharat, I am using the following data connector: image

v-sudkharat commented 9 months ago

@NickNicolaou2129, thanks!

v-sudkharat commented 9 months ago

Hey @NickNicolaou2129, we have reproduced this module's issue on our end and it gets successfully imported - image

Could you please check the few steps below post deployment -

  1. Redeploy the ARM template and fill in the correct field for - Automation Accounts_ESI_Data Collector_tenant Name

image

  2. Check the deployment status - image

  3. If the module is still not installed correctly, please try to update it with the version below -

image

image

Once it gets updated, please check the job and let us know if the issue still persists. Thanks!

NickNicolaou2129 commented 9 months ago

Hi @v-sudkharat, I updated the module version but just like in your screenshot the module version column remains the same (1.19) image

For the tenant name, that is the red covered one, correct? image

NickNicolaou2129 commented 9 months ago

Hi @v-sudkharat, I re-deployed with the tenant name from the primary domain (tenantname.onmicrosoft.com). However the job still fails when trying to connect to Exchange Online: image

v-sudkharat commented 9 months ago

Hey @NickNicolaou2129, just checking with you: could you please check that you have the below-mentioned prerequisite role permissions on your tenant - image

Please refer to the screenshot and MS document link below for reference -

image

MS DOC- https://learn.microsoft.com/en-us/azure/automation/automation-role-based-access-control

Also check whether you are getting the same issue in the Exception tab after deployment of the job - image

If you are still having the same issue, we will schedule a call to check on this.

Thanks!

v-sudkharat commented 9 months ago

Hi @NickNicolaou2129, I hope you are doing well. We are waiting for your response on the above comment. It would be great if you could check on that and let us know if it helps to resolve your issue. Thanks!

NickNicolaou2129 commented 9 months ago

Hi @v-sudkharat, I am waiting for the permissions

v-sudkharat commented 9 months ago

Hi @NickNicolaou2129, noted. Please let us know once it is done. Thanks!

NickNicolaou2129 commented 9 months ago

Hi @v-sudkharat, I now have the correct permissions: image

I have performed the deployment using my company tenant name and ran the job within the Azure Automation Runbook, however I still see the following results: image

I also attempted a new deployment with "mytenant.onmicrosoft.com" as the tenant name and this still has the same result.

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, thanks for your response. We are working on replicating this issue on our end. We will get back to you by 17-01-2024. Thanks!

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, we have connected with the respective concerned team on this issue, and based on that we are sharing the points below. Please validate them from your end -

  1. Regarding module installation - Could you please check that the ExchangeOnlineManagement, Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Groups modules got installed correctly? If there is an issue with the modules, please remove/delete them and try to add them again by using the manual steps below -

Note: Please follow the steps below correctly.

image

  2. After all modules get installed, you need to follow step 3, which is mandatory before executing the runbook - image

Once you are done with all the above steps and are still having the issue, please check the "Errors" and "Exception" tabs for any entry or share the screenshot with us - image

Thanks!

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, we are waiting for your response. Could you please let us know if your issue got resolved?

Thanks!

NickNicolaou2129 commented 8 months ago

Hi @v-sudkharat, The modules looked fine, I then requested the permissions to be added to the managed identity for step 3. I will let you know once this is done :) Many thanks, Nicholas

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, thanks for sharing the update with us. Please let us know once it is done. Thanks!

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, just checking, have you got a chance to check on this? Thanks!

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 25-01-2024, we will be closing this issue.
Thanks!

NickNicolaou2129 commented 8 months ago

Hi, I am still waiting to run the script to get the permissions. Please bear with me :)

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, thank you for your update. We understand that obtaining permissions can take some time. Please take the time you need, or it would be great if you could provide us with an ETA, so we can update based on that. Let us know once you have run the script.

Thanks!

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, hope this message finds you well. Any update for us regarding this issue? Please let us know if your issue got resolved, so we can close it. Thanks!

NickNicolaou2129 commented 8 months ago

Hi! I am still getting the correct permissions in my organisation. Nearly there :)

v-sudkharat commented 8 months ago

@NickNicolaou2129, OK. Please let us know once it is done. Thanks!

NickNicolaou2129 commented 8 months ago

Hi @v-sudkharat, I see that we are now receiving the logs. However, the parsers are not working correctly: image

Exchange Env List: image

Exchange Configuration: image

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, thank you for your response. We will check on the parser and get back to you by 12-02-2024. Meanwhile, could you please let us know whether you are compliant with the roles below? If it is not those roles, then please mention the current role/permission granted to the application.

Role - Global Readers, Group Member

Note - The Global Readers role is required to read the Exchange Security Data.

image

Sharing the MS doc for reference, which supports the Exchange.ManageAsApp permission - https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#assign-microsoft-entra-roles-to-the-application image

Thanks!
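
A read-only way to answer the question in the comment above, as an added example that is not part of the thread or of the connector's own scripts: it reports whether a managed identity holds the Exchange.ManageAsApp application permission and which directory roles are assigned to it. It assumes the Microsoft Graph PowerShell SDK is installed and that the collector runs as the Automation account's managed identity; `<automation-account-name>` is a placeholder for that identity's display name.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance

# Assumption: placeholder for the display name of the managed identity's service principal.
$IdentityName = '<automation-account-name>'

# Well-known appId of the "Office 365 Exchange Online" resource, identical in every tenant.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# Read-only scopes: nothing in this script changes the tenant.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' | Out-Null

# Resolve the identity and refuse to guess if the name is missing or ambiguous.
$candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$IdentityName'" |
    Where-Object ServicePrincipalType -eq 'ManagedIdentity')
if ($candidates.Count -ne 1) {
    throw "Expected one managed identity named '$IdentityName', found $($candidates.Count)."
}
$identity = $candidates[0]

# Look up the id of the Exchange.ManageAsApp app role on the Exchange Online resource.
$exo = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"
$manageAsApp = $exo.AppRoles | Where-Object Value -eq 'Exchange.ManageAsApp'

# Application permissions (app role assignments) granted to the identity.
$appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identity.Id -All)
$hasManageAsApp = [bool]($appRoles | Where-Object {
        $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $manageAsApp.Id })

# Directory roles assigned to the identity, listed by name so they can be
# compared against the roles the collector is documented to need.
$directoryRoles = @(Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($identity.Id)'" -ExpandProperty roleDefinition -All |
    ForEach-Object { $_.RoleDefinition.DisplayName })

[pscustomobject]@{
    ManagedIdentity     = $identity.DisplayName
    ExchangeManageAsApp = $hasManageAsApp
    AppPermissionCount  = $appRoles.Count
    PermissionResources = ($appRoles.ResourceDisplayName | Sort-Object -Unique) -join ', '
    DirectoryRoles      = $directoryRoles -join ', '
}
```

An `AppPermissionCount` or `DirectoryRoles` list larger than what the collector needs is worth reviewing, since the identity's permissions apply to every runbook in the Automation account that runs as it.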

NickNicolaou2129 commented 8 months ago

Yes, we have the permissions: image

v-sudkharat commented 8 months ago

Hi @NickNicolaou2129, could you please share your mail address with us, so that if required, we can connect with you via a call and check on the issue? Thanks!

NickNicolaou2129 commented 8 months ago

Hi, can you please share your email address with me first? I do not want to put this here publicly.

v-sudkharat commented 8 months ago

@NickNicolaou2129, sure, please send it to the mail IDs below - v-muuppugund@microsoft.com / v-sudkharat@microsoft.com