Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Sentinel API Data Connector - Create Permissions. #11979

Open dlaarschot opened 3 years ago

dlaarschot commented 3 years ago

Morning,

I am currently trying to create a new data connector to O365 with the Sentinel API, using the address https://management.azure.com/subscriptions/**SUB_ID**/resourceGroups/**MYRG**/providers/Microsoft.OperationalInsights/workspaces/**WSNAME**/providers/Microsoft.SecurityInsights/dataConnectors/**GUID**?api-version=2020-01-01.

If I send a PUT request with my auth token then the connector is created and works fine. If we send the request from a service principal login with full access to the Azure Management API and Office 365, I get an unauthorized response. I have used the documentation from https://docs.microsoft.com/en-us/rest/api/securityinsights/dataconnectors/createorupdate, which does not indicate what permissions are required for a service principal account to access the API. Are there undocumented permissions required for access to this API, or is this a bug?
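
The call described in this issue, reconstructed as an added example (not code from the reporter or from this repository) so the two failure modes can be told apart: a 401 means the bearer token itself was rejected (wrong audience or tenant), a 403 means the token was accepted but the caller lacks a role on the target. The Office365 body shape follows the published data connector schema as I understand it; `put_connector` is a hypothetical helper that needs network access and a real token, the other functions run offline.

```python
import json
import urllib.error
import urllib.request

API_VERSION = "2020-01-01"  # the api-version used in the issue


def connector_url(sub_id, rg, workspace, connector_id):
    """Fill the SUB_ID / MYRG / WSNAME / GUID placeholders from the issue's URL."""
    return (f"https://management.azure.com/subscriptions/{sub_id}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/dataConnectors/{connector_id}"
            f"?api-version={API_VERSION}")


def office365_body(tenant_id, exchange=True, sharepoint=True, teams=False):
    """PUT body for an Office 365 connector (kind + properties.dataTypes states)."""
    def state(enabled):
        return "Enabled" if enabled else "Disabled"
    return {"kind": "Office365",
            "properties": {"tenantId": tenant_id,
                           "dataTypes": {"exchange": {"state": state(exchange)},
                                         "sharePoint": {"state": state(sharepoint)},
                                         "teams": {"state": state(teams)}}}}


def classify_failure(status, body_text):
    """Map the HTTP status of a failed PUT to the layer that rejected it."""
    try:
        err = json.loads(body_text).get("error", {})
    except ValueError:          # ARM normally returns JSON, but be tolerant
        err = {}
    code = err.get("code", "")
    if status == 401:
        return f"token rejected: check audience https://management.azure.com/ and tenant; code={code}"
    if status == 403:
        return f"token accepted but caller lacks a required role on the workspace/tenant; code={code}"
    return f"unexpected status {status}; code={code}"


def put_connector(url, bearer_token, body):
    """Send the PUT; returns (status, response_text). Hypothetical helper, needs network."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

Run `classify_failure(*put_connector(connector_url(...), token, office365_body(tenant)))` against the real endpoint to see which layer is refusing the service principal.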

hesaad commented 3 years ago

Adding @tianderturpijn @javiersoriano if there is an update on SPN work

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzmonLogA.

Issue Details
Author: dlaarschot
Assignees: leni-msft, akning-ms
Labels: `Monitor - LogAnalytics`, `Service Attention`, `needs-triage`, `question`
Milestone: -
ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @chlahav.

Issue Details
Author: dlaarschot
Assignees: -
Labels: `Security`, `Service Attention`, `question`
Milestone: -
aredwood commented 3 years ago

fwiw, I'm experiencing this issue and haven't been able to find a fix for it.

Kaloszer commented 1 year ago

Is there any update on this bug? It's been almost 3 years. Any sort of feedback on whether this is a bug and when it would be taken into account for a fix would be welcome.

I believe this is still an issue, as it is not possible to add this with a User Assigned Managed Identity either, using a Bicep/ARM template. It does not define what permissions are missing, nor could I find anything in the docs.


@EDIT

I think the issue here was that the account deploying those resources did not have the AAD role of Security Administrator. I have since moved to GH Federated Credentials, as before I was deploying that over a managed identity over Lighthouse, so that eliminated the 'SPN not being in the customer's tenant' issue for me.

austinmccollum commented 8 months ago

assign:austinmccollum