briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) enables easy to create incident triage automation in Microsoft Sentinel
MIT License
212 stars 58 forks

Update GrantPermissions.ps1 #340

Closed piaudonn closed 1 year ago

piaudonn commented 1 year ago

- Remove dependency on the soon-to-be-deprecated AzureAD module
- Add some error management
- ℹ️ Use emojis in the output

Fixes #160

piaudonn commented 1 year ago

@briandelmsft if you are good with that, I'll make the changes on the different small permission scripts

briandelmsft commented 1 year ago

@piaudonn I'm wondering if we should just get rid of the small ones. In my mind the small ones exist for 2 reasons, as a sort of document of what permissions that specific module needs, and, if we need to change permissions for a module that we could say just run the update for that module. But is it really worth it? We could document in md the permissions specific to each module.

How does this new script handle it if the permission is already assigned? Does it throw an error? If it does, can we handle that error, since if the permission is already present it's not really an issue for us? If the full script can re-execute on an existing deployment to add additional perms without throwing tons of errors, I think we can get rid of the small scripts.

piaudonn commented 1 year ago

When there is duplication:

```
⚙️ Connect to the Azure AD tenant: 550a9b78-cb2e-43e0-9c5b-db194784b875
⚙️ Connecting to to the Azure subscription: 12f5f23d-9ade-4a66-ad94-67cf1314f629
⚙️ Setting permission Data.Read on LS-Get-UEBAInsights
❌ Permission being assigned already exists on the object
⚙️ Adding Microsoft Sentinel Responder to LS-Get-UEBAInsights
❌ Operation returned an invalid status code 'Conflict'
⚙️ Setting permission MailboxSettings.Read on LS-Get-OOFDetails
❌ Permission being assigned already exists on the object
⚙️ Adding Microsoft Sentinel Responder to LS-Get-OOFDetails
❌ Operation returned an invalid status code 'Conflict'
⚙️ Setting permission Data.Read on LS-Get-RelatedAlerts
❌ Permission being assigned already exists on the object
⚙️ Adding Microsoft Sentinel Responder to LS-Get-RelatedAlerts
❌ Operation returned an invalid status code 'Conflict'
⚙️ Setting permission User.Read.All on LS-Get-MDEInsights
✅ Permission granted
⚙️ Setting permission AdvancedQuery.Read.All on LS-Get-MDEInsights
✅ Permission granted
⚙️ Setting permission Machine.Read.All on LS-Get-MDEInsights
...
```

Need to handle the case when it does not exist though.

piaudonn commented 1 year ago

I added the handling of principals not existing.

```
...
⚙️ Setting permission Data.Read on LS-Get-UEBwAInsights
❌ Principal not found.
⚙️ Adding Microsoft Sentinel Responder to LS-Get-UEBwAInsights
❌ Principal not found.
...
```

Yeah, the small scripts could go away. I have not used them since we have the custom connector.

briandelmsft commented 1 year ago

what if we assigned a ℹ️ to the cases where the permission was already assigned instead of an ❌

I think if that were the case we could just do away with the small scripts and just guide people to re-run the full script in cases where permissions get added to modules over time

piaudonn commented 1 year ago

```
⚙️ Setting permission Data.Read on LS-Get-UEBAInsights
ℹ️ Permission being assigned already exists on the object
⚙️ Adding Microsoft Sentinel Responder to LS-Get-UEBAInsights
ℹ️ Role already assigned
```

briandelmsft commented 1 year ago

I am getting failures about insufficient privileges, it seems on any of the Microsoft Graph permissions. When I did the consent, I only consented as the user, not the organization. Does the consent need to be for the whole organization? It was done as a GA:

[image]

Also, is the warning to be expected?

piaudonn commented 1 year ago

I don't have the warning. It doesn't look like you have the consent on the enterprise app in your tenant for that user:

```
No user consented permissions found for the application under Microsoft Graph PowerShell
```

briandelmsft commented 1 year ago

Maybe it's an old module on my box that I need to update.

I did have the consent on the user, but I removed it so it would re-prompt for admin consent but I haven't got around to trying it again yet

briandelmsft commented 1 year ago

@piaudonn I tracked the warning down to the Az.Resources module. I was running 6.0.0; when I upgraded to the current (6.4.1) the warning went away. I'm not sure what version specifically fixed it. I don't know if this warrants putting some module version check into the script, but it certainly runs much nicer when you don't get those warnings.

As for the insufficient privileges, I'm still getting that error. This time I left the consent grants in place, so you should see them if you check the lab.

piaudonn commented 1 year ago

@briandelmsft Scope updated in the script. Also created the Legacy version of the script and updated the troubleshooting documentation.
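The thread converges on four behaviours for the rewritten script: an up-front module version check (the spurious warning traced to Az.Resources 6.0.0, gone in 6.4.1), connecting with explicit Graph scopes, reporting an already-present permission or role as ℹ️ rather than ❌ so the full script can be re-run safely, and reporting a missing principal as ❌. The following is an added example, not the PR's GrantPermissions.ps1, showing one way to implement that with the Microsoft Graph PowerShell SDK and the Az modules. The tenant, subscription and resource-group values are placeholders, the Logic App identity names and role name are taken from the thread's output, and the permission map is reduced to two Microsoft Graph application permissions for illustration.

```powershell
# Added example (not the PR's script): an idempotent permission-grant routine in the shape
# this thread converges on. Placeholder values are marked with angle brackets.

function Test-RequiredModule {
    # Warn before the run starts instead of letting a module warning spray through the output.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][version]$MinimumVersion)
    $mod = Get-Module -ListAvailable -Name $Name | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $mod) { Write-Host "❌ Module $Name is not installed"; return $false }
    if ($mod.Version -lt $MinimumVersion) {
        Write-Host "⚠️ $Name $($mod.Version) is older than $MinimumVersion; run Update-Module $Name"
        return $false
    }
    Write-Host "✅ $Name $($mod.Version)"; return $true
}

function Find-ServicePrincipalByName {
    # A Logic App with a system-assigned identity appears as a service principal named after the app.
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
}

function Grant-AppRoleIdempotent {
    # Assign one application permission (app role) of a resource API to a principal.
    # Returns a status string; an existing grant is information, not an error.
    param(
        [Parameter(Mandatory)][string]$PrincipalDisplayName,
        [Parameter(Mandatory)][string]$Permission,          # e.g. 'User.Read.All'
        [Parameter(Mandatory)]$ResourceServicePrincipal      # the API exposing the role, e.g. Microsoft Graph
    )
    Write-Host "⚙️ Setting permission $Permission on $PrincipalDisplayName"
    $principal = Find-ServicePrincipalByName -DisplayName $PrincipalDisplayName
    if (-not $principal) { Write-Host "❌ Principal not found."; return 'NotFound' }
    $role = $ResourceServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Host "❌ $Permission is not an application permission of this API"; return 'UnknownPermission' }
    # Pre-check so a re-run on an existing deployment stays quiet.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principal.Id -All |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $ResourceServicePrincipal.Id }
    if ($existing) { Write-Host "ℹ️ Permission being assigned already exists on the object"; return 'AlreadyAssigned' }
    try {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principal.Id -PrincipalId $principal.Id `
            -ResourceId $ResourceServicePrincipal.Id -AppRoleId $role.Id -ErrorAction Stop | Out-Null
        Write-Host "✅ Permission granted"; return 'Granted'
    } catch {
        # A concurrent run can race past the pre-check; Graph reports that as "already exists".
        if ($_.Exception.Message -match 'already exists') { Write-Host "ℹ️ Permission being assigned already exists on the object"; return 'AlreadyAssigned' }
        Write-Host "❌ $($_.Exception.Message)"; return 'Failed'
    }
}

function Grant-AzRoleIdempotent {
    # Same pattern for Azure RBAC; a repeated assignment comes back as HTTP 'Conflict'.
    param(
        [Parameter(Mandatory)][string]$PrincipalDisplayName,
        [Parameter(Mandatory)][string]$RoleDefinitionName,
        [Parameter(Mandatory)][string]$Scope
    )
    Write-Host "⚙️ Adding $RoleDefinitionName to $PrincipalDisplayName"
    $principal = Find-ServicePrincipalByName -DisplayName $PrincipalDisplayName
    if (-not $principal) { Write-Host "❌ Principal not found."; return 'NotFound' }
    $existing = Get-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "ℹ️ Role already assigned"; return 'AlreadyAssigned' }
    try {
        New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope -ErrorAction Stop | Out-Null
        Write-Host "✅ Role assigned"; return 'Granted'
    } catch {
        if ($_.Exception.Message -match 'Conflict') { Write-Host "ℹ️ Role already assigned"; return 'AlreadyAssigned' }
        Write-Host "❌ $($_.Exception.Message)"; return 'Failed'
    }
}

# ---- driver: placeholder identifiers, replace with your own ----
$TenantId       = '<tenant-id>'
$SubscriptionId = '<subscription-id>'
$RbacScope      = "/subscriptions/$SubscriptionId/resourceGroups/<sentinel-resource-group>"

if (-not (Test-RequiredModule -Name 'Az.Resources' -MinimumVersion '6.4.1')) { return }

# Explicit, minimal delegated scopes. AppRoleAssignment.ReadWrite.All requires admin consent,
# which is why a user-only consent ends in "insufficient privileges".
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null
Connect-AzAccount -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null

$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph (well-known appId)

# Permission map in the thread's shape: Logic App identity -> Graph application permissions.
$grants = @{
    'LS-Get-OOFDetails'  = @('MailboxSettings.Read')
    'LS-Get-MDEInsights' = @('User.Read.All')
}
$results = foreach ($app in $grants.Keys) {
    foreach ($perm in $grants[$app]) { Grant-AppRoleIdempotent -PrincipalDisplayName $app -Permission $perm -ResourceServicePrincipal $graphSp }
    Grant-AzRoleIdempotent -PrincipalDisplayName $app -RoleDefinitionName 'Microsoft Sentinel Responder' -Scope $RbacScope
}
# Only genuine failures should make a re-run noisy; summarise outcomes at the end.
$results | Group-Object | ForEach-Object { "$($_.Name): $($_.Count)" }
```

Because each grant function checks for the existing assignment before calling the write cmdlet and only falls back to matching the "already exists" / "Conflict" error text for races, re-running the whole script on an existing deployment produces ℹ️ lines rather than ❌ lines, which is the property the thread wants before retiring the per-module scripts. Every function returns a status string rather than only printing, so the driver (or a CI job) can fail only on NotFound, UnknownPermission or Failed results.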