Hi
I am struggling with PowerShell script that is needed to deploy a template Playbook in MS Sentinel. I am new to MS Sentinel, and trying out the different functions to see if it will be of use to our organization.
This is the playbook that I want to deploy:
The template provides you with the PowerShell, command that needs to be run as per the template instructions. Running the PowerShell script ends up in an error, that not even CoPilot can help me with.
This is the code required as a prerequisite for the template to run:
$MIGuid = '<Enter your managed identity guid here>'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$PermissionName = 'Machine.Scan'
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.ReadWrite.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
This is ending up in this error.
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
New-AzureADServiceAppRoleAssignment : A positional parameter cannot be found that accepts argument 'Machine.Scan'.
At line:13 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment
New-AzureADServiceAppRoleAssignment : A positional parameter cannot be found that accepts argument 'Machine.Scan'.
At line:17 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment
New-AzureAdServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned already exists on the object
RequestId: 32fd5b32-db1a-4997-8955-4405ab244b23
DateTimeStamp: Fri, 13 Sep 2024 10:35:28 GMT
Details: PropertyName - None, PropertyErrorCode - InvalidUpdate
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:21 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignmen
The one thing that I am not sure about is if my Principal ID that is retrieved by
$MIGuid = '<Enter your managed identity guid here>'
is correct. I am using the Object id from the template. Not sure if this is correct??
Any help would be appreciated!!