Automated Automation Rule Deployment - Stuck with Service Principal Permissions via Lighthouse

Ma Je 0 Reputation points
2025-02-27T19:13:37.4233333+00:00

(Sorry for the tag, I couldn't find something closer to Microsoft Sentinel via Service Principal through Lighthouse)

Hi, I am trying to create a product where we essentially automatically deploy resources to customer environments for MSSP support. One of these items is an Automation Rule that triggers a logic app. I can deploy analytics rules, logic apps, workbooks, hunting queries absolutely fine, but when it comes to automation rules, there is some weird permission niche I can't seem to get.

I've given my service principal the following permissions to try and test via Lighthouse:

- Contributor
- Logic App Contributor
- Microsoft Sentinel Contributor
- Microsoft Sentinel Automation Contributor
- Microsoft Sentinel Playbook Operator
- Microsoft Sentinel Responder

Yet every time I deploy with Terraform I get the following:


The service principal does not have permission to trigger the Logic App.\nERROR:root:Please ensure the service principal has the '**Microsoft Sentinel Responder**' permissions.

Yet I do have that permission. I have also tested with just Contributor access on my own dev environment where the service principal resides, and found it works with just Contributor on the subscription.

Another note: I have also gone to my logic app and authenticated the connection against my tenant ID and service principal, so this should also not be an issue.

I wanted to ask if this is a bug that can be fixed, or if it's an error with the back-end permissions handling specifically for automation rules. If so, please can this be amended so I can deploy automation rules using my Lighthouse-enabled service principal.

If not, the only other option is to have a service principal reside directly on a customer tenancy, in which case, what is the point of Lighthouse? I also wanted to query whether user accounts have different permissions than service principals, as when I create automation rules as a user via Lighthouse, there are no issues at all.

Cheers.
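For reference, here is an added Terraform example of the deployment the question describes (an automation rule that runs a playbook in a Lighthouse-delegated tenant); it is not the poster's code and not a Microsoft-provided answer. It assumes the workspace and logic app already exist, uses the azurerm provider resources `azurerm_sentinel_automation_rule` and `azurerm_role_assignment`, and treats every ID, the playbook name and the rule GUID as placeholders; the role assignment reflects the documented requirement that Sentinel's own "Azure Security Insights" identity, not only the deploying service principal, must hold Microsoft Sentinel Automation Contributor on the playbook's resource group.

```hcl
# Added example, not from the original post. All IDs below are placeholders.
variable "workspace_id"         { type = string } # resource ID of the customer's Log Analytics workspace
variable "playbook_id"          { type = string } # resource ID of the logic app in the customer tenant
variable "playbook_rg_id"       { type = string } # resource ID of the resource group holding the logic app
variable "customer_tenant_id"   { type = string } # tenant that owns the workspace and logic app
# Object ID of the "Azure Security Insights" service principal as it exists in the
# customer tenant (assumed to be looked up there; it differs per tenant).
variable "sentinel_sp_object_id" { type = string }

# Sentinel's own identity needs this role to run the playbook. Without it the rule
# deploys fine, but triggering fails no matter which roles the deploying SP holds.
resource "azurerm_role_assignment" "sentinel_can_run_playbooks" {
  scope                = var.playbook_rg_id
  role_definition_name = "Microsoft Sentinel Automation Contributor"
  principal_id         = var.sentinel_sp_object_id
}

resource "azurerm_sentinel_automation_rule" "run_playbook_on_high" {
  name                       = "11111111-1111-1111-1111-111111111111" # must be a GUID (placeholder)
  log_analytics_workspace_id = var.workspace_id
  display_name               = "Run playbook on high-severity incidents"
  order                      = 1
  triggers_on                = "Incidents"
  triggers_when              = "Created"

  # Raw condition array in the Sentinel API format: only act on High severity.
  condition_json = jsonencode([{
    conditionType = "Property"
    conditionProperties = {
      propertyName   = "IncidentSeverity"
      operator       = "Equals"
      propertyValues = ["High"]
    }
  }])

  action_playbook {
    order        = 1
    logic_app_id = var.playbook_id
    # Set explicitly: the playbook lives in the delegated customer tenant, not the
    # tenant the deploying service principal authenticates against.
    tenant_id    = var.customer_tenant_id
  }

  depends_on = [azurerm_role_assignment.sentinel_can_run_playbooks]
}
```

Creating the role assignment through Lighthouse only works if the delegation grants the deploying principal a role that can assign roles (for example User Access Administrator with the delegated role assignment restriction); otherwise the customer has to grant it once on their side.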
