Author: Accelerynt
For any technical questions, please contact info@accelerynt.com
This playbook is intended to be run from a Microsoft Sentinel entity. It will disable the Azure AD user account associated with the Microsoft Sentinel account entity.
Note This playbook is meant to be used in tandem with https://github.com/Accelerynt-Security/AS-Enable-Azure-AD-User-From-Entity. The "Create an App Registration" and "Create an Azure Key Vault Secret" setup steps only need to be completed once, as both playbooks share the same requirements.
The following items are required under the template settings during deployment:
- A Microsoft Azure Active Directory app registration with admin consent granted for "User.ManageIdentities.All" and "User.EnableDisableAccount.All" in the "Microsoft Graph" API
- An Azure key vault secret containing your app registration client secret
Note This playbook uses an HTTPS request rather than the built in Azure AD connector to update users, which is why the app registration is required. A version using the Azure AD connector can be found here: https://github.com/Accelerynt-Security/AS-Azure-AD-Disable-User.
Navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
Click "New registration".
Enter "AS-Update-Azure-AD-User" for the name, all else can be left as is. Click "Register"
Once the app registration is created, you will be redirected to the "Overview" page. Under the "Essentials" section, take note of the "Application (client) ID", as this will be needed for deployment.
Next, you will need to add permissions for the app registration to call the Microsoft Graph API update user endpoint. From the left menu blade, click "API permissions" under the "Manage" section. Then, click "Add a permission".
From the "Select an API" pane, click the "Microsoft APIs" tab and select "Microsoft Graph".
Click "Application permissions", then scroll down to the "User" tab.
Click the "User.ManageIdentities.All" and "User.EnableDisableAccount.All" options, then click "Add permission".
Admin consent will be needed before your app registration can use the assigned permissions. Click "Grant admin consent for (name)".
Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "Certificates & secrets" under the "Manage" section. Then, click "New client secret".
Enter a description and select the desired expiration date, then click "Add".
Copy the value of the secret that is generated, as this will be needed for Create an Azure Key Vault Secret.
Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults
Navigate to an existing key vault or create a new one. From the key vault overview page, click the "Secrets" menu option, found under the "Settings" section. Click "Generate/Import".
Choose a name for the secret, such as "AS-Update-Azure-AD-User--App-Registration-Client-Secret", and enter the client secret copied in the previous section. All other settings can be left as is. Click "Create".
Once your secret has been added to the vault, navigate to the "Access policies" menu option. Leave this page open, as you will need to return to it once the playbook has been deployed. See Granting Access to Azure Key Vault.
To configure and deploy this playbook:
Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:
https://github.com/Accelerynt-Security/AS-Disable-Azure-AD-User-From-Entity
Click the “Deploy to Azure” button at the bottom and it will bring you to the custom deployment template.
In the Project details section:
- Select the Subscription and Resource group from the dropdown boxes you would like the playbook deployed to.
In the Instance details section:
-
Playbook Name: This can be left as "AS-Disable-Azure-AD-User-From-Entity" or you may change it.
-
Client ID: Enter the Application (client) ID of your app registration referenced in Create an App Registration.
-
Key Vault Name: Enter the name of the key vault referenced in Create an Azure Key Vault Secret.
-
Key Vault Secret Name: Enter the name of the key vault Secret created in Create an Azure Key Vault Secret.
Towards the bottom, click on "Review + create".
Once the resources have validated, click on "Create".
The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. Click the one corresponding to the Logic App.
Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secret.
From the key vault "Access policies" page, click "Create".
Select the "Get" checkbox under "Secret permissions", then click "Next".
Paste "AS-Disable-Azure-AD-User-From-Entity" into the principal search box and click the option that appears. If the app registration also appears, select the option that does not match the Application (client) ID of your app registration. Click "Next" towards the bottom of the page.
Navigate to the "Review + create" section and click "Create".
