diff --git a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.py b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.py
index 30116e9f12f7..d7d10cfec860 100644
--- a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.py
+++ b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.py
@@ -10,6 +10,14 @@
 # Disable insecure warnings
 urllib3.disable_warnings() # pylint: disable=no-member
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%S.%f'
+REQUIRED_PERMISSIONS = (
+ 'offline_access', # allows device-flow login
+ 'IdentityRiskEvent.Read.All',
+ 'IdentityRiskyUser.ReadWrite.All',
+ 'RoleManagement.ReadWrite.Directory',
+ 'Policy.ReadWrite.ConditionalAccess',
+ 'Policy.Read.All'
+)
 class Client: # pragma: no cover
@@ -44,7 +52,7 @@ def __init__(self, app_id: str, verify: bool, proxy: bool,
 "command_prefix": "msgraph-identity",
 }
 if not client_credentials:
- args["scope"] = 'offline_access RoleManagement.ReadWrite.Directory'
+ args["scope"] = ' '.join(REQUIRED_PERMISSIONS)
 args["token_retrieval_url"] = 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
 self.ms_client = MicrosoftClient(**args) # type: ignore
diff --git a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess_description.md b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess_description.md
index 76608d35492c..95ffa7848210 100644
--- a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess_description.md
+++ b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess_description.md
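Review bot: `REQUIRED_PERMISSIONS` is only read inside the `if not client_credentials:` branch of `__init__` (second hunk), so on the client-credentials path the tuple has no effect and the permissions actually available are whatever was granted to the app registration — nothing in these hunks ties the two together, and a comment above the tuple should make that explicit, e.g. `# Delegated scopes requested by the device-code flow only; the client-credentials path relies on the permissions granted to the app registration. Keep this list in sync with README.md and the integration description.` The name also suggests a Graph-permission list, but the first entry is the OIDC `offline_access` scope, which the inline comment only partly explains. Because every device-code login now asks for the full bundle, including `RoleManagement.ReadWrite.Directory` and `Policy.ReadWrite.ConditionalAccess`, an operator who only runs the read-only commands still consents to write scopes; that trade-off is worth a sentence in the same comment. Minor style: `'Policy.Read.All'` lacks the trailing comma used in multi-line literals. `__init__` starts and ends outside the second hunk.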
@@ -29,7 +29,11 @@ Follow these steps for a self-deployed configuration: 4. Enter your Tenant ID in the ***Tenant ID*** parameter. ### Required Permissions -RoleManagement.ReadWrite.Directory - Application +- `IdentityRiskEvent.Read.All` +- `IdentityRiskyUser.ReadWrite.All` +- `RoleManagement.ReadWrite.Directory` +- `Policy.ReadWrite.ConditionalAccess` +- `Policy.Read.All` ### Azure Managed Identities Authentication ___ diff --git a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/README.md b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/README.md index 26143f28912e..34de185c0eaf 100644 --- a/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/README.md +++ b/Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/README.md @@ -17,6 +17,16 @@ Use the Azure Active Directory Identity And Access integration to manage roles a | Use system proxy settings | False | 4. Click **Test** to validate the URLs, token, and connection. + + +## Required Permissions +To use this integration, the following permissions are required on the Azure app. +- `IdentityRiskEvent.Read.All` +- `IdentityRiskyUser.ReadWrite.All` +- `RoleManagement.ReadWrite.Directory` +- `Policy.ReadWrite.ConditionalAccess` +- `Policy.Read.All` + ## Commands You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. diff --git a/Packs/MicrosoftGraphIdentityandAccess/ReleaseNotes/1_2_45.md b/Packs/MicrosoftGraphIdentityandAccess/ReleaseNotes/1_2_45.md new file mode 100644 index 000000000000..deb09593ec01 --- /dev/null +++ b/Packs/MicrosoftGraphIdentityandAccess/ReleaseNotes/1_2_45.md 
@@ -0,0 +1,6 @@ + +#### Integrations + +##### Azure Active Directory Identity And Access + +Fixed an issue where the *Device Code Flow* did not include all the required scopes. \ No newline at end of file diff --git a/Packs/MicrosoftGraphIdentityandAccess/TestPlaybooks/MSGraph-Identity-testplaybook.yml b/Packs/MicrosoftGraphIdentityandAccess/TestPlaybooks/MSGraph-Identity-testplaybook.yml index 8306449fa957..856a60a64909 100644 --- a/Packs/MicrosoftGraphIdentityandAccess/TestPlaybooks/MSGraph-Identity-testplaybook.yml +++ b/Packs/MicrosoftGraphIdentityandAccess/TestPlaybooks/MSGraph-Identity-testplaybook.yml @@ -1,19 +1,19 @@ id: Identity & Access test playbook version: -1 -vcShouldKeepItemLegacyProdMachine: false name: Identity & Access test playbook starttaskid: "0" tasks: "0": id: "0" - taskid: 0a2de1dd-32b0-499b-8b5d-fe8b5ee033da + taskid: 6caa0aef-05cf-4421-844f-722a7fcaed2b type: start task: - id: 0a2de1dd-32b0-499b-8b5d-fe8b5ee033da + id: 6caa0aef-05cf-4421-844f-722a7fcaed2b version: -1 name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "7" 
@@ -30,14 +30,184 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 04bf540f-25c5-4b38-85e7-963568d5b061 + type: regular + task: + id: 04bf540f-25c5-4b38-85e7-963568d5b061 + version: -1 + name: msgraph-identity-auth-test + description: Tests connectivity to Microsoft. + script: MicrosoftGraphIdentityandAccess|||msgraph-identity-auth-test + type: regular + iscommand: true + brand: MicrosoftGraphIdentityandAccess + nexttasks: + '#none#': + - "6" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: 458d2616-864d-47c6-84e7-37c9373b7628 + type: regular + task: + id: 458d2616-864d-47c6-84e7-37c9373b7628 + version: -1 + name: msgraph-identity-directory-role-member-add + description: Add a user to a role. + script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-member-add + type: regular + iscommand: true + brand: MicrosoftGraphIdentityandAccess + nexttasks: + '#none#': + - "4" + scriptarguments: + role_id: + complex: + root: MSGraphIdentity.Role.[6] + accessor: id + user_id: + complex: + root: MSGraphIdentity.RoleMember + accessor: user_id + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "4": + id: "4" + taskid: f37824fe-b943-431d-8adc-ff881ee4c46d + type: regular + task: + id: f37824fe-b943-431d-8adc-ff881ee4c46d + version: -1 + name: msgraph-identity-directory-role-member-remove + description: Removes a user from a role. 
+ script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-member-remove + type: regular + iscommand: true + brand: MicrosoftGraphIdentityandAccess + nexttasks: + '#none#': + - "8" + scriptarguments: + role_id: + complex: + root: MSGraphIdentity.Role.[6] + accessor: id + user_id: + complex: + root: MSGraphIdentity.RoleMember + accessor: user_id + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 1070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "5": + id: "5" + taskid: 9be231ca-cb3c-4bfb-8097-9794792ef035 + type: regular + task: + id: 9be231ca-cb3c-4bfb-8097-9794792ef035 + version: -1 + name: msgraph-identity-directory-role-members-list + description: Gets all members in the role ID. + script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-members-list + type: regular + iscommand: true + brand: MicrosoftGraphIdentityandAccess + nexttasks: + '#none#': + - "3" + scriptarguments: + limit: {} + role_id: + complex: + root: MSGraphIdentity.Role.[0] + accessor: id + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: 3c9bc415-81cd-4525-8a2c-4677e158c3ca + type: regular + task: + id: 3c9bc415-81cd-4525-8a2c-4677e158c3ca + version: -1 + name: msgraph-identity-directory-roles-list + description: Lists roles in the directory. 
+ script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-roles-list + type: regular + iscommand: true + brand: MicrosoftGraphIdentityandAccess + nexttasks: + '#none#': + - "5" + scriptarguments: + limit: + simple: "20" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "7": id: "7" - taskid: ffd25416-d2a9-45c2-84ac-da67fbe4b21a + taskid: 28b7b9a9-8e50-4a9a-88d9-9df339a8d7b7 type: regular task: - id: ffd25416-d2a9-45c2-84ac-da67fbe4b21a + id: 28b7b9a9-8e50-4a9a-88d9-9df339a8d7b7 version: -1 name: DeleteContext description: Delete field from context @@ -47,10 +217,14 @@ tasks: brand: "" nexttasks: '#none#': - - "8" + - "2" scriptarguments: all: simple: "yes" + index: {} + key: {} + keysToKeep: {} + subplaybook: {} separatecontext: false view: |- { @@ -64,25 +238,24 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "8": id: "8" - taskid: 65919e2a-e2f0-4f9e-8e20-0e0f217b991a + taskid: 3dbfa74a-3063-4be8-883d-1aa66dc6c222 type: title task: - id: 65919e2a-e2f0-4f9e-8e20-0e0f217b991a + id: 3dbfa74a-3063-4be8-883d-1aa66dc6c222 version: -1 name: Done type: title iscommand: false brand: "" + description: '' separatecontext: false view: |- { "position": { - "x": 40, - "y": 410 + "x": 50, + "y": 1245 } } note: false @@ -90,16 +263,14 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 425, - "width": 390, - "x": 40, + "height": 1260, + "width": 380, + "x": 50, "y": 50 } } diff --git a/Packs/MicrosoftGraphIdentityandAccess/pack_metadata.json b/Packs/MicrosoftGraphIdentityandAccess/pack_metadata.json index 687ec7095839..b14b6f2e2b4c 100644 --- a/Packs/MicrosoftGraphIdentityandAccess/pack_metadata.json 
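Review bot: Tasks "3" and "4" pick the role to modify by position, `root: MSGraphIdentity.Role.[6]`, while task "5" reads its members from `MSGraphIdentity.Role.[0]`; nothing in the playbook shows the roles-list order to be stable, so each run may add the user taken from the first role's member list to whichever — possibly highly privileged — role happens to be seventh in the test tenant, and the remove step only undoes it if the add succeeded. Selecting the role through a context filter on its display name, or passing a fixed and documented test role id as a playbook input, would make the test deterministic and bound what it can change. At minimum the task descriptions should name the roles expected at those indexes, e.g. `description: Add a user to the role expected at MSGraphIdentity.Role.[6] (<expected role name>).` The enclosing `tasks:` mapping begins before this hunk and continues past it; the later hunks on this line only regenerate task ids and layout coordinates.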
+++ b/Packs/MicrosoftGraphIdentityandAccess/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Microsoft Graph Identity and Access",
 "description": "Use this pack to manage roles and members in Microsoft.",
 "support": "xsoar",
- "currentVersion": "1.2.44",
+ "currentVersion": "1.2.45",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",