SA1.5 Authentication and Permissions

5 hours · Module 1 · Free

Figure SA1.5 — Three authentication patterns and the permission matrix. Every playbook in this course follows these patterns with least-privilege grants.

Operational Objective

Every playbook calls APIs. APIs require authentication. The authentication method determines who the playbook authenticates as, what it can access, and where credentials are stored. Get this wrong and you have a playbook that cannot execute (insufficient permissions), a playbook that can do too much (excessive permissions creating attack surface), or a playbook with hardcoded credentials visible to anyone who can read the Logic App definition. This sub teaches the three authentication patterns, the exact PowerShell commands for granting Graph permissions to managed identities, and the Key Vault integration that keeps secrets out of playbook definitions.

Deliverable: The ability to configure managed identity authentication for Microsoft APIs, Key Vault integration for third-party APIs, and least-privilege permission grants for every playbook type in this course.

⏱ Estimated completion: 30 minutes

Pattern 1: Managed identity for Microsoft APIs

Managed identity solves the credential management problem. Instead of creating a service account with a password that expires, embedding a client secret that leaks, or hardcoding an API key that appears in version control — you enable a system-assigned identity on the Logic App and Azure handles credential issuance, rotation, and revocation automatically.

When your playbook calls Microsoft Graph to query a user’s risk level, the HTTP action authenticates using the managed identity. Azure intercepts the request, obtains an OAuth token for the identity, attaches it to the API call, and the Graph API validates the token. The entire flow happens without credentials appearing anywhere — not in the Logic App definition, not in the run history, not in the logs.

Enabling managed identity. Navigate to your Logic App → Settings → Identity → System assigned → Status: On → Save. Azure creates the identity and shows the Object ID. You need this ID for permission grants.

Granting Azure RBAC roles. For Sentinel and Log Analytics operations, the managed identity needs RBAC roles at the workspace level. Navigate to Sentinel workspace → Access control (IAM) → Add role assignment → select role → select the Logic App’s managed identity as member.

Enrichment playbooks need two roles: Microsoft Sentinel Responder (read incidents, add comments, change properties) and Log Analytics Reader (run KQL queries). These roles provide the minimum access for Tier 1 operations.

Granting Microsoft Graph permissions. This is where most builders get stuck. The Azure portal does not support granting application permissions to managed identities — only to app registrations. You must use PowerShell.

The process using Microsoft Graph PowerShell SDK:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Install the module if not present
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with admin permissions
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

# Get the managed identity's service principal
$MI = Get-MgServicePrincipal -Filter "displayName eq 'SA-Playbook-Enrichment-First'"

# Get the Microsoft Graph service principal (always the same appId)
$Graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Find the specific permission
$UserRead = $Graph.AppRoles | Where-Object { $_.Value -eq "User.Read.All" }
$RiskyUser = $Graph.AppRoles | Where-Object { $_.Value -eq "IdentityRiskyUser.Read.All" }

# Grant User.Read.All
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $MI.Id `
    -PrincipalId $MI.Id `
    -ResourceId $Graph.Id `
    -AppRoleId $UserRead.Id

# Grant IdentityRiskyUser.Read.All
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $MI.Id `
    -PrincipalId $MI.Id `
    -ResourceId $Graph.Id `
    -AppRoleId $RiskyUser.Id

After running these commands, the managed identity can call Graph endpoints that require these permissions. The permissions take effect within minutes — no Logic App restart required.

Using managed identity in the Logic App. In the HTTP action, set Authentication type to “Managed Identity,” set Managed Identity to “System-assigned,” and set Audience to https://graph.microsoft.com. For Log Analytics queries, the “Run query and list results” action handles authentication through the connector configuration — select “Connect with managed identity” during setup.

Pattern 2: Key Vault for API keys

Third-party APIs like VirusTotal, AbuseIPDB, and Shodan use API keys. These keys must never appear in your Logic App definition. Anyone with read access to the Logic App (Contributor role on the resource group) can view the full JSON definition, including any hardcoded values.

Setting up Key Vault. Create an Azure Key Vault (portal.azure.com → Create resource → Key Vault). Use the same resource group as your Logic Apps. Enable RBAC authorization model (not the legacy access policy model).

Storing secrets. Navigate to Key Vault → Objects → Secrets → Generate/Import. Create one secret per API key: “VirusTotal-API-Key” → paste the key → Create. Repeat for AbuseIPDB, Shodan, and any other external API.

Granting access. The Logic App’s managed identity needs the “Key Vault Secrets User” role on the Key Vault. Navigate to Key Vault → Access control (IAM) → Add role assignment → Key Vault Secrets User → select the Logic App’s managed identity.

Reading secrets in the Logic App. Add an action: “Azure Key Vault — Get secret.” Select the Key Vault name and the secret name (“VirusTotal-API-Key”). The action returns the secret value at runtime. Reference the output in subsequent HTTP actions:

In the HTTP action headers, add: x-apikey → dynamic content → “Get secret” → value.

The API key is read from Key Vault each time the playbook runs. If you rotate the key (generate a new one in VirusTotal, update the Key Vault secret), the Logic App uses the new key on the next run with no playbook modification.

Pattern 3: Connector-managed authentication

Some Logic App connectors handle authentication through their own connection mechanism. The Teams connector, Outlook connector, and SharePoint connector use delegated (user-context) authentication — when you create the connection, you sign in with your account, and the connector uses your identity for subsequent actions.

This is acceptable for notification actions (posting to Teams, sending email) but has an operational risk: the connection is tied to a specific user account. If that user’s password changes, MFA re-enrollment is required, or the account is disabled, the connection breaks and the playbook fails.

The mitigation: create connections using a dedicated service account (e.g., soc-automation@northgateeng.com) that is excluded from password expiration policies, has a dedicated MFA method, and is not used for interactive sign-in. Document the service account in the playbook runbook and include connection refresh in the quarterly maintenance checklist.

For Microsoft Graph operations, always prefer managed identity over connector-managed auth. Managed identity uses application permissions (no user context required) and does not depend on any individual user account.

Least privilege — the design principle

Every permission beyond the minimum required is attack surface. An enrichment playbook with Directory.ReadWrite.All (granted “just in case”) gives a compromised managed identity the ability to create admin accounts, modify group memberships, and change conditional access policies. An enrichment playbook with User.Read.All limits the compromise to reading user properties — visibility without modification capability.

The permission matrix by playbook type is not a guideline — it is the specification. When you build each playbook in this course, the sub specifies the exact permissions required. Do not add permissions that are not listed. If a future playbook enhancement requires a new permission, grant it explicitly at that time — do not pre-grant permissions for features you have not built yet.

Quarterly permission audit. Every 90 days, review all managed identity permissions. For each Logic App, list its granted permissions and compare against the actions the playbook currently uses. If a permission was granted during development but the corresponding action was removed in a later revision, remove the permission. The command to list all permissions:

1
2
3
4
$MI = Get-MgServicePrincipal -Filter "displayName eq 'SA-Playbook-Enrichment-First'"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id |
    Select-Object ResourceDisplayName, AppRoleId |
    Format-Table -AutoSize

⚠ Compliance Myth: "Managed identities are less secure than service accounts because Azure controls the credentials"

The myth: Managed identities rely on Azure for credential management. If Azure has a security incident, managed identity credentials could be compromised. Service accounts with passwords we control are more secure.

The reality: Service account passwords are stored in Entra ID (also Azure infrastructure), can be extracted via credential theft (Mimikatz, DCSync), are often set to never expire, and are frequently shared across multiple scripts. Managed identity credentials are never exposed to any user, cannot be extracted from the directory, rotate automatically, and are bound to a single Azure resource. Every security metric favors managed identity: no credential exposure, no theft surface, no expiration management, no shared secrets. The Azure infrastructure risk applies equally to both — service account passwords are stored in the same Azure AD infrastructure that issues managed identity tokens.

Decision point: Your containment playbook needs to revoke user sessions (Graph: User.RevokeSessions.All) and isolate endpoints (MDE: Machine.Isolate). Should you use one Logic App with both permission sets or two separate Logic Apps? One Logic App is simpler to build, test, and maintain. Two Logic Apps provide permission isolation — if one managed identity is compromised, the attacker only gets half the containment capability. For most organisations, one Logic App is correct: the operational complexity of coordinating two Logic Apps outweighs the marginal security benefit. Exception: if your compliance framework mandates separation of identity management and endpoint management roles, split the Logic Apps.

Try it: Configure managed identity permissions

For your enrichment playbook from SA1.4:

Confirm managed identity is enabled (Logic App → Identity → System assigned → On)
Grant Sentinel Responder + Log Analytics Reader on the workspace (IAM → Add role assignment)
Use the PowerShell commands above to grant User.Read.All and IdentityRiskyUser.Read.All
Test: add an HTTP action calling https://graph.microsoft.com/v1.0/identityProtection/riskyUsers with managed identity auth
Verify the call succeeds (200 response)
List all permissions with Get-MgServicePrincipalAppRoleAssignment — confirm only the two Graph permissions are present

If you plan to add VirusTotal enrichment: 7. Create a Key Vault and store your VirusTotal API key 8. Grant “Key Vault Secrets User” to the Logic App’s managed identity 9. Add a “Get secret” action and use the output in an HTTP call to VirusTotal

Your enrichment playbook calls Graph to query user risk data. The call returns 403 Forbidden. Managed identity is enabled. What is the most likely cause?

The Graph application permission (IdentityRiskyUser.Read.All) has not been granted to the managed identity via PowerShell. Enabling managed identity creates the identity but does not grant API permissions. The portal does not support granting Graph application permissions to managed identities — you must use Connect-MgGraph and New-MgServicePrincipalAppRoleAssignment.

The managed identity needs Global Administrator role. Global Admin is never required for enrichment. The specific Graph permission provides exactly the needed access. Granting Global Admin to a Logic App creates massive attack surface.

The HTTP action audience URL is wrong. An incorrect audience URL would produce 401 Unauthorized (invalid token), not 403 Forbidden (valid token, insufficient permissions). 403 means authentication succeeded but authorization failed.

Managed identity does not support Graph API. Managed identity supports all Microsoft APIs including Graph, ARM, Log Analytics, and MDE.

Where this goes deeper. SA5 configures identity containment permissions (User.RevokeSessions.All, UserAuthenticationMethod.ReadWrite.All) for the containment playbook. SA6 configures MDE RBAC permissions for endpoint isolation. SA10 covers Azure Functions authentication — managed identity for Azure APIs, Key Vault for external APIs, and the Function-to-Sentinel integration pattern.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus

← SA1.4 Your First Playbook SA1.6 Entity Extraction and Mapping →