Issue
With the Microsoft Entra ID (Azure AD) integration with Red Canary, an automation to suspend the user is configured, however it is not working. The playbook fired on a relevant threat and shows as successful in Red Canary, but did not actually suspend the user in Azure.
Resolution
See Utilize Entra ID Protection response actions to install the Enterprise Application "Red Canary + Azure AD Response Actions".
Prerequisites:
- Global Administrator Access:
  - Ensure you are logged in as a Global Administrator.
- Correct Entra ID Tenant Installation:
  - Install the app in the appropriate Entra ID tenant(s) where you want response actions to apply.
  - The default tenant may be the only tenant selected for install. However, if other relevant tenants exist, be sure to install the app in those tenants as well.
- Admin Consent Requests:
  - Confirm that the app installation is not pending approval in the Admin Consent Requests section in Azure.
Cause
The customer does not have the enterprise application for Red Canary + Azure AD Response Actions installed.
Without that enterprise application (service principal) present in the tenant, Red Canary cannot execute response actions via the Graph API in the Azure environment. This can be verified by the kind of response Graph returns after Red Canary acquires its token and attempts an API call:
{
  "error": {
    "code": "Authorization_IdentityNotFound",
    "message": "The identity of the calling application could not be established.",
    "innerError": {
      "date": "2024-07-30T18:06:54",
      "request-id": "9876541-abab-cdcd-efef-eb1234567",
      "client-request-id": "9876541-abab-cdcd-efef-eb1234567"
    }
  }
}
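The following script is an added diagnostic, not part of this article or of Red Canary's integration: it checks, in the tenant you sign in to, whether the enterprise application exists as a service principal, what permissions it has actually been granted, and whether an admin consent request for it is still pending. It assumes the Microsoft.Graph PowerShell SDK is installed and that the app's display name matches the name used in this article.

```powershell
# Added diagnostic (not Red Canary's code): verify the response-actions
# enterprise app is installed and consented in the current Entra ID tenant.
# Assumes the Microsoft.Graph PowerShell SDK; the display name is assumed to
# match the article and may need adjusting. Run once per relevant tenant.
param(
    [string]$AppDisplayName = "Red Canary + Azure AD Response Actions"
)

Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All", "ConsentRequest.Read.All" -NoWelcome
$tenant = (Get-MgContext).TenantId

# 1. Is the service principal (enterprise application) present in this tenant?
#    If not, Graph rejects the app's token with Authorization_IdentityNotFound.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) {
    Write-Warning "No service principal named '$AppDisplayName' in tenant $tenant."
    Write-Warning "Install the enterprise application in this tenant before expecting response actions to work."
    return
}
Write-Host "Found service principal $($sp.Id) (appId $($sp.AppId)) in tenant $tenant."

# 2. Application (app-only) permissions are recorded as app role assignments
#    held by the service principal on each resource (e.g. Microsoft Graph).
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
Write-Host "Application permissions granted: $(@($appRoles).Count)"
$appRoles | ForEach-Object { Write-Host "  resource: $($_.ResourceDisplayName)  appRoleId: $($_.AppRoleId)" }

# 3. Tenant-wide delegated consent shows as an oauth2PermissionGrant whose
#    consentType is AllPrincipals; filtered client-side to avoid OData limits.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Where-Object { $_.ConsentType -eq "AllPrincipals" }
Write-Host "Tenant-wide delegated grants: $(@($grants).Count)"
$grants | ForEach-Object { Write-Host "  scopes: $($_.Scope)" }

# 4. An admin consent request that still lists pending scopes means the
#    install has not been approved yet (the Admin Consent Requests blade).
$pending = Get-MgIdentityGovernanceAppConsentRequest -All |
    Where-Object { $_.AppId -eq $sp.AppId -and @($_.PendingScopes).Count -gt 0 }
if ($pending) {
    Write-Warning "Admin consent for '$AppDisplayName' is still pending in tenant $tenant."
    $pending | ForEach-Object { Write-Warning "  pending scopes: $(($_.PendingScopes | ForEach-Object { $_.DisplayName }) -join ', ')" }
} else {
    Write-Host "No pending admin consent requests for '$AppDisplayName'."
}
```

A missing service principal in step 1 matches the Authorization_IdentityNotFound error above; zero grants in steps 2 and 3 or a pending request in step 4 means the app is installed but not yet authorised to act.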