Something that’s been on the waiting list for a number of customers and myself is the ability to choose a System-assigned Managed Identity for Azure Sentinel Playbooks. This lets Azure Sentinel customers have the platform manage the identity and credentials behind the automated components, without the drudgery of manually maintaining AAD accounts.
This feature addition was announced this past weekend HERE, but I want to make sure it gets the highlight it deserves, because this is important. It is an area that adds to our Azure Sentinel Best Practices: you should consider it a best practice to use a System Managed Identity wherever possible.
Why a System Managed Identity?
There are a couple of different areas of value to be gained from using a System Managed Identity.
System-assigned and system-maintained identities enable the management of the secrets and credentials used to secure communication between different services. They eliminate the need to manage credentials yourself by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
Additionally, when you enable a system-assigned managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance, so when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
How to do it
Note that each and every Playbook you create needs its own managed identity and its own standalone access to the Log Analytics workspace for Azure Sentinel, which means you’ll need to repeat the following steps for each Playbook you have.
1. Locate and open the Playbook (the specific Logic App resource) to which you want to assign a System Managed Identity, and go to its Identity blade.
2. Flip the toggle switch to “On” to enable the System Assigned identity status and Save it. Saving this new System Assigned Identity also generates its own AAD Object ID.
3. Next, access the Azure Sentinel Log Analytics workspace configuration, jump into the Access Control blade, and Add a new Role Assignment.
4. The Playbook (Logic App resource) will now show up as a “user” in the system. Assign the Azure Sentinel Responder role to the new resource, scoped to the Log Analytics workspace.
5. Now, in the Logic Apps Designer for the Playbook, create the new managed identity connection for the Azure Sentinel Connector. This will be a unique name per Playbook (Logic App resource).
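The portal steps above as an Azure CLI script, added here as an example and not code from the original post. It assumes the az CLI is installed and signed in, that the Playbook is a Logic App of resource type Microsoft.Logic/workflows, and that the resource group, Playbook and workspace names are passed as arguments; the role name is the one used in the post.

```shell
#!/usr/bin/env bash
# Added example: enable a system-assigned identity on one Playbook and grant it
# the Sentinel role on the workspace only (steps 1-4 of the post, per Playbook).
set -eu

ROLE_NAME="Azure Sentinel Responder"   # role name as written in the post

# Build the Log Analytics workspace resource ID used as the role-assignment scope.
# Scoping to the workspace, not the subscription, keeps the Playbook least-privilege.
workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# The principalId (AAD Object ID) returned after enabling the identity must be a
# GUID; an empty string or error text means the identity was not created.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

assign_playbook_identity() {
  local playbook_rg="$1" playbook="$2" sub="$3" ws_rg="$4" ws="$5"
  local scope principal_id count
  scope="$(workspace_scope "$sub" "$ws_rg" "$ws")"

  # Step 2: flip "System assigned" to On (generic ARM update, works for Logic Apps).
  az resource update -g "$playbook_rg" -n "$playbook" \
    --resource-type "Microsoft.Logic/workflows" --set identity.type=SystemAssigned -o none
  principal_id="$(az resource show -g "$playbook_rg" -n "$playbook" \
    --resource-type "Microsoft.Logic/workflows" --query identity.principalId -o tsv)"
  is_guid "$principal_id" || { echo "no principalId for $playbook" >&2; return 1; }

  # Steps 3-4: role assignment for the new identity, scoped to the Sentinel workspace.
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$scope" -o none

  # Check: confirm the role is actually present for this identity at this scope.
  count="$(az role assignment list --assignee "$principal_id" --scope "$scope" \
    --query "length([?roleDefinitionName=='$ROLE_NAME'])" -o tsv)"
  [ "$count" -ge 1 ] || { echo "role assignment missing for $playbook" >&2; return 1; }
  echo "$playbook ($principal_id) has '$ROLE_NAME' on workspace $ws"
}

# Usage: ./playbook-identity.sh <playbook-rg> <playbook-name> <subscription-id> <workspace-rg> <workspace-name>
if [ "$#" -eq 5 ]; then
  assign_playbook_identity "$@"
fi
```

Run it once per Playbook, since each Logic App gets its own identity and its own role assignment.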