Update-VIPUsers-Watchlist-from-AzureAD-Group cannot retrieve the full user list #11394
Comments
|
Hi @pixel559 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks! |
|
Hi @pixel559, we are working on this issue will update on this soon. Thanks!! |
|
Hi @pixel559, could you please provide more information regarding this issue? Clarifying more details will help us to resolve it more effectively. Thanks!! |
|
Hi @pixel559, we are waiting for your valuable feedback. Please Provide update on the same. Thanks!! |
|
Hi @v-shukore , could you please elaborate as to which details you need? "HTTP_-Get_VIP_Azure_AD_Group_Members": { This and later steps need to be updated for the logic app to work correctly. Please note, this request is open for over 2 month now, and only at this point the additional information is requested. |
|
Hi @pixel559, |
|
Hello @v-shukore , |
This refers to the playbook that can be found below:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group
https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad-group-using-playbook/3100184
This playbook is not working correctly for the Entra ID group with more than 100 users.
The VIP users list is not being updated correctly. The VIP group has over 300 members and on the logic app step for 'HTTP - Get VIP Azure AD Group Members' only 100 users is returned.
It looks like the API is returning only 100 results due to paging.
https://learn.microsoft.com/en-us/graph/paging?tabs=http
There is a '@odata.nextLink' in the result of the initial call and the API call needs to keep on being repeated as long as nextlink is available to retrieve all users from the group.
Please update the template to overcome the paging problem that leads to incomplete VIP User List.
The text was updated successfully, but these errors were encountered: