Merge pull request #10492 from Accelerynt-Security/05-15-2024--AS-Revoke-Azure-AD-User-Session-From-Entity

Update azuredeploy.json
2024-05-24 14:21:00 +05:30 · 2024-05-24 14:21:00 +05:30 · a6594e2697
--- a/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity/README.md
+++ b/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity/README.md
@ -1,4 +1,4 @@
-# AS-Revoke-Azure-AD-User-Session-From-Entity
+# AS-Revoke-Entra-ID-User-Session-From-Entity

 Author: Accelerynt

@ -34,7 +34,7 @@ Click "**New registration**".

 ![RevokeUserSession_App_Registration_1](Images/RevokeUserSession_App_Registration_1.png)

-Enter "**AS-Revoke-Azure-AD-User-Session**" for the name, all else can be left as is. Click "**Register**"
+Enter "**AS-Revoke-Entra-ID-User-Session**" for the name, all else can be left as is. Click "**Register**"

 ![RevokeUserSession_App_Registration_2](Images/RevokeUserSession_App_Registration_2.png)

@ -79,7 +79,7 @@ Navigate to an existing key vault or create a new one. From the key vault overvi

 ![RevokeUserSession_Key_Vault_1](Images/RevokeUserSession_Key_Vault_1.png)

-Choose a name for the secret, such as "**AS-Revoke-Azure-AD-User-Session--App-Registration-Client-Secret**", and enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity#create-an-app-registration). All other settings can be left as is. Click "**Create**". 
+Choose a name for the secret, such as "**AS-Revoke-Entra-ID-User-Session--App-Registration-Client-Secret**", and enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity#create-an-app-registration). All other settings can be left as is. Click "**Create**". 

 ![RevokeUserSession_Key_Vault_2](Images/RevokeUserSession_Key_Vault_2.png)

@ -108,7 +108,7 @@ In the **Project Details** section:

 In the **Instance Details** section:

-* **Playbook Name**: This can be left as "**AS-Revoke-Azure-AD-User-Session-From-Entity**" or you may change it.
+* **Playbook Name**: This can be left as "**AS-Revoke-Entra-ID-User-Session-From-Entity**" or you may change it.

 * **Client ID**: Enter the Application (client) ID of your app registration referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity#create-an-app-registration).

@ -143,7 +143,7 @@ Select the "**Get**" checkbox under "**Secret permissions**", then click "**Next

 ![RevokeUserSession_Key_Vault_Access_2](Images/RevokeUserSession_Key_Vault_Access_2.png)

-Paste "**AS-Revoke-Azure-AD-User-Session-From-Entity**" into the principal search box and click the option that appears. If the app registration also appears, select the option that does **not** match the Application (client) ID of your app registration. Click "**Next**" towards the bottom of the page.
+Paste "**AS-Revoke-Entra-ID-User-Session-From-Entity**" into the principal search box and click the option that appears. If the app registration also appears, select the option that does **not** match the Application (client) ID of your app registration. Click "**Next**" towards the bottom of the page.

 ![RevokeUserSession_Key_Vault_Access_3](Images/RevokeUserSession_Key_Vault_Access_3.png)

--- a/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity/azuredeploy.json
+++ b/Playbooks/AS-Revoke-Azure-AD-User-Session-From-Entity/azuredeploy.json
@ -2,13 +2,13 @@
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
-        "title": "AS-Revoke-Azure-AD-User-Session-From-Entity", 
-        "description": "This playbook is intended to be run from a Microsoft Sentinel Entity. It will look up Azure AD users associated with the account entities and revoke their sessions.",
+        "title": "AS-Revoke-Entra-ID-User-Session-From-Entity", 
+        "description": "This playbook is intended to be run from a Microsoft Sentinel Entity. It will look up Entra ID users associated with the account entities and revoke their sessions.",
        "prerequisites": "1. An App Registration with User.ReadWrite.All permissions granted on Microsoft Graph API. 2. A client secret for the App Registration must be generated. 3. An Azure Key Vault Secret to hold the client secret. Support for the set up and configuration of each of these items can be found here: https://github.com/Accelerynt-Security/AS-Revoke-Azure-AD-User-Session-From-Entity",
        "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook"],
-        "lastUpdateTime": "2023-10-24T3:17:47Z",
+        "lastUpdateTime": "2024-05-22T23:40:50Z",
        "entities": ["Account"], 
-        "tags": ["Microsoft Sentinel", "Entity", "Azure AD", "Revoke User Sessions"], 
+        "tags": ["Microsoft Sentinel", "Entity", "Entra ID", "Revoke User Sessions"], 
        "support": {
            "tier": "partner"
        },
@ -18,7 +18,7 @@
    },
    "parameters": {
        "PlaybookName": {
-            "defaultValue": "AS-Revoke-Azure-AD-User-Session-From-Entity",
+            "defaultValue": "AS-Revoke-Entra-ID-User-Session-From-Entity",
            "type": "string",
            "metadata": {
                "description": "Name of the Logic App resource to be created"
@ -125,6 +125,46 @@
                        }
                    },
                    "actions": {
+                        "Condition": {
+                            "actions": {
+                                "Set_variable_-_Concatenate": {
+                                    "inputs": {
+                                        "name": "UPN",
+                                        "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@', triggerBody()?['Entity']?['properties']?['UPNSuffix'])}"
+                                    },
+                                    "runAfter": {},
+                                    "type": "SetVariable"
+                                }
+                            },
+                            "else": {
+                                "actions": {
+                                    "Set_variable_-_UID": {
+                                        "inputs": {
+                                            "name": "UPN",
+                                            "value": "@triggerBody()?['Entity']?['properties']?['AadUserId']"
+                                        },
+                                        "runAfter": {},
+                                        "type": "SetVariable"
+                                    }
+                                }
+                            },
+                            "expression": {
+                                "and": [
+                                    {
+                                        "equals": [
+                                            "@triggerBody()?['Entity']?['properties']?['AadUserId']",
+                                            "@null"
+                                        ]
+                                    }
+                                ]
+                            },
+                            "runAfter": {
+                                "Initialize_variable_-_UPN": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "If"
+                        },
                        "Get_Client_Secret": {
                            "runAfter": {},
                            "type": "ApiConnection",
@ -157,7 +197,7 @@
                        },
                        "HTTP_-_Revoke_user_sign_in_sessions": {
                            "runAfter": {
-                                "Parse_JSON_-_Access_token": [
+                                "Condition": [
                                    "Succeeded"
                                ]
                            },
@ -165,12 +205,29 @@
                            "inputs": {
                                "headers": {
                                    "Authorization": "Bearer @{body('Parse_JSON_-_Access_token')?['access_token']}",
+                                    "Content-Type": "application/json",
                                    "Host": "graph.microsoft.com"
                                },
                                "method": "POST",
-                                "uri": "https://graph.microsoft.com/v1.0/users/@{triggerBody()?['Entity']?['properties']?['AadUserId']}/revokeSignInSessions"
+                                "uri": "https://graph.microsoft.com/v1.0/users/@{variables('UPN')}/revokeSignInSessions"
                            }
                        },
+                        "Initialize_variable_-_UPN": {
+                            "inputs": {
+                                "variables": [
+                                    {
+                                        "name": "UPN",
+                                        "type": "string"
+                                    }
+                                ]
+                            },
+                            "runAfter": {
+                                "Parse_JSON_-_Access_token": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "InitializeVariable"
+                        },
                        "Parse_JSON_-_Access_token": {
                            "runAfter": {
                                "HTTP_-_Authenticate": [