{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "logicAppName": { "defaultValue": "UserEnrichment", "type": "string", "metadata": { "description": "The name of the logic app to create." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Location for all resources." } }, "servicePrincipal-tenantId": { "type": "string" }, "servicePrincipal-clientId": { "type": "string" }, "servicePrincipal-clientSecret": { "type": "securestring" }, "mcas-apiToken": { "type": "securestring" }, "mcas-tenantUrl": { "type": "string" } }, "variables": {}, "resources": [ { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[parameters('logicAppName')]", "location": "[parameters('location')]", "tags": { "Owner": "Automation" }, "properties": { "state": "Disabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "servicePrincipal-tenantId": { "type": "string", "defaultValue": "[parameters('servicePrincipal-tenantId')]" }, "servicePrincipal-clientSecret": { "type": "securestring", "defaultValue": "[parameters('servicePrincipal-clientSecret')]" }, "servicePrincipal-clientId": { "type": "string", "defaultValue": "[parameters('servicePrincipal-clientId')]" }, "mcas-apiToken": { "defaultValue": "[parameters('mcas-apiToken')]", "type": "securestring" }, "mcas-tenantUrl": { "defaultValue": "[parameters('mcas-tenantUrl')]", "type": "string" } }, "triggers": { "manual": { "type": "Request", "kind": "Http", "inputs": { "schema": { "properties": { "userPrincipalName": { "type": "string" } }, "type": "object" } } } }, "actions": { "Parse_trigger": { "runAfter": {}, "type": "ParseJson", "inputs": { "content": "@triggerBody()", "schema": { "properties": { "userPrincipalName": { "type": "string" } }, 
"type": "object" } } }, "Initialize_userMcasId": { "runAfter": { "Parse_trigger": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "userMcasId", "type": "string" } ] } }, "Initialize_devices": { "runAfter": { "Initialize_userMcasId": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "devices", "type": "array" } ] } }, "Initialize_locationsTotalActivities": { "runAfter": { "Initialize_devices": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "locationsTotalActivities", "type": "integer", "value": 0 } ] } }, "Initialize_locations": { "runAfter": { "Initialize_locationsTotalActivities": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "locations", "type": "array" } ] } }, "Initialize_inboxRules": { "runAfter": { "Initialize_locations": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "inboxRules", "type": "array" } ] } }, "Initialize_adminRoles": { "runAfter": { "Initialize_inboxRules": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "adminRoles", "type": "array" } ] } }, "Initialize_ssprActivities": { "runAfter": { "Initialize_adminRoles": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "ssprActivities", "type": "array" } ] } }, "Initialize_signins": { "inputs": { "variables": [ { "name": "signins", "type": "array" } ] }, "runAfter": { "Initialize_ssprActivities": [ "Succeeded" ] }, "type": "InitializeVariable" }, "User": { "actions": { "Get_user_details": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": 
"https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}" } }, "Switch": { "runAfter": { "Get_user_details": [ "Failed", "Succeeded" ] }, "cases": { "Case_200_OK": { "case": 200, "actions": { "Parse_user_details": { "runAfter": {}, "type": "ParseJson", "inputs": { "content": "@body('Get_user_details')", "schema": { "properties": { "@@odata.context": {}, "accountEnabled": { "type": "boolean" }, "ageGroup": {}, "businessPhones": { "items": {}, "type": "array" }, "city": {}, "companyName": {}, "consentProvidedForMinor": {}, "country": {}, "createdDateTime": {}, "creationType": {}, "deletedDateTime": {}, "department": {}, "deviceKeys": { "type": "array" }, "displayName": {}, "employeeId": {}, "externalUserState": {}, "externalUserStateChangeDateTime": {}, "faxNumber": {}, "givenName": {}, "id": {}, "identities": { "items": { "properties": { "issuer": {}, "issuerAssignedId": {}, "signInType": {} }, "required": [], "type": "object" }, "type": "array" }, "imAddresses": { "items": {}, "type": "array" }, "isResourceAccount": {}, "jobTitle": {}, "legalAgeGroupClassification": {}, "mail": {}, "mailNickname": {}, "mobilePhone": {}, "officeLocation": {}, "onPremisesDistinguishedName": {}, "onPremisesDomainName": {}, "onPremisesImmutableId": {}, "onPremisesLastSyncDateTime": {}, "onPremisesSamAccountName": {}, "onPremisesSecurityIdentifier": {}, "onPremisesSyncEnabled": {}, "onPremisesUserPrincipalName": {}, "otherMails": { "items": {}, "type": "array" }, "passwordPolicies": {}, "passwordProfile": {}, "postalCode": {}, "preferredDataLocation": {}, "preferredLanguage": {}, "proxyAddresses": { "items": {}, "type": "array" }, "refreshTokensValidFromDateTime": {}, "showInAddressList": {}, "signInSessionsValidFromDateTime": {}, "state": {}, "streetAddress": {}, "surname": {}, "usageLocation": {}, "userPrincipalName": {}, "userType": {} }, "type": "object" } } }, "Get_user_manager": { "runAfter": { "Parse_user_details": [ "Succeeded" ] }, "type": "Http", 
"inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/manager" } }, "Get_user_MFA-SSPR_status": { "runAfter": { "Get_user_manager": [ "Succeeded", "Failed" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}'" } }, "Parse_MFA-SSPR": { "runAfter": { "Get_user_MFA-SSPR_status": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_MFA-SSPR_status')", "schema": { "properties": { "@@odata.context": { "type": "string" }, "value": { "items": { "properties": { "authMethods": { "items": { "type": "string" }, "type": "array" }, "id": { "type": "string" }, "isCapable": { "type": "boolean" }, "isEnabled": { "type": "boolean" }, "isMfaRegistered": { "type": "boolean" }, "isRegistered": { "type": "boolean" }, "userDisplayName": { "type": "string" }, "userPrincipalName": { "type": "string" } }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } }, "Get_user_AAD_risk_status": { "runAfter": { "Parse_MFA-SSPR": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": 
"[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/riskyUsers/@{body('Parse_user_details')?['id']}/" } }, "Compose_riskStatus": { "inputs": "@outputs('Get_user_AAD_risk_status')['statusCode']", "runAfter": { "Get_user_AAD_risk_status": [ "Succeeded", "Failed" ] }, "type": "Compose" } } } }, "default": { "actions": { "Response_user_unknown": { "runAfter": {}, "type": "Response", "kind": "Http", "inputs": { "body": "@body('Get_user_details')", "statusCode": "@outputs('Get_user_details')['statusCode']" } }, "Terminate": { "runAfter": { "Response_user_unknown": [ "Succeeded" ] }, "type": "Terminate", "inputs": { "runStatus": "Succeeded" } } } }, "expression": "@outputs('Get_user_details')['statusCode']", "type": "Switch" } }, "runAfter": { "Initialize_signins": [ "Succeeded" ] }, "type": "Scope" }, "User_signins": { "actions": { "Compose_filter": { "description": "Get sign-ins from the last 7 days", "inputs": "(userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}' and (createdDateTime ge @{addDays(startOfDay(utcNow()) , -7)}))", "runAfter": {}, "type": "Compose" }, "Get_user_signins": { "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "headers": { "Content-Type": "application/json" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/auditLogs/signIns?$filter=@{outputs('Compose_filter')}" }, "runAfter": { "Compose_filter": [ "Succeeded" ] }, "type": "Http" }, "For_each_signin": { "actions": { "Get_applied_CA_policies": { "inputs": { "from": "@items('For_each_signin')?['appliedConditionalAccessPolicies']", "where": "@equals(item()?['result'], 'success')" }, "runAfter": {}, "type": "Query" }, "Compose_Signins": { "inputs": { 
"authenticationMethodsUsed": "@items('For_each_signin')?['authenticationMethodsUsed']", "authenticationRequirement": "@items('For_each_signin')?['authenticationRequirement']", "authenticationDetails": "@items('For_each_signin')?['authenticationDetails']", "appDisplayName": "@items('For_each_signin')?['appDisplayName']", "appId": "@items('For_each_signin')?['appId']", "appliedConditionalAccessPolicies": "@body('Get_applied_CA_policies')", "ipAddress": "@items('For_each_signin')?['ipAddress']", "clientAppUsed": "@items('For_each_signin')?['clientAppUsed']", "conditionalAccessStatus": "@items('For_each_signin')?['conditionalAccessStatus']", "deviceId": "@items('For_each_signin')?['deviceDetail']?['deviceId']", "deviceName": "@items('For_each_signin')?['deviceDetail']?['displayName']", "deviceIsCompliant": "@items('For_each_signin')?['deviceDetail']?['isCompliant']", "deviceIsManaged": "@items('For_each_signin')?['deviceDetail']?['isManaged']", "deviceTrustType": "@items('For_each_signin')?['deviceDetail']?['trustType']", "isInteractive": "@items('For_each_signin')?['isInteractive']", "location": "@concat(items('For_each_signin')?['location']?['countryOrRegion'], ', ', items('For_each_signin')?['location']?['state'], ', ', items('For_each_signin')?['location']?['city'])", "mfaDetail": "@items('For_each_signin')?['mfaDetail']", "riskDetail": "@items('For_each_signin')?['riskDetail']", "riskLevelAggregated": "@items('For_each_signin')?['riskLevelAggregated']", "riskLevelDuringSignIn": "@items('For_each_signin')?['riskLevelDuringSignIn']", "riskState": "@items('For_each_signin')?['riskState']", "riskEventTypes": "@items('For_each_signin')?['riskEventTypes']", "riskEventTypes_v2": "@items('For_each_signin')?['riskEventTypes_v2']", "resourceDisplayName": "@items('For_each_signin')?['resourceDisplayName']", "resourceId": "@items('For_each_signin')?['resourceId']", "statusAdditionalDetails": "@items('For_each_signin')?['status']?['additionalDetails']", "statusCode": 
"@items('For_each_signin')?['status']?['errorCode']", "statusFailureReason": "@items('For_each_signin')?['status']?['failureReason']", "userAgent": "@items('For_each_signin')?['userAgent']" }, "runAfter": { "Get_applied_CA_policies": [ "Succeeded" ] }, "type": "Compose" }, "Append_to_signins": { "inputs": { "name": "signins", "value": "@outputs('Compose_Signins')" }, "runAfter": { "Compose_Signins": [ "Succeeded" ] }, "type": "AppendToArrayVariable" } }, "foreach": "@body('Get_user_signins')?['value']", "runAfter": { "Get_user_signins": [ "Succeeded" ] }, "type": "Foreach" }, "Dedup_signins": { "inputs": "@union(variables('signins'), variables('signins'))", "runAfter": { "For_each_signin": [ "Succeeded" ] }, "type": "Compose" }, "Set_signins": { "inputs": { "name": "signins", "value": "@outputs('Dedup_signins')" }, "runAfter": { "Dedup_signins": [ "Succeeded" ] }, "type": "SetVariable" } }, "runAfter": { "User": [ "Succeeded" ] }, "type": "Scope" }, "Devices": { "actions": { "Get_user_owned_devices": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/ownedDevices " } }, "Parse_user_owned_devices": { "runAfter": { "Get_user_owned_devices": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_owned_devices')", "schema": { "properties": { "@@odata.context": {}, "value": { "items": { "properties": { "@@odata.type": {}, "Manufacturer": {}, "Model": {}, "accountEnabled": { "type": "boolean" }, "alternativeSecurityIds": { "items": { "properties": { "identityProvider": {}, "key": {}, "type": {} }, "required": [], "type": "object" }, "type": "array" }, 
"approximateLastSignInDateTime": {}, "complianceExpirationDateTime": {}, "deletedDateTime": {}, "deviceId": {}, "deviceMetadata": {}, "deviceVersion": {}, "displayName": {}, "id": {}, "isCompliant": {}, "isManaged": {}, "mdmAppId": {}, "onPremisesLastSyncDateTime": {}, "onPremisesSyncEnabled": {}, "operatingSystem": {}, "operatingSystemVersion": {}, "physicalIds": { "items": {}, "type": "array" }, "profileType": {}, "systemLabels": { "type": "array" }, "trustType": {} }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } }, "For_each_device": { "foreach": "@body('Parse_user_owned_devices')?['value']", "actions": { "Append_to_devices": { "runAfter": { "Compose_device": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "devices", "value": "@outputs('Compose_device')" } }, "Compose_device": { "runAfter": {}, "type": "Compose", "inputs": { "Manufacturer": "@items('For_each_device')?['Manufacturer']", "Model": "@items('For_each_device')?['Model']", "accountEnabled": "@items('For_each_device')?['accountEnabled']", "approximateLastSignInDateTime": "@items('For_each_device')?['approximateLastSignInDateTime']", "complianceExpirationDateTime": "@items('For_each_device')?['complianceExpirationDateTime']", "deviceId": "@items('For_each_device')?['deviceId']", "displayName": "@items('For_each_device')?['displayName']", "id": "@items('For_each_device')?['id']", "isCompliant": "@items('For_each_device')?['isCompliant']", "isManaged": "@items('For_each_device')?['isManaged']", "onPremisesLastSyncDateTime": "@items('For_each_device')?['onPremisesLastSyncDateTime']", "onPremisesSyncEnabled": "@items('For_each_device')?['onPremisesSyncEnabled']", "operatingSystem": "@items('For_each_device')?['operatingSystem']", "operatingSystemVersion": "@items('For_each_device')?['operatingSystemVersion']", "profileType": "@items('For_each_device')?['profileType']", "trustType": "@items('For_each_device')?['trustType']" } } }, "runAfter": { 
"Parse_user_owned_devices": [ "Succeeded" ] }, "type": "Foreach" }, "Compose_samAccountName": { "inputs": "@if(empty(body('Get_user_details')?['onPremisesSamAccountName']), split(body('Get_user_details')?['userPrincipalName'], '@')?[0], body('Get_user_details')?['onPremisesSamAccountName'])", "runAfter": { "For_each_device": [ "Succeeded" ] }, "type": "Compose" }, "Advanced_Hunting": { "runAfter": { "Compose_samAccountName": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://api.securitycenter.windows.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "body": { "Query": "let timeToSearch = ago(14d); DeviceInfo | where (LoggedOnUsers contains \"@{outputs('Compose_samAccountName')}\") or (LoggedOnUsers contains \"@{body('Get_user_details')?['userPrincipalName']}\") and Timestamp > timeToSearch | distinct DeviceName, DeviceId, PublicIP | summarize IPAddressHistory = make_list(PublicIP) by DeviceName, DeviceId" }, "method": "POST", "uri": "https://api.securitycenter.windows.com/api/advancedqueries/run" } } }, "runAfter": { "User": [ "Succeeded" ] }, "type": "Scope" }, "Group_membership": { "actions": { "Check_group_membership": { "runAfter": { "Groups": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "body": "@outputs('Groups')", "headers": { "Content-Type": "application/json" }, "method": "POST", "uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/checkMemberGroups" } }, "Foreach_role": { "foreach": "@body('Parse_admin_roles')?['value']", "actions": { 
"Append_to_adminRoles": { "runAfter": { "Compose_adminRole": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "adminRoles", "value": "@outputs('Compose_adminRole')" } }, "Compose_adminRole": { "runAfter": { "Parse_role_details": [ "Succeeded" ] }, "type": "Compose", "inputs": { "description": "@body('Parse_role_details')?['description']", "displayName": "@body('Parse_role_details')?['displayName']", "id": "@body('Parse_role_details')?['id']", "isBuiltIn": "@body('Parse_role_details')?['isBuiltIn']", "isEnabled": "@body('Parse_role_details')?['isEnabled']", "resourceScopes": "@body('Parse_role_details')?['resourceScopes']" } }, "Get_role_details": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/@{items('Foreach_role')?['roleDefinitionId']}" } }, "Parse_role_details": { "runAfter": { "Get_role_details": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_role_details')", "schema": { "properties": { "@@odata.context": {}, "description": {}, "displayName": {}, "id": {}, "isBuiltIn": {}, "isEnabled": {}, "resourceScopes": { "items": {}, "type": "array" }, "version": {} }, "type": "object" } } } }, "runAfter": { "Parse_admin_roles": [ "Succeeded" ] }, "type": "Foreach" }, "Get_user_admin_roles": { "runAfter": { "Parse_Groups": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "headers": { "Content-Type": 
"application/json" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=principalId eq '@{body('Parse_user_details')?['id']}'" } }, "Groups": { "runAfter": {}, "type": "Compose", "inputs": { "groupIds": [ "05795c57-70c0-4363-b55a-6ca803ecbcaa", "ac9b3596-f4bd-407e-acd3-a773bad6a156" ] } }, "Parse_Groups": { "runAfter": { "Check_group_membership": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Check_group_membership')", "schema": { "properties": { "@@odata.context": { "type": "string" }, "value": { "items": {}, "type": "array" } }, "type": "object" } } }, "Parse_admin_roles": { "runAfter": { "Get_user_admin_roles": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_admin_roles')", "schema": { "properties": { "@@odata.context": {}, "value": { "items": { "properties": { "id": {}, "principalId": {}, "resourceScope": {}, "roleDefinitionId": {} }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } } }, "runAfter": { "User": [ "Succeeded" ] }, "type": "Scope" }, "Mailbox": { "actions": { "Compose_mailboxOofEnabled": { "runAfter": { "Parse_user_OOF": [ "Succeeded" ] }, "type": "Compose", "inputs": "@not(empty(body('Get_user_OOF')?['value']?[0]?['automaticReplies']))" }, "For_each_inbox_rule": { "foreach": "@body('Parse_inbox_rules')?['value']", "actions": { "If_move_to_folder": { "actions": { "Append_to_inboxRules": { "runAfter": { "Compose_inboxRuleUpdated": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "inboxRules", "value": "@outputs('Compose_inboxRuleUpdated')" } }, "Compose_actions": { "runAfter": { "Parse_inbox_folder": [ "Succeeded" ] }, "type": "Compose", "inputs": "@items('For_each_inbox_rule')?['actions']" }, "Compose_actionsUpdated": { "runAfter": { "Compose_actions": [ "Succeeded" ] }, "type": "Compose", "inputs": "@setProperty(outputs('Compose_actions'), 'moveToFolder', 
body('Get_inbox_folder')?['displayName'])" }, "Compose_inboxRuleUpdated": { "runAfter": { "Compose_actionsUpdated": [ "Succeeded" ] }, "type": "Compose", "inputs": "@setProperty(items('For_each_inbox_rule'), 'actions', outputs('Compose_actionsUpdated'))" }, "Get_inbox_folder": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/mailFolders/@{items('For_each_inbox_rule')?['actions']?['moveToFolder']}" } }, "Parse_inbox_folder": { "runAfter": { "Get_inbox_folder": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_inbox_folder')", "schema": { "properties": { "@@odata.context": { "type": "string" }, "childFolderCount": { "type": "integer" }, "displayName": { "type": "string" }, "id": { "type": "string" }, "parentFolderId": { "type": "string" }, "totalItemCount": { "type": "integer" }, "unreadItemCount": { "type": "integer" }, "wellKnownName": {} }, "type": "object" } } } }, "runAfter": {}, "else": { "actions": { "Append_to_inboxRules_false": { "runAfter": {}, "type": "AppendToArrayVariable", "inputs": { "name": "inboxRules", "value": "@items('For_each_inbox_rule')" } } } }, "expression": { "and": [ { "equals": [ "@contains(items('For_each_inbox_rule')?['actions'], 'moveToFolder')", true ] } ] }, "type": "If" } }, "runAfter": { "Parse_inbox_rules": [ "Succeeded" ] }, "type": "Foreach", "description": "Change inbox rules \"moveToFolder\" folder id to folder \"displayName\"" }, "Get_user_OOF": { "runAfter": { "For_each_inbox_rule": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": 
"[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "body": { "EmailAddresses": [ "@{body('Parse_user_details')?['mail']}" ], "MailTipsOptions": "automaticReplies" }, "method": "POST", "uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/getMailTips" } }, "Get_user_inbox_rules": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/mailFolders/inbox/messageRules" } }, "Parse_inbox_rules": { "runAfter": { "Get_user_inbox_rules": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_inbox_rules')", "schema": { "properties": { "@@odata.context": {}, "value": { "items": { "properties": { "actions": { "properties": { "forwardTo": { "items": { "properties": { "emailAddress": { "properties": { "address": {}, "name": {} }, "type": "object" } }, "required": [], "type": "object" }, "type": "array" }, "moveToFolder": {}, "stopProcessingRules": {} }, "type": "object" }, "conditions": { "properties": { "bodyOrSubjectContains": { "items": {}, "type": "array" } }, "type": "object" }, "displayName": {}, "hasError": {}, "id": {}, "isEnabled": {}, "isReadOnly": {}, "sequence": {} }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } }, "Parse_user_OOF": { "runAfter": { "Get_user_OOF": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_OOF')", "schema": { "properties": { "@@odata.context": {}, "value": { "items": { "properties": { "automaticReplies": { 
"properties": { "message": {}, "messageLanguage": { "properties": { "displayName": {}, "locale": {} }, "type": "object" } }, "type": "object" }, "emailAddress": { "properties": { "address": {}, "name": {} }, "type": "object" } }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } } }, "runAfter": { "User": [ "Succeeded" ] }, "type": "Scope" }, "User_changes": { "actions": { "Foreach_SSPR_activity": { "foreach": "@body('Parse_SSPR')?['value']", "actions": { "Append_to_ssprActivities": { "runAfter": { "Compose_ssprActivity": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "ssprActivities", "value": "@outputs('Compose_ssprActivity')" } }, "Compose_ssprActivity": { "runAfter": {}, "type": "Compose", "inputs": { "authMethod": "@items('Foreach_SSPR_activity')?['authMethod']", "eventDateTime": "@items('Foreach_SSPR_activity')?['eventDateTime']", "failureReason": "@items('Foreach_SSPR_activity')?['failureReason']", "feature": "@items('Foreach_SSPR_activity')?['feature']", "id": "@items('Foreach_SSPR_activity')?['id']", "isSuccess": "@items('Foreach_SSPR_activity')?['isSuccess']" } } }, "runAfter": { "Parse_SSPR": [ "Succeeded" ] }, "type": "Foreach" }, "Get_user_password_reset_activities": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "audience": "https://graph.microsoft.com/", "clientId": "[parameters('servicePrincipal-clientId')]", "secret": "[parameters('servicePrincipal-clientSecret')]", "tenant": "[parameters('servicePrincipal-tenantId')]", "type": "ActiveDirectoryOAuth" }, "method": "GET", "uri": "https://graph.microsoft.com/beta/reports/userCredentialUsageDetails?$filter=userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}'" } }, "Parse_SSPR": { "runAfter": { "Get_user_password_reset_activities": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get_user_password_reset_activities')", "schema": { "properties": { "@@odata.context": {}, "value": { "items": { 
"properties": { "authMethod": {}, "eventDateTime": {}, "failureReason": {}, "feature": {}, "id": {}, "isSuccess": { "type": "boolean" }, "userDisplayName": {}, "userPrincipalName": {} }, "required": [], "type": "object" }, "type": "array" } }, "type": "object" } } } }, "runAfter": { "Group_membership": [ "Succeeded" ] }, "type": "Scope" }, "Mcas_Profile": { "actions": { "Compose_userMcasId": { "description": "Calculate the MCAS user ID from the AAD object ID", "inputs": "@concat('{\"id\":\"',body('Get_user_details')?['id'],'\",\"saas\":11161,\"inst\":0}')", "type": "Compose", "runAfter": {} }, "Set_userMcasId": { "description": "Convert the value to base64; this value will be used in API calls", "inputs": { "name": "userMcasId", "value": "@{base64(outputs('Compose_userMcasId'))}" }, "type": "SetVariable", "runAfter": { "Compose_userMcasId": [ "Succeeded" ] } }, "Get_user_locations_habits": { "description": "Collect the user's location habits from MCAS", "runAfter": { "Set_userMcasId": [ "Succeeded" ] }, "type": "Http", "inputs": { "headers": { "Authorization": "[concat('token ',parameters('mcas-apiToken'))]", "Content-Type": "application/json" }, "method": "GET", "uri": "@{parameters('mcas-tenantUrl')}/cas/api/v1/activities_locations/by_user/?username=@{variables('userMcasId')}/" } }, "Get_total_activities": { "actions": { "Increment_locationsTotalActivities": { "inputs": { "name": "locationsTotalActivities", "value": "@items('Get_total_activities')[1]" }, "runAfter": {}, "type": "IncrementVariable" } }, "foreach": "@body('Get_user_locations_habits')?['data']", "runAfter": { "Get_user_locations_habits": [ "Succeeded" ] }, "type": "Foreach" }, "For_each_location": { "actions": { "Compose_location_percentage": { "inputs": "@div(mul(items('For_each_location')[1], 100), variables('locationsTotalActivities'))", "runAfter": {}, "type": "Compose" }, "Compose_location": { "inputs": { "activities": "@{items('For_each_location')?[1]}", "country": "@{items('For_each_location')?[0]}", 
"lastActivity": "@{items('For_each_location')?[2]}", "percentageTotalActivities": "@{outputs('Compose_location_percentage')}" }, "runAfter": { "Compose_location_percentage": [ "Succeeded" ] }, "type": "Compose" }, "Append_to_locations": { "inputs": { "name": "locations", "value": "@outputs('Compose_location')" }, "runAfter": { "Compose_location": [ "Succeeded" ] }, "type": "AppendToArrayVariable" } }, "foreach": "@body('Get_user_locations_habits')?['data']", "runAfter": { "Get_total_activities": [ "Succeeded" ] }, "type": "Foreach" }, "Get_mcas_user_profile": { "description": "Collect the user's profile from MCAS", "runAfter": { "For_each_location": [ "Succeeded" ] }, "type": "Http", "inputs": { "headers": { "Authorization": "[concat('token ',parameters('mcas-apiToken'))]", "Content-Type": "application/json" }, "method": "GET", "uri": "@{parameters('mcas-tenantUrl')}/cas/api/v1/entities/@{variables('userMcasId')}/" } }, "Select_threatScore_properties": { "inputs": { "from": "@body('Get_mcas_user_profile')?['threatScoreHistory']", "select": { "date": "@item()?['dateFormatted']", "percentile": "@item()?['percentile']", "score": "@item()?['score']" } }, "runAfter": { "Get_mcas_user_profile": [ "Succeeded" ] }, "type": "Select" } }, "runAfter": { "User": [ "Succeeded" ] }, "type": "Scope" }, "Compose_JSON": { "actions": { "Compose_user_json": { "runAfter": {}, "type": "Compose", "inputs": { "accountEnabled": "@body('Get_user_details')?['accountEnabled']", "adminRoles": "@variables('adminRoles')", "authMethodsMfa": "@body('Get_user_MFA-SSPR_status')?['value']?[0]?['authMethods']", "businessPhones": "@body('Get_user_details')?['businessPhones']?[0]", "city": "@body('Get_user_details')?['city']", "companyName": "@body('Get_user_details')?['companyName']", "country": "@body('Get_user_details')?['country']", "createdDateTime": "@body('Get_user_details')?['createdDateTime']", "department": "@body('Get_user_details')?['department']", "devices": { "aadDevices": 
"@variables('devices')", "mdatpDevices": "@body('Advanced_Hunting')?['Results']" }, "displayName": "@body('Get_user_details')?['displayName']", "employeeId": "@body('Get_user_details')?['employeeId']", "givenName": "@body('Get_user_details')?['givenName']", "id": "@body('Get_user_details')?['id']", "isMfaRegistered": "@body('Get_user_MFA-SSPR_status')?['value']?[0]?['isMfaRegistered']", "isSsprRegistered": "@body('Get_user_MFA-SSPR_status')?['value']?[0]?['isRegistered']", "jobTitle": "@body('Get_user_details')?['jobTitle']", "locationsUsage": "@variables('locations')", "mail": "@body('Get_user_details')?['mail']", "mailboxInboxRules": "@variables('inboxRules')", "mailboxOofEnabled": "@outputs('Compose_mailboxOofEnabled')", "mailboxOofMessage": "@body('Get_user_OOF')?['value']?[0]?['automaticReplies']?['message']", "manager": { "displayName": "@body('Get_user_manager')?['displayName']", "id": "@body('Get_user_manager')?['id']", "jobTitle": "@body('Get_user_manager')?['jobTitle']", "mail": "@body('Get_user_manager')?['mail']", "mobilePhone": "@body('Get_user_manager')?['mobilePhone']", "userPrincipalName": "@body('Get_user_manager')?['userPrincipalName']" }, "mobilePhone": "@body('Get_user_details')?['mobilePhone']", "officeLocation": "@body('Get_user_details')?['officeLocation']", "onPremisesDistinguishedName": "@body('Get_user_details')?['onPremisesDistinguishedName']", "onPremisesDomainName": "@body('Get_user_details')?['onPremisesDomainName']", "onPremisesLastSyncDateTime": "@body('Get_user_details')?['onPremisesLastSyncDateTime']", "onPremisesSamAccountName": "@body('Get_user_details')?['onPremisesSamAccountName']", "onPremisesSecurityIdentifier": "@body('Get_user_details')?['onPremisesSecurityIdentifier']", "onPremisesSyncEnabled": "@body('Get_user_details')?['onPremisesSyncEnabled']", "postalCode": "@body('Get_user_details')?['postalCode']", "preferredLanguage": "@body('Get_user_details')?['preferredLanguage']", "refreshTokensValidFromDateTime": 
"@body('Get_user_details')?['refreshTokensValidFromDateTime']", "riskLevel": "@body('Get_user_AAD_risk_status')?['riskLevel']", "riskState": "@body('Get_user_AAD_risk_status')?['riskState']", "riskDetail": "@body('Get_user_AAD_risk_status')?['riskDetail']", "riskLastUpdatedDateTime": "@body('Get_user_AAD_risk_status')?['riskLastUpdatedDateTime']", "signinsLast7days": "@variables('signins')", "ssprActivities": "@variables('ssprActivities')", "state": "@body('Get_user_details')?['state']", "streetAddress": "@body('Get_user_details')?['streetAddress']", "surname": "@body('Get_user_details')?['surname']", "threatScore": "@body('Get_mcas_user_profile')?['threatScore']", "threatScoreHistory": "@outputs('Select_threatScore_properties')", "userPrincipalName": "@body('Get_user_details')?['userPrincipalName']" } } }, "runAfter": { "Devices": [ "Succeeded", "Failed" ], "Mailbox": [ "Succeeded", "Failed" ], "User_changes": [ "Succeeded" ], "Mcas_profile": [ "Succeeded", "Failed" ], "User_signins": [ "Succeeded", "Failed" ] }, "type": "Scope" }, "Response": { "runAfter": { "Compose_JSON": [ "Succeeded" ] }, "type": "Response", "kind": "Http", "inputs": { "body": "@outputs('Compose_user_json')", "statusCode": 200 } } }, "outputs": {} }, "parameters": { } } } ], "outputs": { "logicAppUrl": { "type": "string", "value": "[listCallbackURL(concat(resourceId('Microsoft.Logic/workflows/', parameters('logicAppName')), '/triggers/manual'), '2016-06-01').value]" } } }