Update-VIPUsers-Watchlist-from-AzureAD-Group cannot retrieve the full user list #11394

Open
pixel559 opened this issue Nov 7, 2024 · 1 comment
pixel559 commented Nov 7, 2024

This refers to the playbook that can be found below:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group
https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad-group-using-playbook/3100184

This playbook is not working correctly for the Entra ID group with more than 100 users.
The VIP users list is not being updated correctly. The VIP group has over 300 members and on the logic app step for 'HTTP - Get VIP Azure AD Group Members' only 100 users are returned.

It looks like the API is returning only 100 results due to paging.
https://learn.microsoft.com/en-us/graph/paging?tabs=http
There is a '@odata.nextLink' in the result of the initial call and the API call needs to keep on being repeated as long as nextlink is available to retrieve all users from the group.

Please update the template to overcome the paging problem that leads to an incomplete VIP User List.
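The paging behaviour reported above, as an added example that is not part of the issue or of the playbook: a Python sketch that follows `@odata.nextLink` until it is absent, only replays the request against the Graph host, and fails loudly instead of returning a truncated list. `fetch_json`, `make_fake_graph`, the group id placeholder and the numeric skiptoken are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"

def get_all_members(fetch_json, first_url, max_pages=50):
    # fetch_json(url) -> dict is a caller-supplied (hypothetical) function that
    # performs the authenticated GET and returns the parsed JSON body.
    members, seen_urls, url = [], set(), first_url
    for _ in range(max_pages):
        parts = urlsplit(url)
        # The bearer token is sent with every page: refuse other hosts/schemes.
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError(f"refusing to follow link to {url!r}")
        if url in seen_urls:
            raise RuntimeError("paging loop: nextLink repeated")
        seen_urls.add(url)
        page = fetch_json(url)
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # use the returned URL as-is
        if not url:
            return members
    # Never hand back a partial list: a short watchlist silently drops VIPs.
    raise RuntimeError(f"gave up after {max_pages} pages; list is incomplete")

def make_fake_graph(total, page_size=100):
    # Constructed stand-in for the group members endpoint (runs offline).
    # Real skiptokens are opaque; a numeric offset is used here for clarity.
    base = f"https://{GRAPH_HOST}/v1.0/groups/GROUP-ID-PLACEHOLDER/members"
    users = [{"userPrincipalName": f"vip{i}@example.com"} for i in range(total)]

    def fetch_json(url):
        start = int(url.split("$skiptoken=")[1]) if "$skiptoken=" in url else 0
        body = {"value": users[start:start + page_size]}
        if start + page_size < total:
            body["@odata.nextLink"] = f"{base}?$skiptoken={start + page_size}"
        return body

    return base, fetch_json

def demo():
    base, fetch_json = make_fake_graph(300)
    first_page_only = fetch_json(base)["value"]  # single call, as in the report
    everything = get_all_members(fetch_json, base)
    return len(first_page_only), len(everything)

if __name__ == "__main__":
    print(demo())
```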

@v-rusraut v-rusraut added the Playbook Playbook specialty review needed label Nov 8, 2024
v-rusraut (Contributor) commented

Hi @pixel559, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!
