
Update-VIPUsers-Watchlist-from-AzureAD-Group cannot retrieve the full user list #11394

Closed
pixel559 opened this issue Nov 7, 2024 · 13 comments
Labels
feature request Playbook Playbook specialty review needed

Comments

pixel559 commented Nov 7, 2024

This refers to the playbook that can be found below:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group
https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad-group-using-playbook/3100184

This playbook is not working correctly for the Entra ID group with more than 100 users.
The VIP users list is not being updated correctly. The VIP group has over 300 members, and on the logic app step 'HTTP - Get VIP Azure AD Group Members' only 100 users are returned.

It looks like the API is returning only 100 results due to paging.
https://learn.microsoft.com/en-us/graph/paging?tabs=http
There is an '@odata.nextLink' in the result of the initial call, and the API call needs to keep being repeated as long as nextLink is available to retrieve all users from the group.

Please update the template to overcome the paging problem that leads to an incomplete VIP user list.

@v-rusraut v-rusraut added the Playbook Playbook specialty review needed label Nov 8, 2024
@v-rusraut (Contributor):
Hi @pixel559 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

@v-shukore (Contributor):
Hi @pixel559, we are working on this issue and will update on this soon. Thanks!!

@v-shukore (Contributor):
Hi @pixel559, could you please provide more information regarding this issue? Clarifying more details will help us to resolve it more effectively. Thanks!!

@v-shukore (Contributor):
Hi @pixel559, we are waiting for your valuable feedback. Please provide an update on the same. Thanks!!

@pixel559 (Author):
Hi @v-shukore , could you please elaborate as to which details you need?
The playbook does not retrieve all the group members if there are more than 100 users. This is how the API works, and there is a link to the documentation in the original description.

```json
"HTTP_-_Get_VIP_Azure_AD_Group_Members": {
    "runAfter": {
        "HTTP_-_Get_Group_details": [
            "Succeeded"
        ]
    },
    "type": "Http",
    "inputs": {
        "authentication": {
            "audience": "https://graph.microsoft.com/",
            "type": "ManagedServiceIdentity"
        },
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/groups/@{variables('VIP Group ID')}/members"
    }
}
```
This step would only retrieve 100 results due to paging; therefore the watchlist would not be complete (if there are more than 100 members in the group).
In order to get the complete results, the step needs to keep repeating as long as the response returns '@odata.nextLink' with the link for the next batch of users that are members of the group.

This and later steps need to be updated for the logic app to work correctly.

Please note, this request has been open for over 2 months now, and only at this point is additional information being requested.
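The paging loop described in the original description and in the comment above, written out as an added example (this is not code from the Azure-Sentinel playbook or from anyone in this thread). It follows '@odata.nextLink' until the Graph response no longer carries one, so the result size does not depend on the group's member count. `FakeGraph` is a constructed offline stand-in that pages a directory the way the real `/groups/{id}/members` endpoint does (100 per page by default, `$top` honoured up to 999, continuation via a skip token); the watchlist column names in `watchlist_rows` are an assumption, since the playbook's schema is not shown here.

```python
"""Collect every member of an Entra ID group by following @odata.nextLink.

Added example; not part of the Update-VIPUsers-Watchlist playbook.
"""
from typing import Any, Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH = "https://graph.microsoft.com/v1.0"
PAGE_SIZE_DEFAULT = 100   # Graph's default page size for /members
PAGE_SIZE_MAX = 999       # largest $top the endpoint accepts


def list_group_members(fetch_json: Callable[[str], Dict[str, Any]],
                       group_id: str,
                       top: Optional[int] = None,
                       max_pages: int = 10_000) -> List[Dict[str, Any]]:
    """Return all member objects of `group_id`, however many pages it takes.

    `fetch_json` performs an authenticated GET and returns the parsed body.
    `top` is only a page-size hint: the loop must run until no nextLink is
    returned regardless of its value. `max_pages` is a safety stop so a
    misbehaving endpoint cannot loop forever.
    """
    url = f"{GRAPH}/groups/{group_id}/members"
    if top is not None:
        url += "?" + urlencode({"$top": min(top, PAGE_SIZE_MAX)})
    members: List[Dict[str, Any]] = []
    pages = 0
    while url:                      # an absent nextLink ends the loop
        pages += 1
        if pages > max_pages:
            raise RuntimeError("Graph paging did not terminate")
        page = fetch_json(url)
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # None on the last page
    return members


def watchlist_rows(members: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Keep only user objects (nested groups are also 'members') and map them
    to watchlist rows. Column names are an assumption for this example."""
    rows = []
    for m in members:
        if m.get("@odata.type") != "#microsoft.graph.user":
            continue
        rows.append({"UserPrincipalName": m["userPrincipalName"],
                     "DisplayName": m.get("displayName", "")})
    return rows


class FakeGraph:
    """Constructed offline stand-in for the Graph members endpoint.

    Serves `users` user objects plus one nested group, paged like the real
    API: default 100 per page, $top capped at 999, continuation via a
    @odata.nextLink carrying a $skiptoken. Counts calls so the paging
    behaviour can be observed.
    """

    def __init__(self, users: int):
        self.objects: List[Dict[str, Any]] = [
            {"@odata.type": "#microsoft.graph.user", "id": f"u{i}",
             "displayName": f"User {i}",
             "userPrincipalName": f"user{i}@example.test"}
            for i in range(users)
        ]
        self.objects.append({"@odata.type": "#microsoft.graph.group",
                             "id": "g-nested", "displayName": "Nested group"})
        self.calls = 0

    def __call__(self, url: str) -> Dict[str, Any]:
        self.calls += 1
        q = parse_qs(urlparse(url).query)
        top = min(int(q.get("$top", [PAGE_SIZE_DEFAULT])[0]), PAGE_SIZE_MAX)
        skip = int(q.get("$skiptoken", ["0"])[0])
        page: Dict[str, Any] = {"value": self.objects[skip:skip + top]}
        if skip + top < len(self.objects):
            page["@odata.nextLink"] = (f"{GRAPH}/groups/x/members?"
                                       + urlencode({"$top": top,
                                                    "$skiptoken": skip + top}))
        return page


if __name__ == "__main__":
    graph = FakeGraph(users=327)          # constructed: a 327-user VIP group
    rows = watchlist_rows(list_group_members(graph, "vip-group-id"))
    print(f"{len(rows)} users collected over {graph.calls} Graph calls")
```

With the default page size the 327-user group above needs four requests; raising `$top` only changes how many pages there are, not whether the loop is needed, which is why the termination condition is the absence of '@odata.nextLink' rather than a member count.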

@v-shukore (Contributor):
Hi @pixel559,
Thanks for your response.
We will investigate this issue and get back to you ASAP. Thanks!!

@pixel559 (Author):
Hello @v-shukore ,
Are there any updates?

@v-shukore (Contributor):
Hi @pixel559,
Thanks for your response,
As discussed with the concerned team, we found that the default result limit in the playbook is set to 100, which is why you are only receiving 100 users as a result. If you need to retrieve more than 100 users, you will need to update the query parameter ?$top=(number), with a maximum limit of 999 based on the API. For further understanding, please refer to the documentation below.
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http#optional-query-parameters

@pixel559 (Author):
Hello @v-shukore ,
I do not think you understand the request.
Request is to UPDATE playbook to retrieve all group members.
Also, the playbook does not limit the number of group members returned. Please point to the explicit line in the playbook which limits the result to 100. (And yes, I understand that 100 is the default number of group members returned, as well as that @odata.nextLink should be returned.)
The request is to UPDATE the playbook so it is agnostic to the number of members in the group, so the list would return whatever the number of group members is.
Checking the count of users in the group breaks the idea of automatic updates of the watchlist. And this is centered on the default limit and paging.

Please update the automation template supplied by Microsoft to retrieve the full list of group members regardless of the count of group members.

@pixel559 (Author):
@v-shukore, please let me know when updates to the playbook are expected.

@v-shukore (Contributor):
Hi @pixel559,
We have shared this feature request with our concerned team, and they will take this request into their queue and update the playbook, as they currently do not have a definite ETA. We will notify you once the request has been completed.
Therefore, we are closing this issue on GitHub. If you still need support for this issue, feel free to re-open it at any time. Thank you for your cooperation.

@pixel559 (Author):
Hey @v-shukore ,
Thank you! I would appreciate a response here, with no reactivation.
There would be no notification to me specifically on the playbook update; am I supposed to monitor for updates on the playbook template?

@v-shukore (Contributor):
Hi @pixel559, once the PR is raised by the playbook author, our team will link it with this issue and will also notify you via GitHub. Thanks!!

Development

No branches or pull requests

5 participants