This playbook locks an SAP user when triggered by a Microsoft Sentinel incident. It dynamically finds SAP-specific alert details across all alerts in the incident, supporting complex multi-alert incidents from Defender XDR.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SAP |
| Source | View on GitHub |
⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 3 |
| teams | Managed | 1 | 9 |
| http | Built-in | 0 | 4 |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_no_SAP_alert | post | /Incidents/Comment | — |
| Close_Sentinel_incident | put | /Incidents | — |
| Close_incident_false_positive | put | /Incidents | — |
teams (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Reply_success_in_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Reply_unblock_success_in_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Reply_unblock_error_in_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Reply_error_in_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Reply_AAD_placeholder | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Reply_BTP_placeholder | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Post_timeout_message | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Notify_admin_on_extraction_error | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Chat with Flow bot')} | — |
| Notify_admin_on_processing_error | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Chat with Flow bot')} | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_OAuth_token_for_SAP | POST | @{parameters('SAPOAuthTokenEndpoint')} | — |
| Block_User_via_SAP | POST | @{variables('AgentGuid')}/http/community/sentinel/sap-user-block | — |
| Get_OAuth_token_for_SAP_unblock | POST | @{parameters('SAPOAuthTokenEndpoint')} | — |
| Unblock_User_via_SAP | POST | @{variables('AgentGuid')}/http/community/sentinel/sap-user-block | — |
📄 Source: Basic-SAPLockUser/readme.md
This playbook locks an SAP ERP user through the SAP Integration Suite when triggered by a Microsoft Sentinel incident. It posts an adaptive card to a Teams channel, letting an analyst choose to block the user on SAP ERP (or flag the incident as a false positive).
Unlike a static approach that assumes the SAP alert is always the first alert, this playbook dynamically searches all alerts in the incident for SAP-specific Custom Details (SAP_User, SidGuid, AgentGuid). This makes it compatible with complex, multi-alert incidents from Defender XDR.
| Item | Detail |
|---|---|
| Logic App type | Consumption |
| Trigger | Microsoft Sentinel incident |
| Connectors | Microsoft Sentinel (Managed Identity), Microsoft Teams |
| SAP integration | SAP Integration Suite (CPI) iFlow via OAuth2 client credentials |
Incident trigger
├─ Filter all alerts → find SAP alert with Custom Details containing SAP_User
├─ No SAP alert found? → add incident comment, exit gracefully
├─ Post adaptive card to Teams (incident info + SAP user + block/flag)
├─ Block path:
│ ├─ SAP ERP → OAuth token → lock user via Integration Suite → notify + close incident
│ ├─ Entra ID → placeholder (extend with Entra ID connector)
│ └─ SAP BTP → placeholder (extend with IAS/XSUAA REST call)
├─ Flag path: close incident as false positive
└─ Error handlers: notify admin via Teams bot chat
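The alert-selection step of the flow above, as an added Python example (not the playbook's own code): it contrasts the dynamic scan with the alerts[0] approach and takes the comment-and-exit path when no alert carries the SAP Custom Details. The trigger payload shape (alerts under object.properties.Alerts, custom details under properties.additionalData.customDetails with array values) and the sample incident are assumptions constructed for the example.

```python
from typing import Optional

# Added example, not code from the playbook: the "filter all alerts" step of the
# flow above as plain Python, run against a constructed incident payload.
# Assumed trigger shape: alerts under object.properties.Alerts, custom details
# under properties.additionalData.customDetails, each value a list of strings.
SAP_KEYS = ("SAP_User", "SidGuid", "AgentGuid")

def _scalar(value):
    # Custom-detail values are assumed to be one-element arrays; bare strings tolerated.
    return (value[0] if value else None) if isinstance(value, list) else value

def _alerts(incident: dict) -> list:
    return incident.get("object", {}).get("properties", {}).get("Alerts", [])

def _custom_details(alert: dict) -> dict:
    return alert.get("properties", {}).get("additionalData", {}).get("customDetails") or {}

def find_sap_alert(incident: dict) -> Optional[dict]:
    """Dynamic path: return SAP details from the first alert carrying all three keys, else None."""
    for alert in _alerts(incident):
        details = _custom_details(alert)
        if all(_scalar(details.get(k)) for k in SAP_KEYS):
            return {k: _scalar(details[k]) for k in SAP_KEYS}
    return None

def static_sap_user(incident: dict) -> Optional[str]:
    """The alerts[0] approach the readme contrasts with: misses an SAP alert that is not first."""
    alerts = _alerts(incident)
    return _scalar(_custom_details(alerts[0]).get("SAP_User")) if alerts else None

def plan(incident: dict) -> dict:
    """Pick the branch: post the card with the block endpoint (shape taken from
    Block_User_via_SAP), or add an incident comment and exit gracefully."""
    sap = find_sap_alert(incident)
    if sap is None:
        return {"action": "comment",
                "text": "No alert with SAP_User/SidGuid/AgentGuid custom details; nothing to lock."}
    return {"action": "card", "user": sap["SAP_User"],
            "block_url": f"{sap['AgentGuid']}/http/community/sentinel/sap-user-block"}

def _alert(details: dict) -> dict:
    return {"properties": {"additionalData": {"customDetails": details}}}

# Constructed Defender XDR-style incident: a non-SAP alert first, the SAP alert second.
SAMPLE_INCIDENT = {"object": {"properties": {"Alerts": [
    _alert({"Host": ["WS01"]}),
    _alert({"SAP_User": ["JDOE"], "SidGuid": ["sid-0001"],
            "AgentGuid": ["https://agent.example/guid-0001"]}),
]}}}
```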
| Parameter | Description | Example |
|---|---|---|
| PlaybookName | Name of the Logic App resource | SAPLockUser-Basic |
| DefaultAdminEmail | Admin UPN for error notifications via Teams bot | admin@contoso.com |
| SAPOAuthTokenEndpoint | OAuth2 token URL for SAP BTP | https://<sub>.authentication.<region>.hana.ondemand.com/oauth/token |
| SAPOAuthClientId | OAuth2 client ID (securestring) | — |
| SAPOAuthClientSecret | OAuth2 client secret (securestring) | — |
| SAPClientId | SAP MANDT / client number | 100 |
| TeamsTeamId | Teams Team ID | 626751d1-... |
| TeamsChannelId | Teams Channel ID | 19:abc123...@thread.tacv2 |
Tip: If you don't have the Teams IDs at deployment time, leave them empty and configure the TeamsChannel workflow parameter in the Logic App designer after deployment.
- Authorize the Teams API connection: teams-* → Edit API connection → Authorize.
- Check that the TeamsChannel parameter has valid teamID and channelID values.
- Trigger a test incident whose alert carries the SAP Custom Details (SAP_User, SidGuid, AgentGuid) and verify the adaptive card appears in Teams.
| Aspect | This playbook (Consumption) | STD version |
|---|---|---|
| Logic App type | Consumption (pay-per-execution) | Standard (dedicated hosting) |
| VNet injection | Not supported | Supported |
| Alert handling | Dynamic — filters all alerts for SAP details | Static — uses alerts[0] |
| Defender XDR | ✅ Complex multi-alert incidents | ⚠️ Assumes SAP alert is first |
| SAP username | Dynamic from Custom Details | Hardcoded demo value |
| Unlock flow | Not included (add separately) | Included with timeout auto-unlock |
| Deployment | ARM template with Deploy to Azure button | ARM template for Standard + storage |
Case_AAD branch.active: false in the Case_BTP branch.[Content truncated...]