Skip to main content

Hello everyone,

One of our customers is encountering the following error message when accessing SecOps SIEM.

We are using BYOID and following the setup guide from Chris Martin, see: https://medium.com/@thatsiemguy/linking-azure-idp-to-chronicle-secops-platform-ba649660d5fb

 

For this particular customer, there is an added complication: they do not have an Azure Entra ID P1 license and therefore are not allowed to assign a group to the Enterprise Application. They can only authorize individual users for the Enterprise App.

In GCP IAM, I mapped the Chronicle Viewer role to the following principal:

 

 

principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/attribute.userPrincipalName/<userPrincipalName>

 

 

Unfortunately, this does not seem to be working. Does anyone have any ideas?

Thank you!

If you can change them permission assigned to the pool to chronicle editor or admin do you have different results?  



 

just tested with the customer, the error message is the same.

just tested with the customer, the error message is the same.


I’ll try replicate in my lab.  Assuming in your mappings you’re using a username rather than group? 

I’ll try replicate in my lab.  Assuming in your mappings you’re using a username rather than group? 


yes, that's right.
Because of a missing P1 Entra ID license, the customer is not allowed to map groups.

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.