When integrating Microsoft Sentinel with an Azure Logic App to automate workflows—such as creating or syncing incidents to an on-premises ITSM system—you must configure the Sentinel connector authentication method. Microsoft’s official guidance emphasizes using Managed Identity wherever possible because it provides automatic credential management, Azure-native security, and requires no secret rotation or manual key storage, which minimizes administrative effort.

A Managed Identity is the recommended authentication method for Logic Apps and other Azure services connecting to Microsoft Sentinel. It eliminates the need for manually creating and maintaining service principals or user accounts. The managed identity is automatically trusted by Azure AD and can be granted the required role directly in the Sentinel workspace’s resource group or subscription. This aligns with the requirement to minimize administrative effort.

Among the Sentinel-specific roles:

Microsoft Sentinel Reader: Read-only access to view incidents and data.

Microsoft Sentinel Responder: Can view and update incidents, run playbooks on incidents, and close incidents—exactly what’s required to raise or synchronize incidents externally.

Microsoft Sentinel Automation Contributor: Used when the Logic App triggers or manages automations, not when it only updates incidents.

Since the playbook needs to raise incidents (perform incident-level actions) but not configure automation at scale, the least privilege role that satisfies the requirement is Microsoft Sentinel Responder.

✅ Final Configuration:

Connector Authentication: A managed identity (low admin overhead)

Assigned Role: Microsoft Sentinel Responder (least privilege sufficient for incident operations)