Azure · v-atulyadav · Dec 29, 2025 · Dec 12, 2025 · Dec 24, 2025
@@ -24,7 +24,9 @@
     "Playbooks/Send-Teams-adaptive-card-on-incident-creation/azuredeploy.json",
     "Playbooks/Http-Trigger-Entity-Analyzer/azuredeploy.json",
     "Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json",
-    "Playbooks/Url-Trigger-Entity-Analyzer/azuredeploy.json"
+    "Playbooks/Url-Trigger-Entity-Analyzer/azuredeploy.json",
+    "Playbooks/Send-Incident-Email-XDRPortal/azuredeploy.json",
+    "Playbooks/Send-Incident-Teams-Adaptive-Card-XDRPortal/azuredeploy.json"
   ],
   "Workbooks": [
     "Workbooks/AutomationHealth.json",

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.\n\n**Workbooks:** 4, **Playbooks:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.\n\n**Workbooks:** 4, **Playbooks:** 23\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",

@@ -0,0 +1,74 @@
+# Send-Incident-Email-XDRPortal
+
+author: Brian Delaney
+
+## Summary
+This playbook sends an email with an incident report including alert details and entity information. Incident and entity links go to the security.microsoft.com portal.  Sentinel must be connected to the XDR portal for this to work on all incidents.
+
+## Prerequisites
+- A Microsoft 365 (M365) account to send email notifications (the user account will be used in the O365 connector for sending emails).
+- Sentinel must be connected to the [XDR Portal](https://learn.microsoft.com/en-us/azure/sentinel/move-to-defender)
+
+## Deployment instructions
+
+1. To deploy the playbook, click the Deploy to Azure button below. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+    - Playbook Name
+    - Microsoft Graph Endpoint (https://graph.microsoft.com)
+    - Denfeder Portal Endpoint (https://security.microsoft.com)
+    - SOC Phone Number
+    - SOC Email Address
+    - Notification Email Address
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSentinelSOARessentials%2FPlaybooks%2FSend-Incident-Email-XDRPortal%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSentinelSOARessentials%2FPlaybooks%2FSend-Incident-Email-XDRPortal%2Fazuredeploy.json)
+<br><br>
+
+## Post-deployment Instructions
+
+### Authorize connections
+Once deployment is complete, authorize the connection.
+
+1. Open the Logic App in the Azure portal.
+2. Click Connections
+3. Expand *Office 365 Outlook*
+4. Click the link to Open Connection, or reassign a new one
+5. Sign in with the account to be used for sending email
+6. Click Save.
+
+### Grant Permissions
+1. Locate and note the Logic App managed identity id (Logic App -> Settings -> Identity)
+2. Locate a note the Entra ID Tenant ID (Entra ID -> Tenant ID)
+3. Update the PowerShell Script below with the IDs from above
+4. Run the PowerShell script to grant API Permissions. This can be run locally or from Cloud Shell
+
+```powershell
+$MIGuid = "<LogicAppManagedIdentityId>"
+$TenantId = "<TenantId>"
+
+Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -NoWelcome -ErrorAction Stop
+$MSI = Get-MgServicePrincipal -ServicePrincipalId $MIGuid
+$AppId = "00000003-0000-0000-c000-000000000000"
+$permissions = @("SecurityAlert.Read.All", "SecurityIncident.Read.All")
+$GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
+
+foreach ($PermissionName in $permissions) {
+    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -PrincipalId $MSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id
+}
+
+Write-Host "Assigned permissions to Managed Identity Service Principal."
+
+```
+
+### b. Attach the playbook
+1. In Microsoft Sentinel, configure an automation rule to trigger this playbook when an incident is created.
+   - [Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
+
+## Screenshots
+
+**Playbook**<br>
+![Playbook](./images/LightPlaybook_SendEmailXDR.png)
+
+**Email**<br>
+![Email](./images/LightEmail_SendEmailXDR.png)