Cannot edit API connection -- Paloaltoconnector-PaloAlto-PAN-OS-BlockIP

Question

Cannot edit API connection -- Paloaltoconnector-PaloAlto-PAN-OS-BlockIP

Frank Adams 0

We are using the Palo Alto PAN-OS Solution for Microsoft Sentinel. The solution includes Playbooks which have API connections. The API connections facilitate automation and connect to the Palo Alto Networks security appliance via REST.

Our issue is we cannot edit the API connections to include the necessary credentials to authenticate the REST API connection.

When we attempt to edit the API connection we receive the error: 'Failed to edit API connection Paloaltoconnector-PaloAlto-PAN-OS-BlockIP'

We have verified the Access control (IAM) of the API connection grants us access to the API connection with the roles assigned as 'Owner' and 'Logic App Contributor'. Both roles permit write permission, specifically for category Microsoft.Web permission 'Add or Update Custom API' and globally 'Create API or Update API'

Can anyone help or provide guidance regarding this issue?

Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-17T20:01:56.3433333+00:00

Hello Frank Adams,

Could you please provide me the screenshot of the error and describe the steps that you're following to edit API connection.

That would help me to understand the issue better.

Please provide required information to proceed further.
Frank Adams 0 Reputation points

2025-04-18T00:25:10.0866667+00:00

Hello,

Per your request. We open the API connection. Click 'Edit API connection'. Fill in the required fields. And click 'Save'
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-18T20:19:23.5+00:00

Hello Frank Adams,

Thanks for the details, also, please share me the activity logs details as well.
Frank Adams 0 Reputation points

2025-04-19T03:17:13.56+00:00

QueryResult.txtActivity Log from last week attached.
Sonny Gillissen 3,596 Reputation points

2025-04-19T18:44:34.6166667+00:00

Hi Frank Adams

Thanks for reaching out on Microsoft Q&A!

Some API Connections may need ‘Admin Consent’ for them to get updated, which may be the case here. When looking at the activity logs it bounces on consent.

Could you try to do the same with either Privileged Role Administrator, Cloud Application Administrator or Application Administrator.

Please click ‘Accept answer’ if you think my answer is helpful. Feel free to drop additional queries in the comments below!

Kind regards,

Sonny
Frank Adams 0 Reputation points

2025-04-20T01:27:54.92+00:00

Hi,

I added all the roles mentioned and still receive the same error. Please know these API connections are associated with Logic Apps vs Enterprise Apps or Owned Apps.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-21T22:23:24.45+00:00

Hello Frank Adams,

Are you using Standard Logic App? If yes, please assign the permission Azure built-in roles for Integration - Azure RBAC | Microsoft Learn and see if that helps.

if you can create a new API connection and see if they can succeed. The API connection you are referring to seem to be configured with a Gateway as well. If you have defined a custom role based on Logic App contributor, please include the permissions for Microsoft.Web/connectionGateways/* as well.

If you see this error, try creating the API connection through a Rest API using the following reference - How to create API connection (Logic App consumption) using ARM REST API | Microsoft Community Hub and share the result.
Frank Adams 0 Reputation points

2025-04-22T22:39:47.8266667+00:00

Hi,

These Logic Apps were developed by Microsoft. We are using the API connection with the gateway because our Palo Alto Networks security appliance is on-premises. The non-gateway API connection can be edited with no issues. But it would require us to expose our on-premises management network to the Internet. Does anyone have access to the custom Logic App on the back-end? We are thinking someone within Microsoft will have to grant us permissions explicitly.
Frank Adams 0 Reputation points

2025-04-25T19:31:49.5366667+00:00

Hi , the requested information has been sent via private comment as requested. Thank you for addressing this issue, we really appreciate it.
LeelaRajeshSayana-MSFT 17,676 Reputation points

2025-04-28T19:35:42.95+00:00

@Frank Adams Thank you for sharing the requested information. We will engage with you through an offline support case for additional assistance. Please see the private messages for next steps.

1 answer

Your answer

Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-17T20:01:56.3433333+00:00

Hello Frank Adams,

Could you please provide me the screenshot of the error and describe the steps that you're following to edit API connection.

That would help me to understand the issue better.

Please provide required information to proceed further.
Frank Adams 0 Reputation points

2025-04-18T00:25:10.0866667+00:00

Hello,

Per your request. We open the API connection. Click 'Edit API connection'. Fill in the required fields. And click 'Save'
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-18T20:19:23.5+00:00

Hello Frank Adams,

Thanks for the details, also, please share me the activity logs details as well.
Frank Adams 0 Reputation points

2025-04-19T03:17:13.56+00:00

QueryResult.txtActivity Log from last week attached.
Sonny Gillissen 3,596 Reputation points

2025-04-19T18:44:34.6166667+00:00

Hi Frank Adams

Thanks for reaching out on Microsoft Q&A!

Some API Connections may need ‘Admin Consent’ for them to get updated, which may be the case here. When looking at the activity logs it bounces on consent.

Could you try to do the same with either Privileged Role Administrator, Cloud Application Administrator or Application Administrator.

Please click ‘Accept answer’ if you think my answer is helpful. Feel free to drop additional queries in the comments below!

Kind regards,

Sonny
Frank Adams 0 Reputation points

2025-04-20T01:27:54.92+00:00

Hi,

I added all the roles mentioned and still receive the same error. Please know these API connections are associated with Logic Apps vs Enterprise Apps or Owned Apps.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-21T22:23:24.45+00:00

Hello Frank Adams,

Are you using Standard Logic App? If yes, please assign the permission Azure built-in roles for Integration - Azure RBAC | Microsoft Learn and see if that helps.

if you can create a new API connection and see if they can succeed. The API connection you are referring to seem to be configured with a Gateway as well. If you have defined a custom role based on Logic App contributor, please include the permissions for Microsoft.Web/connectionGateways/* as well.

If you see this error, try creating the API connection through a Rest API using the following reference - How to create API connection (Logic App consumption) using ARM REST API | Microsoft Community Hub and share the result.
Frank Adams 0 Reputation points

2025-04-22T22:39:47.8266667+00:00

Hi,

These Logic Apps were developed by Microsoft. We are using the API connection with the gateway because our Palo Alto Networks security appliance is on-premises. The non-gateway API connection can be edited with no issues. But it would require us to expose our on-premises management network to the Internet. Does anyone have access to the custom Logic App on the back-end? We are thinking someone within Microsoft will have to grant us permissions explicitly.
Frank Adams 0 Reputation points

2025-04-25T19:31:49.5366667+00:00

Hi , the requested information has been sent via private comment as requested. Thank you for addressing this issue, we really appreciate it.
LeelaRajeshSayana-MSFT 17,676 Reputation points

2025-04-28T19:35:42.95+00:00

@Frank Adams Thank you for sharing the requested information. We will engage with you through an offline support case for additional assistance. Please see the private messages for next steps.

Answer 1

Hi @Frank Adams I have reached out to you through the private comments with next steps on this issue. Please respond to the requested information in the private comments.

Update

Sharing the findings here to help the broader community understand the issue.

We have done some additional investigation on this issue. The Custom Connector could most likely be imported into the instance following the steps outlines in this GitHub repository - Azure-Sentinel/Playbooks/PaloAlto-PAN-OS/readme.md at master · Azure/Azure-Sentinel The authentication method for the connector only works with API Key based authentication. Please find this limitation in the Authentication section The guidance per the customer connector documentation states that the API key connection does not work on on-premises data gateway. Since the connector imported on work with API key authentication and this cannot be changed, enabling the on-premises data gateway operation is throwing an error because of the conflicting authentication support.

See if you create a new custom connector for this by following the steps in Create a custom connector from scratch | Microsoft Learn. This way, you can define your desired way of authentication.

We will continue to work with you through the offline case to help address this issue.

Share via

Cannot edit API connection -- Paloaltoconnector-PaloAlto-PAN-OS-BlockIP

1 answer

Your answer