diff --git a/Playbooks/Restrict-MDEIPAddress/readme.md b/Playbooks/Restrict-MDEIPAddress/readme.md
index d2331c2583d..6adca6c772d 100644
--- a/Playbooks/Restrict-MDEIPAddress/readme.md
+++ b/Playbooks/Restrict-MDEIPAddress/readme.md
@@ -22,18 +22,24 @@ After deployment, you can run this playbook manually on an alert or attach it to
 
 ## Prerequisites
 - **For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)
-- You will need to grant Ti.ReadWrite permissions to the managed identity.  Run the following code replacing the managed identity object id.  You find the managed identity object id on the Identity blade under Settings for the Logic App.
+- You will need to grant Ti.ReadWrite permissions and assign Microsoft Seninel Reader to the resource group for the managed identity.  Run the following code replacing the managed identity object id, subscrptiptionid and resource group.  You find the managed identity object id on the Identity blade under Settings for the Logic App.
 ```powershell
+
 $MIGuid = "<Enter your managed identity guid here>"
+$SubscriptionId = "<Enter your subsciption id here>"
+$ResourceGroup = "<Enter your resource group here>"
 $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
 
 $MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
 $PermissionName = "Ti.ReadWrite" 
+$RoleName = "Microsoft Sentinel Reader"
 
 $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
 $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
 New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
 -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
+
+New-AzRoleAssignment -ObjectId $MIGuid -RoleDefinitionName $RoleName -Scope /subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup
 ```
 
 ## Screenshots