Bug: Azurehound / Bloodhound CE: Administrative Units are not considered leading to wrong edges #942

zh54321 · 2024-11-08T07:53:32Z

Description:

Administrative Units are not considered by Bloodhound / Azurehound and therefore lead to wrong edges.

No

Bloodhound edges where Administrative Units are involved (example AZResetPassword).

Create a new user in Entra ID
Create an administrative unit in Entra ID
Add a role assignment (example Privileged Authentication Administrator) to the user set the scope to the administrative unit
Collect the data with Azurehound and import them
Check if there are any paths between the created user and the Global Admin

The edges should not be created.

Bloodhound CE shows the edge AZResetPassword to the Global Admin:

However, since the role assignment for Normaluser is scoped to an administrative unit, that edge is wrong.

Only one user is a member of the administrative unit:

Therefore, the user can't reset the pw of the global admin:

Change Azurehound to also collect information about administrative units (data is not present in the collected json file)
Change processing to only draw the edges of roles which are scoped to an AU to the members of the AU.

Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1

I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
I have provided clear steps to reproduce the issue.
I have included relevant environment information details.
I have attached necessary supporting documents.

zh54321 added bug Something isn't working triage This issue requires triaging labels Nov 8, 2024