
Bug: Bloodhound CE: Edge AZAddSecret to Managed Identities #943

Open
4 tasks done
zh54321 opened this issue Nov 8, 2024 · 0 comments
Labels
bug Something isn't working triage This issue requires triaging

zh54321 commented Nov 8, 2024

Description:

Bloodhound creates the edge AZAddSecret to Managed Identities

Are you intending to fix this bug?

No

Component(s) Affected:

Bloodhound Edges

Steps to Reproduce:

  1. Create a new user in Entra ID
  2. Assign the role Application Administrator to the user (scoped to the whole tenant)
  3. Create an Azure resource with a managed identity (for example, a VM)
  4. Collect the data with AzureHound and import them
  5. Check if there are any paths between the user and the managed identity

Expected Behavior:

The edge AZAddSecret should not be created for Managed Identities

Actual Behavior / Screenshots / Code Snippets / Sample Files:

The user test.fec has the role Application Administrator and therefore can add secrets to app registrations and enterprise applications.
However, BloodHound creates the edge AZAddSecrets for Managed Identities as well:
(screenshot 2_1)

While it is possible to add secrets to enterprise applications, it is not possible to manage the secrets of managed identities:
(screenshot 2_2)

Environment Information:

Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1

Potential Solution:

Check if the service principal is a managed identity and do not create the edge. The information if the service principal is a Managed Identity is already present at the node.

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
  • I have attached necessary supporting documents.
@zh54321 zh54321 added bug Something isn't working triage This issue requires triaging labels Nov 8, 2024
@zh54321 zh54321 changed the title Bug: Bloodhound CE: Edge AZAddSecret on Managed Identities Bug: Bloodhound CE: Edge AZAddSecret to Managed Identities Nov 8, 2024
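An added audit query (not from the issue or the BloodHound project) that an analyst can run against the BloodHound Neo4j database to list the false-positive edges this report describes. It assumes the AZServicePrincipal node stores the managed-identity flag in a `serviceprincipaltype` property with the value `ManagedIdentity`; check the node properties in your own instance and adjust the property name if it differs.

```cypher
// List every AZAddSecret edge whose target service principal is a managed identity.
// Assumption: AZServicePrincipal nodes carry `serviceprincipaltype`, with the
// value "ManagedIdentity" for managed identities (property name not confirmed
// by the issue text; verify against a node in your database).
MATCH (src)-[r:AZAddSecret]->(sp:AZServicePrincipal)
WHERE toLower(sp.serviceprincipaltype) = 'managedidentity'
RETURN src.name      AS principal,
       labels(src)   AS principal_labels,
       sp.name       AS managed_identity,
       sp.objectid   AS sp_objectid
ORDER BY principal, managed_identity
```

Each row returned is a path BloodHound displays that cannot be exercised, since secrets of managed identities are not manageable through the Application Administrator role; treat those edges as noise when reviewing paths to Azure resources.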