
Bug: AzureHound / BloodHound CE: "App Instance Property Lock" is not considered, leading to wrong AZAddSecret edges #945

Open
zh54321 opened this issue Nov 8, 2024 · 0 comments
Labels
bug Something isn't working triage This issue requires triaging

Comments

zh54321 commented Nov 8, 2024

Description:

In September 2023 Microsoft introduced a new feature in Entra: App instance property lock.
Since March 2024 it has been enabled by default for all newly created app registrations.
Source: https://techcommunity.microsoft.com/blog/identity/what%e2%80%99s-new-in-microsoft-entra/3796394

If the App instance property lock is configured on the App Registration, it is no longer possible to add a secret or certificate to the Enterprise Application (it is still possible on the App Registration).

Since this is not yet considered in AzureHound / BloodHound, it leads to wrong edges: AZAddSecret --> Enterprise Application

Are you intending to fix this bug?

Partially, I will create a PR to slightly adjust the text for AZAddSecret.
However, it would be nice if the creation of the wrong edges could be prevented.

Component(s) Affected:

Bloodhound Edges

Steps to Reproduce:

  1. Create a new App registration
  2. Create a new user and assign the role Application Administrator
  3. Collect the data with AzureHound and import it
  4. Check the path from the user created in step 2 to the enterprise application (not the app registration) created in step 1

Expected Behavior:

  • For internal applications (app registration is in the same tenant), the app lock status should be enumerated, and the edge AZAddSecret should only be created if the enterprise application is not protected by it.
  • Since it is not possible to enumerate the app registrations in a foreign tenant, the AZAddSecret text should be adjusted.

Actual Behavior / Screenshots/Code Snippets/Sample Files:

Bloodhound shows that a user with the role Application Administrator can add a secret to the Enterprise Application:
[screenshot 4_1]

However, the corresponding App Registration has the app instance property lock configured:
[screenshot 4_2]

Therefore, it is not possible to add a secret to the enterprise application:
[screenshot 4_3]

Environment Information:

Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1

Potential Solution (optional):

If you have any ideas about what might be causing the issue or how it could be fixed, you can share them here.

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
  • I have attached necessary supporting documents.
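A defender-side sketch of the lock-aware edge decision requested in the expected behaviour above, added here as an example; it is not code from AzureHound or BloodHound. It assumes the collector exposes the Microsoft Graph `servicePrincipalLockConfiguration` object on each application and `appOwnerOrganizationId` on each service principal; all sample objects and tenant ids are constructed.

```python
"""Decide whether an AZAddSecret edge to a service principal is justified.

Assumption: input objects follow the Microsoft Graph 'application' and
'servicePrincipal' resource shapes (property names as documented by Graph).
"""
from typing import Optional

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id

# Constructed sample of what a lock-aware collector could return.
APPLICATIONS = [
    {"appId": "app-1", "displayName": "Locked app",
     "servicePrincipalLockConfiguration": {
         "isEnabled": True, "allProperties": False,
         "credentialsWithUsageSign": True, "credentialsWithUsageVerify": True}},
    {"appId": "app-2", "displayName": "Legacy app, no lock object",
     "servicePrincipalLockConfiguration": None},
    {"appId": "app-3", "displayName": "Lock object present but disabled",
     "servicePrincipalLockConfiguration": {"isEnabled": False, "allProperties": True}},
]
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-2", "appId": "app-2", "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-3", "appId": "app-3", "appOwnerOrganizationId": HOME_TENANT},
    # Multi-tenant app registered elsewhere: its registration cannot be enumerated.
    {"id": "sp-4", "appId": "app-9", "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]


def credentials_locked(lock: Optional[dict]) -> bool:
    """True if the lock blocks adding secrets/certs on the service principal."""
    if not lock or not lock.get("isEnabled"):
        return False
    return bool(lock.get("allProperties")
                or lock.get("credentialsWithUsageSign")
                or lock.get("credentialsWithUsageVerify"))


def add_secret_edge(sp: dict, apps_by_appid: dict, home_tenant: str) -> str:
    """Return 'create', 'skip' or 'unknown' for the AZAddSecret edge to sp."""
    if sp.get("appOwnerOrganizationId") != home_tenant:
        return "unknown"  # foreign tenant: lock status is not visible to us
    app = apps_by_appid.get(sp.get("appId"))
    if app is None:
        return "unknown"  # registration missing from the collected data
    lock = app.get("servicePrincipalLockConfiguration")
    return "skip" if credentials_locked(lock) else "create"


def classify_all(applications: list, service_principals: list, home_tenant: str) -> dict:
    """Map each service principal id to its AZAddSecret edge decision."""
    apps_by_appid = {a["appId"]: a for a in applications}
    return {sp["id"]: add_secret_edge(sp, apps_by_appid, home_tenant) for sp in service_principals}
```

Only the "create" bucket should receive an AZAddSecret edge; "unknown" is where the adjusted edge text applies.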