
Fix for Azure Service Principals who have no permission to access the Graph API #39

Open
wants to merge 1 commit into main

Conversation

@SvenTo SvenTo commented May 5, 2023

Data collection with azurehound does not work for Azure Service Principals who have no permission to access the Graph API because calling client.GetAzureADOrganization() fails. However, collecting information from the Azure Resource Manager is still possible.

This pull request implements a bugfix so that you can use commands like list az-rm with those Service Principals.

Sample output:

$ ./azurehound list az-rm -v 2 -a "[REDACTED]" --secret "[REDACTED]" -t "[REDACTED]" -o "az-rm.json" --log-file az-rm.log --json
AzureHound 2379ab55f4a5c12ed2cae977ab33a2d59f5a0192
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

No configuration file located at [REDACTED]/.config/azurehound/config.json
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"Log File: az-rm.log"}
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"testing connections"}
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"testing connections"}
{"level":"trace","targetUrl":"https://login.microsoftonline.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"trace","targetUrl":"https://graph.microsoft.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"trace","targetUrl":"https://management.azure.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"error","error":"map[error:map[code:Authorization_RequestDenied innerError:map[client-request-id:[REDACTED] date:2023-05-05T14:49:27 request-id:[REDACTED]] message:Insufficient privileges to complete the operation.]]","time":"2023-05-05T16:49:27+02:00","message":"unable to get Azure AD organization. It is likely that your user don't have directory reader permissions. If you list non AAD objects (e.g., az-rm) this should be okay."}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"collecting azure resource management objects..."}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all subscription user access admins"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all container registries"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all virtual machine role assignments"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all automation accounts"}
[...]
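To make the behaviour described in this PR concrete, here is an added illustration (not AzureHound's own code, and not the PR's diff) of the error-handling pattern it asks for: the Graph organization lookup is attempted first, and a failure is downgraded to a warning only when it carries the Graph `Authorization_RequestDenied` code and the requested command reads nothing but Azure Resource Manager objects; any other error, or a denied lookup for a directory command, still aborts the run. The command names in `armOnly`, the `Collect` function, the fake Graph and ARM clients and the tenant values are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// graphError is a constructed stand-in for the error body Microsoft Graph
// returns when the caller lacks directory read permission.
type graphError struct {
	Code    string
	Message string
}

func (e *graphError) Error() string { return e.Code + ": " + e.Message }

// Organization holds the two tenant fields this example cares about.
type Organization struct {
	ID          string
	DisplayName string
}

// orgLookup abstracts the Graph organization call so a fake can replace it.
type orgLookup func() (*Organization, error)

// armOnly is an assumed set of commands that read only Azure Resource Manager
// objects and therefore work without directory read permission.
var armOnly = map[string]bool{
	"az-rm":           true,
	"subscriptions":   true,
	"resource-groups": true,
}

// isAuthorizationDenied reports whether err (possibly wrapped) is the Graph
// "insufficient privileges" failure. Network or auth-token errors are not.
func isAuthorizationDenied(err error) bool {
	var ge *graphError
	return errors.As(err, &ge) && ge.Code == "Authorization_RequestDenied"
}

// CollectResult records what a run was able to gather and what it skipped.
type CollectResult struct {
	TenantID string
	Warnings []string
	ARMItems []string
}

// Collect runs one command. A denied Graph lookup is tolerated for ARM-only
// commands and logged as a warning; for directory commands it is fatal.
func Collect(command string, lookup orgLookup, armList func() []string) (*CollectResult, error) {
	res := &CollectResult{}
	org, err := lookup()
	switch {
	case err == nil:
		res.TenantID = org.ID
	case isAuthorizationDenied(err) && armOnly[command]:
		res.Warnings = append(res.Warnings,
			"unable to get Azure AD organization: "+err.Error()+"; continuing with ARM-only collection")
	default:
		return nil, fmt.Errorf("command %q requires directory access: %w", command, err)
	}
	res.ARMItems = armList()
	return res, nil
}

// Fakes standing in for the Graph and ARM endpoints so the example runs offline.
func deniedLookup() (*Organization, error) {
	return nil, &graphError{
		Code:    "Authorization_RequestDenied",
		Message: "Insufficient privileges to complete the operation.",
	}
}

func okLookup() (*Organization, error) {
	return &Organization{ID: "tenant-0000", DisplayName: "Contoso"}, nil
}

func fakeARM() []string {
	return []string{
		"subscription user access admins",
		"container registries",
		"virtual machine role assignments",
	}
}

func main() {
	res, err := Collect("az-rm", deniedLookup, fakeARM)
	fmt.Printf("az-rm: items=%d warnings=%v err=%v\n", len(res.ARMItems), res.Warnings, err)
	_, err = Collect("az-ad", deniedLookup, fakeARM)
	fmt.Printf("az-ad: err=%v\n", err)
}
```

The check worth keeping from this pattern is that only the specific Graph authorization error is downgraded: a TLS failure, an expired token or a throttling response against `graph.microsoft.com` should still stop the run, otherwise an ARM-only collection can silently succeed on top of a broken Graph connection.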

github-actions bot commented May 5, 2023

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by posting a Pull Request comment in the same format as below.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request

SvenTo commented May 10, 2023

I have read the CLA Document and I hereby sign the CLA

SvenTo commented Aug 21, 2023

recheck

@sven-ernw

I have read the CLA Document and I hereby sign the CLA


recheck

ddlees commented Aug 22, 2023

@SvenTo @sven-ernw

The CLA check is failing because the first signature is only valid for the SvenTo account and the commit in this PR is from sven-ernw. The second signature, from sven-ernw, is malformed.

As sven-ernw please add this one-line comment exactly:

I have read the CLA Document and I hereby sign the CLA

@irshadaj irshadaj added the external This pull request is from an external contributor label Sep 11, 2024