
Fix for Azure Service Principals who have no permission to access the Graph API

Open SvenTo opened this issue 1 year ago • 5 comments

Data collection with azurehound does not work for Azure Service Principals who have no permission to access the Graph API because calling client.GetAzureADOrganization() fails. However, collecting information from the Azure Resource Manager is still possible.

This pull request implements a bugfix so that you can use commands like list az-rm with those Service Principals.

Sample output:

$ ./azurehound list az-rm -v 2 -a "[REDACTED]" --secret "[REDACTED]" -t "[REDACTED]" -o "az-rm.json" --log-file az-rm.log --json
AzureHound 2379ab55f4a5c12ed2cae977ab33a2d59f5a0192
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

No configuration file located at [REDACTED]/.config/azurehound/config.json
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"Log File: az-rm.log"}
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"testing connections"}
{"level":"debug","time":"2023-05-05T16:49:27+02:00","message":"testing connections"}
{"level":"trace","targetUrl":"https://login.microsoftonline.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"trace","targetUrl":"https://graph.microsoft.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"trace","targetUrl":"https://management.azure.com","time":"2023-05-05T16:49:27+02:00","message":"dialing..."}
{"level":"error","error":"map[error:map[code:Authorization_RequestDenied innerError:map[client-request-id:[REDACTED] date:2023-05-05T14:49:27 request-id:[REDACTED]] message:Insufficient privileges to complete the operation.]]","time":"2023-05-05T16:49:27+02:00","message":"unable to get Azure AD organization. It is likely that your user don't have directory reader permissions. If you list non AAD objects (e.g., az-rm) this should be okay."}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"collecting azure resource management objects..."}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all subscription user access admins"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all container registries"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all virtual machine role assignments"}
{"level":"info","time":"2023-05-05T16:49:27+02:00","message":"finished listing all automation accounts"}
[...]

SvenTo, May 05 '23 16:05
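The situation the PR describes, as an added illustration that is not AzureHound's code: the Graph error envelope is classified, and collection proceeds without directory data only when every requested target is resource-manager-only. The target names (`az-rm` for ARM-only, anything else treated as needing Azure AD) and the function names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// graphError mirrors the JSON envelope Microsoft Graph returns on failure,
// e.g. {"error":{"code":"Authorization_RequestDenied","message":"..."}}.
type graphError struct {
	Error struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// ErrNoDirectoryAccess marks the one failure that is safe to tolerate:
// the identity cannot read the directory, but ARM calls may still work.
var ErrNoDirectoryAccess = errors.New("identity lacks directory read permission")

// parseGraphError maps a Graph error body to a typed error so callers can
// use errors.Is instead of string matching. Assumed helper, not AzureHound's.
func parseGraphError(body []byte) error {
	var ge graphError
	if err := json.Unmarshal(body, &ge); err != nil {
		return fmt.Errorf("unparseable graph error: %w", err)
	}
	if ge.Error.Code == "Authorization_RequestDenied" {
		return fmt.Errorf("%w: %s", ErrNoDirectoryAccess, ge.Error.Message)
	}
	return fmt.Errorf("graph error %s: %s", ge.Error.Code, ge.Error.Message)
}

// needsDirectory reports whether any target depends on Azure AD objects.
// Only "az-rm" is assumed to be satisfiable from Resource Manager alone.
func needsDirectory(targets []string) bool {
	for _, t := range targets {
		if t != "az-rm" {
			return true
		}
	}
	return false
}

// planCollection decides whether to continue after the organization lookup.
// It returns (proceed, warning); the warning is non-empty only when we
// continue in degraded, ARM-only mode.
func planCollection(orgErr error, targets []string) (bool, string) {
	if orgErr == nil {
		return true, ""
	}
	if errors.Is(orgErr, ErrNoDirectoryAccess) && !needsDirectory(targets) {
		return true, "unable to get Azure AD organization; continuing with resource manager objects only"
	}
	return false, orgErr.Error()
}
```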

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request

github-actions[bot], May 05 '23 16:05

I have read the CLA Document and I hereby sign the CLA

SvenTo, May 10 '23 16:05

recheck

SvenTo, Aug 21 '23 21:08

I have read the CLA Document and I hereby sign the CLA


recheck

sven-ernw, Aug 22 '23 10:08

@SvenTo @sven-ernw

The CLA check is failing because the first signature is only valid for the SvenTo account and the commit in this PR is from sven-ernw. The second signature from the sven-ernw is malformed.

As sven-ernw please add this one-line comment exactly:

I have read the CLA Document and I hereby sign the CLA

ddlees, Aug 22 '23 15:08