
Azure - Privileged Identity Management (PIM) Eligible Assignments are ignored, which leads to missing paths #678

Open
EnriqueHernandezL opened this issue Jun 20, 2023 · 1 comment

Comments

@EnriqueHernandezL

Describe the bug
When Azure AD roles are set as Eligible over PIM, they get ignored by BloodHound. In the standard configuration, a user with an eligible PIM assignment can activate it by himself whenever he needs it. This means that edges originating from PIM Eligible assignments (which in a typical enterprise tenant are a lot!) are missed by BloodHound.

To Reproduce
Steps to reproduce the behavior:

  1. Get a tenant with PIM
  2. Give a user an eligible Global Admin assignment
  3. BloodHound thinks this is a standard user with no outbound object control, although he is GA!

Expected behavior
PIM Eligible roles should be considered. Note that PIM also supports eligible group memberships and eligible infrastructure-related roles, which as of right now are probably not considered either.
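The gap described in the issue can be checked directly against Microsoft Graph. The script below is an added example and is not BloodHound, SharpHound or the issue author's code: it pulls the tenant's `roleEligibilityScheduleInstances` (the objects PIM creates for eligible, not active, directory-role assignments), turns each one into an edge from the eligible principal to the role, and lists every principal who can self-activate Global Administrator tenant-wide. It assumes a Graph bearer token in the `GRAPH_TOKEN` environment variable with permission to read role eligibility schedules, and that `$expand=principal,roleDefinition` is accepted on that endpoint; without a token it runs on the constructed `SAMPLE_INSTANCES` data embedded in the file. The Global Administrator role ID is the well-known built-in template ID.

```python
"""List Azure AD PIM *eligible* directory-role assignments as edges.

Added example, not BloodHound code. Needs GRAPH_TOKEN (Microsoft Graph bearer
token with e.g. RoleEligibilitySchedule.Read.Directory) to query a real tenant;
otherwise it uses the constructed SAMPLE_INSTANCES below.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Built-in template ID of Global Administrator; identical to its roleDefinition id.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def graph_get_all(path, token):
    """GET a Graph collection and follow @odata.nextLink paging to the end."""
    items, url = [], GRAPH + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def _label(obj, fallback):
    """Human-readable name for an expanded principal/roleDefinition, else its id."""
    if not obj:
        return fallback
    return obj.get("userPrincipalName") or obj.get("displayName") or fallback


def eligible_role_edges(instances):
    """Map roleEligibilityScheduleInstance objects to edge dicts.

    Each edge records who is eligible, for which role, at which directory
    scope ("/" = tenant-wide) and whether the eligibility is held directly
    or inherited through a group (memberType).
    """
    edges = []
    for inst in instances:
        edges.append({
            "source": _label(inst.get("principal"), inst["principalId"]),
            "edge": "AZEligibleRole",   # hypothetical edge name for illustration
            "target": _label(inst.get("roleDefinition"), inst["roleDefinitionId"]),
            "scope": inst.get("directoryScopeId", "/"),
            "via": inst.get("memberType", "Direct"),
        })
    return edges


def eligible_global_admins(instances):
    """Principal IDs that can self-activate Global Administrator tenant-wide.

    Eligibility scoped to an administrative unit is deliberately excluded:
    it does not grant tenant-wide control.
    """
    return sorted({
        inst["principalId"] for inst in instances
        if inst["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID
        and inst.get("directoryScopeId", "/") == "/"
    })


# Constructed sample (fake IDs, not tenant data) shaped like the Graph response.
SAMPLE_INSTANCES = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
     "memberType": "Direct",
     "principal": {"userPrincipalName": "eve@contoso.example"},
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": "00000000-0000-0000-0000-00000000aaaa", "directoryScopeId": "/",
     "memberType": "Group",
     "principal": {"displayName": "Helpdesk Tier 2"},
     "roleDefinition": {"displayName": "User Administrator"}},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "directoryScopeId": "/administrativeUnits/44444444-4444-4444-4444-444444444444",
     "memberType": "Direct",
     "principal": {"userPrincipalName": "bob@contoso.example"},
     "roleDefinition": {"displayName": "Global Administrator"}},
]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    path = "/roleManagement/directory/roleEligibilityScheduleInstances?$expand=principal,roleDefinition"
    instances = graph_get_all(path, token) if token else SAMPLE_INSTANCES
    for e in eligible_role_edges(instances):
        print(f'{e["source"]} -[{e["edge"]} via {e["via"]} @ {e["scope"]}]-> {e["target"]}')
    print("eligible Global Admins (tenant-wide):", eligible_global_admins(instances))
```

Run it with `GRAPH_TOKEN=... python3 pim_eligible.py`; any principal that appears in the output but has no outbound control in BloodHound is exactly a missed path of the kind the issue reports. Active (already activated) assignments live in a separate collection, `roleAssignmentScheduleInstances`, and are not covered here.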

@StephenHinck

Hey there - PIM roles aren't currently covered by BloodHound, but are something we're tracking for future inclusion. I tagged this as an enhancement request accordingly.
