If the App instance property lock is configured on the App Registration, it is no longer possible to add a secret or certificate to the Enterprise Application (it is still possible on the App Registration).
Since this is not yet considered in AzureHound / BloodHound, this leads to wrong edges: AZAddSecret --> Enterprise Application.
Are you intending to fix this bug?
Partially, I will create a PR to slightly adjust the text for AZAddSecret.
However, it would be nice if the creation of the wrong edges could be prevented.
Component(s) Affected:
Bloodhound Edges
Steps to Reproduce:
1. Create a new App registration
2. Create a new user and assign the role Application Administrator
3. Collect the data with AzureHound and import it
4. Check the path from the user created in step 2 to the enterprise application (not the app registration) created in step 1
Expected Behavior:
For internal applications (the app registration is in the same tenant), the app lock status should be enumerated, and the AZAddSecret edge should only be created if the enterprise application is not protected by it.
Since it is not possible to enumerate app registrations in a foreign tenant, the AZAddSecret text should be adjusted.
Actual Behavior / Screenshots/Code Snippets/Sample Files:
Bloodhound shows that a user with the role Application Administrator can add a secret to the Enterprise Application:
However, the corresponding App Registration has the app instance property lock configured:
Therefore, it is not possible to add a secret to the enterprise application:
StephenHinck changed the title from "Bug: Azurehound / Bloodhound CE: "App Instance Property Lock" are not considered leading to wrong edges AZAddSecret" to "FEAT: Azurehound / Bloodhound CE: "App Instance Property Lock" are not considered leading to wrong edges AZAddSecret" on Jan 2, 2025
Description:
In September 2023, Microsoft introduced a new feature in Entra: App instance property lock.
Since March 2024 it has been enabled by default for all newly created app registrations.
Source: https://techcommunity.microsoft.com/blog/identity/what%e2%80%99s-new-in-microsoft-entra/3796394
Environment Information:
Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1
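The filtering the Expected Behavior section asks for, as an added example that is not AzureHound or BloodHound code: given the tenant's App Registrations and Enterprise Applications, keep an AZAddSecret edge to a service principal only when the matching app registration's lock does not block credential changes, and mark the edge as unconfirmed when the registration lives in a foreign tenant and cannot be enumerated. The property names (`servicePrincipalLockConfiguration`, `isEnabled`, `allProperties`, `credentialsWithUsageVerify`, `credentialsWithUsageSign`, `appOwnerOrganizationId`) are those of the Microsoft Graph `application` and `servicePrincipal` resources; the rule that `allProperties` or `credentialsWithUsageVerify` is what blocks an OAuth client secret or certificate on the service principal is my reading of the Graph documentation and is labelled as an assumption in the code. All objects, IDs and the tenant ID are constructed sample data.

```python
"""Added example (not AzureHound/BloodHound code): validate AZAddSecret edges
against the app instance property lock of the matching App Registration."""

from typing import Optional

# Constructed sample tenant ID; any GUID works for the offline example.
TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample App Registrations, shaped like Graph 'application' objects
# (GET /v1.0/applications?$select=appId,displayName,servicePrincipalLockConfiguration).
APPLICATIONS = [
    {"appId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "locked-all",
     "servicePrincipalLockConfiguration": {
         "isEnabled": True, "allProperties": True,
         "credentialsWithUsageVerify": True, "credentialsWithUsageSign": True}},
    {"appId": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "unlocked",
     "servicePrincipalLockConfiguration": {
         "isEnabled": False, "allProperties": True,
         "credentialsWithUsageVerify": True, "credentialsWithUsageSign": True}},
    {"appId": "cccccccc-0000-0000-0000-000000000003", "displayName": "locked-verify-only",
     "servicePrincipalLockConfiguration": {
         "isEnabled": True, "allProperties": False,
         "credentialsWithUsageVerify": True, "credentialsWithUsageSign": False}},
    {"appId": "dddddddd-0000-0000-0000-000000000004", "displayName": "locked-sign-only",
     "servicePrincipalLockConfiguration": {
         "isEnabled": True, "allProperties": False,
         "credentialsWithUsageVerify": False, "credentialsWithUsageSign": True}},
]

# Constructed sample Enterprise Applications, shaped like Graph 'servicePrincipal' objects.
# sp-foreign belongs to a multi-tenant app registered in another tenant.
SERVICE_PRINCIPALS = [
    {"id": "sp-locked-all", "appId": APPLICATIONS[0]["appId"], "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-unlocked", "appId": APPLICATIONS[1]["appId"], "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-verify-only", "appId": APPLICATIONS[2]["appId"], "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-sign-only", "appId": APPLICATIONS[3]["appId"], "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-foreign", "appId": "eeeeeeee-0000-0000-0000-000000000005",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]


def secret_add_blocked_by_lock(lock: Optional[dict]) -> bool:
    """True when the lock stops an admin adding an OAuth client secret or
    certificate to the service principal.

    Assumption (my reading of the Graph docs): 'allProperties' locks every
    lockable property, and 'credentialsWithUsageVerify' locks the
    password/key credentials used by OAuth clients. 'credentialsWithUsageSign'
    only covers SAML signing credentials, so it does not block AZAddSecret."""
    if not lock or not lock.get("isEnabled", False):
        return False
    return bool(lock.get("allProperties") or lock.get("credentialsWithUsageVerify"))


def classify_add_secret_target(sp: dict, apps_by_appid: dict, tenant_id: str) -> str:
    """Return 'valid', 'blocked' or 'unknown' for an AZAddSecret edge to sp."""
    if sp.get("appOwnerOrganizationId") != tenant_id:
        return "unknown"  # registration is in a foreign tenant; lock not enumerable
    app = apps_by_appid.get(sp.get("appId"))
    if app is None:
        return "unknown"  # registration missing from the collected data
    lock = app.get("servicePrincipalLockConfiguration")
    return "blocked" if secret_add_blocked_by_lock(lock) else "valid"


def add_secret_edges(principal_id: str, service_principals: list, applications: list, tenant_id: str):
    """Build AZAddSecret edges from a principal (e.g. an Application Administrator)
    to each service principal, dropping those the lock blocks.

    Returns (edges, verdicts): edges are (source, 'AZAddSecret', target, confirmed)
    tuples; confirmed is False when the lock could not be checked."""
    apps_by_appid = {a["appId"]: a for a in applications}
    edges, verdicts = [], {}
    for sp in service_principals:
        verdict = classify_add_secret_target(sp, apps_by_appid, tenant_id)
        verdicts[sp["id"]] = verdict
        if verdict == "valid":
            edges.append((principal_id, "AZAddSecret", sp["id"], True))
        elif verdict == "unknown":
            edges.append((principal_id, "AZAddSecret", sp["id"], False))
    return edges, verdicts


if __name__ == "__main__":
    edges, verdicts = add_secret_edges("user-app-admin", SERVICE_PRINCIPALS, APPLICATIONS, TENANT_ID)
    for sp_id, verdict in verdicts.items():
        print(f"{sp_id:16} {verdict}")
    for src, kind, dst, confirmed in edges:
        print(f"{src} -[{kind}{'' if confirmed else ' (unconfirmed)'}]-> {dst}")
```

Against a live tenant the two inputs would come from `GET /v1.0/applications` and `GET /v1.0/servicePrincipals`; the foreign-tenant branch is the case the post says cannot be resolved, so the edge is kept but flagged rather than silently dropped or silently trusted.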