Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix AZResetPassword false positives #637

Merged
merged 1 commit into from
Jan 24, 2023
Merged

Fix AZResetPassword false positives #637

merged 1 commit into from
Jan 24, 2023

Conversation

simondotsh
Copy link
Contributor

Some roles cannot reset the password of users that either own or are members of role-assignable groups. The queries to create AZResetPassword edges have been modified to take this into account for the following roles:

  • Helpdesk Administrator
  • Authentication Administrator
  • Password Administrator
  • User Administrator

@andyrobbins
Copy link
Contributor

Hi @simondotsh

Thank you for this great PR. This false positive was due to an oversight on my part. I created some tests to validate the logic in your PR and I was able to verify that, indeed, Global Admins and Privileged Auth Admins can reset the passwords for members and owners of role-eligible groups while the other password-reset roles do not grant this ability.

I tested this by creating service principals for each default AAD admin role, granting the role to each SP, then having each SP try to reset the passwords for two users: one that owns a role eligible group, and one that is a member of a role eligible group. I also wanted to know whether groups can be owners of groups, and this does not appear to be possible through either the Azure portal GUI nor through the MS Graph API endpoint (so those details are in red:)

Screen Shot 2023-01-24 at 11 34 06 AM

After testing each role's ability to reset the password for each of these users, I found that your report for the false positive is correct, but that we also have a false negative: the Partner Tier2 Support role grants the ability to reset the password for a user that owns a role eligible group, but not to reset the password for a member of a role eligible group:

Screen Shot 2023-01-24 at 11 35 28 AM

I'm not sure if this is intended by Microsoft so I'm going to contact them and see what the deal is there before adding the password reset logic for Partner Tier2 Support into BloodHound.

Thank you again for this great PR

Andy

Copy link
Contributor

@andyrobbins andyrobbins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic matches the behavior of Azure, and the build correctly creates AZResetPassword edges

@andyrobbins andyrobbins merged commit ce95073 into BloodHoundAD:master Jan 24, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Jan 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants