Get-MtUser -UserType "EmergencyAccess" causes infinite loop in our tenant #503

Open
milanschwartz opened this issue Oct 19, 2024 · 2 comments


Issue Report

Environment

•	Maester version: 0.3.0

Description

In our tenant, the Get-MtUser -UserType "EmergencyAccess" command results in an infinite loop. This function attempts to select two groups from Entra ID as BreakGlass groups based on exclusion criteria from conditional access policies. In our case, the groups are on-premise synced, not designated as BreakGlass groups, and should not be used as such. Attempting to fetch the members of these groups causes the infinite loop.

Code section

    Write-Verbose "Emergency access group: $EmergencyAccessGroups"
    foreach ( $EmergencyAccessGroup in $EmergencyAccessGroups ) {
        $TmpUsers = Invoke-MtGraphRequest -RelativeUri "groups/$EmergencyAccessGroup/members" -Select id, userPrincipalName, userType -OutputType Hashtable
        if ( $TmpUsers.ContainsKey('userType') ) {

Output

VERBOSE: Using graph cache: https://graph.microsoft.com/v1.0/groups/<REDACTED>/members?$select=id%2cuserPrincipalName%2cuserType&$skiptoken=<REDACTED>
(repeated infinitely)

Suggested solutions

1. Update Get-MtUser to fail gracefully in case of errors.
2. Allow BreakGlass group IDs to be set as parameters in the following tests:
   - MT.1029-MT.1032
   - BeginDiscovery section in Maester/Entra/Test-ConditionalAccessWhatIf.Tests.ps1
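
One way to make a paged Graph read fail gracefully, in the spirit of suggested solution 1 (an added example, not part of the original report and not Maester's code). `Get-PagedResultSafely`, its `-GetPage` scriptblock, the group ID placeholder and the sample responses are hypothetical and constructed for illustration; the report does not establish why the same `$skiptoken` URL keeps being requested.

```powershell
# Hypothetical helper: follows @odata.nextLink but refuses to request the same URL twice.
function Get-PagedResultSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        # Takes a URI, returns a hashtable with 'value' and an optional '@odata.nextLink'.
        [Parameter(Mandatory)] [scriptblock] $GetPage,
        [int] $MaxPages = 1000
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $items = [System.Collections.Generic.List[object]]::new()
    $next  = $Uri
    while ($next) {
        # HashSet.Add returns $false when the link was already requested: a paging cycle.
        if (-not $seen.Add($next)) {
            throw "Paging aborted: nextLink repeated after $($seen.Count) page(s): $next"
        }
        # Hard ceiling as a second guard against links that never terminate.
        if ($seen.Count -gt $MaxPages) {
            throw "Paging aborted: more than $MaxPages pages requested for $Uri"
        }
        $page = & $GetPage $next
        if ($null -ne $page['value']) { $items.AddRange([object[]]@($page['value'])) }
        $next = $page['@odata.nextLink']
    }
    return $items
}

# Constructed responses: the second page returns a nextLink that points at itself.
$fakePages = @{
    'groups/GROUP-ID-PLACEHOLDER/members' = @{
        value             = @(@{ id = '1'; userPrincipalName = 'a@example.com' })
        '@odata.nextLink' = 'groups/GROUP-ID-PLACEHOLDER/members?$skiptoken=AAA'
    }
    'groups/GROUP-ID-PLACEHOLDER/members?$skiptoken=AAA' = @{
        value             = @(@{ id = '2'; userPrincipalName = 'b@example.com' })
        '@odata.nextLink' = 'groups/GROUP-ID-PLACEHOLDER/members?$skiptoken=AAA'
    }
}

try {
    Get-PagedResultSafely -Uri 'groups/GROUP-ID-PLACEHOLDER/members' -GetPage { param($u) $fakePages[$u] }
} catch {
    # The caller can skip the group and keep running instead of hanging.
    Write-Warning "Skipping group: $($_.Exception.Message)"
}
```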

merill commented Oct 20, 2024

This is interesting. I wonder why a hybrid group would cause an infinite loop.

Tagging @f-bader


milanschwartz commented Oct 21, 2024

> This is interesting. I wonder why a hybrid group would cause an infinite loop.
>
> Tagging @f-bader

Thanks Merill for picking this up. To clarify further, I don't know if the infinite loop is caused by the group being hybrid. I just gave it as background info.
