BloodHoundAD / BloodHound

Six Degrees of Domain Admin

Azure - Privileged Identity Management (PIM) Eligible Assignments are ignored, which leads to missing paths

EnriqueHernandezL opened this issue · comments

Describe the bug
When AzureAD roles are set as Eligible over PIM, they get ignored by Bloodhound. In the standard configuration, a user with an eligible PIM assignment can activate it by himself whenever he needs it. This means that edges originating from PIM Eligible assignments (which in a typical enterprise tenant are a lot!) are missed by Bloodhound.

To Reproduce
Steps to reproduce the behavior:

  1. Get a tenant with PIM
  2. Give a user an eligible Global Admin assignment
  3. Bloodhound thinks this is a standard user with no outbound object control, although he is GA!

Expected behavior
PIM Eligible roles should be considered. Note that PIM also supports eligible group memberships and eligible infrastructure-related roles, which as of right now are probably not considered either.

Hey there - PIM roles aren't currently covered by BloodHound, but are something we're tracking for future inclusion. I tagged this as an enhancement request accordingly.
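Added example (not from the issue reporter or the BloodHound project): a small script showing the gap the report describes, namely what a collector that reads only active directory-role assignments misses when eligible PIM assignments are in play. The inputs are constructed stand-ins for what Microsoft Graph v1.0 returns from `GET /roleManagement/directory/roleAssignments` (active) and `GET /roleManagement/directory/roleEligibilityScheduleInstances` (PIM eligible); the principal names and schedule IDs are made up, the two role template IDs are Microsoft's well-known values. The `AZHasRole` edge kind and the `eligible`/`tenantWide`/`viaGroup` properties are this example's own convention for labelling the output, not BloodHound's schema. It also drops eligibilities that are expired or not yet started, and flags eligibilities that are scoped to an administrative unit or inherited through a group, since those change how the path should be read.

```python
"""Find PIM Eligible directory-role holdings that an active-assignments-only
collector would miss. Sample data below is constructed for the example."""
from datetime import datetime, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator template ID
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"    # User Administrator template ID

# Constructed sample: only alice holds Global Admin as a permanent (active) assignment.
ACTIVE_ASSIGNMENTS = {"value": [
    {"id": "ra-1", "principalId": "alice", "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/"},
]}
# Constructed sample of eligibility schedule instances (the PIM Eligible side).
ELIGIBILITY_INSTANCES = {"value": [
    # bob: eligible GA, tenant-wide, no end date -> can activate GA whenever he wants
    {"id": "ei-1", "principalId": "bob", "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/", "memberType": "Direct",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": None},
    # carol: eligibility already expired -> no longer a path
    {"id": "ei-2", "principalId": "carol", "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/", "memberType": "Direct",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-06-30T00:00:00Z"},
    # dave: eligible User Admin scoped to one administrative unit, not tenant-wide
    {"id": "ei-3", "principalId": "dave", "roleDefinitionId": USER_ADMIN,
     "directoryScopeId": "/administrativeUnits/au-finance", "memberType": "Direct",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": None},
    # erin: eligible GA inherited through a role-assignable group
    {"id": "ei-4", "principalId": "erin", "roleDefinitionId": GLOBAL_ADMIN,
     "directoryScopeId": "/", "memberType": "Group",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": None},
]}

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is deterministic


def _ts(value):
    """Parse a Graph ISO-8601 timestamp; None (no expiry) stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_role_keys(resp):
    """(principalId, roleDefinitionId, directoryScopeId) for every active assignment."""
    return {(a["principalId"], a["roleDefinitionId"], a["directoryScopeId"])
            for a in resp["value"]}


def eligible_role_instances(resp, now=NOW):
    """Same keys, mapped to their instance, for eligibilities currently in force.

    Expired or not-yet-started instances are dropped: the principal cannot
    activate them, so they are not a path today.
    """
    current = {}
    for inst in resp["value"]:
        start, end = _ts(inst["startDateTime"]), _ts(inst["endDateTime"])
        if start is not None and start > now:
            continue
        if end is not None and end <= now:
            continue
        key = (inst["principalId"], inst["roleDefinitionId"], inst["directoryScopeId"])
        current[key] = inst
    return current


def missed_eligible_edges(active_resp, eligible_resp, now=NOW):
    """Eligible role holdings with no matching active assignment.

    These are the edges a collector that only reads /roleAssignments never sees.
    The "AZHasRole" kind name and the extra properties are this example's own
    labelling convention (assumption), not BloodHound's schema.
    """
    active = active_role_keys(active_resp)
    edges = []
    for key, inst in sorted(eligible_role_instances(eligible_resp, now).items()):
        if key in active:
            continue  # already represented by a permanent assignment
        principal, role, scope = key
        edges.append({
            "kind": "AZHasRole",
            "source": principal,
            "target": role,
            "eligible": True,                 # must be activated through PIM first
            "tenantWide": scope == "/",       # AU-scoped eligibility is a weaker path
            "viaGroup": inst["memberType"] == "Group",
        })
    return edges


if __name__ == "__main__":
    for edge in missed_eligible_edges(ACTIVE_ASSIGNMENTS, ELIGIBILITY_INSTANCES):
        print(edge)
```

Against real tenant data the same two functions would be fed the paged `value` arrays from the two Graph endpoints; the point of the example is that bob and erin both end up as Global Admin with one self-service activation, yet neither appears anywhere in the active-assignment feed, which is exactly the "standard user with no outbound object control" the report describes. Eligible group memberships (PIM for Groups) are a third feed and are not covered here.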