Azure - Privileged Identity Management (PIM) Eligible Assignments are ignored, which leads to missing paths
EnriqueHernandezL opened this issue · comments
Describe the bug
When AzureAD roles are set as Eligible over PIM, they get ignored by Bloodhound. In the standard configuration, a user with an eligible PIM assignment can activate it by himself whenever he needs it. This means that edges originating from PIM Eligible assignments (which in a typical enterprise tenant are a lot!) are missed by Bloodhound.
To Reproduce
Steps to reproduce the behavior:
- Get a tenant with PIM
- Give a user an eligible Global Admin assignment
- Bloodhound thinks this is a standard user with no outbound object control, although he is GA!
Expected behavior
PIM Eligible roles should be considered. Note that PIM also supports eligible group memberships and eligible infrastructure-related roles, which as of right now are probably not considered either.
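An added audit helper (not part of the issue or of BloodHound/AzureHound) that shows the gap concretely: it diffs eligible assignments against active ones and emits the edges a collector reading only active assignments never sees. It assumes the JSON shape returned by Microsoft Graph for `/roleManagement/directory/roleEligibilityScheduleInstances` and `/roleManagement/directory/roleAssignments`; the payloads and IDs below are constructed, and the edge kind `AZEligibleRole` is a hypothetical name.

```python
import json

# Constructed sample responses (shape of Microsoft Graph v1.0
# roleEligibilityScheduleInstances and roleAssignments); IDs are made up.
ELIGIBLE_JSON = """{"value": [
  {"principalId": "user-alice", "roleDefinitionId": "role-global-admin",
   "directoryScopeId": "/", "memberType": "Direct"},
  {"principalId": "user-bob", "roleDefinitionId": "role-user-admin",
   "directoryScopeId": "/", "memberType": "Direct"}
]}"""
ACTIVE_JSON = """{"value": [
  {"principalId": "user-bob", "roleDefinitionId": "role-user-admin",
   "directoryScopeId": "/"},
  {"principalId": "user-carol", "roleDefinitionId": "role-global-admin",
   "directoryScopeId": "/"}
]}"""


def assignment_key(a):
    # Identity of an assignment: who, which role, at which scope.
    return (a["principalId"], a["roleDefinitionId"], a.get("directoryScopeId", "/"))


def eligible_only(eligible, active):
    """Assignments that exist only as PIM-eligible. A collector that reads
    active assignments alone creates no edge for these, which is the gap
    described in the issue (alice is eligible GA but not active GA)."""
    active_keys = {assignment_key(a) for a in active["value"]}
    return sorted({assignment_key(e) for e in eligible["value"]} - active_keys)


def to_edges(triples):
    """Render as BloodHound-style edge records; 'AZEligibleRole' is a
    hypothetical edge kind chosen for this example."""
    return [{"source": p, "target": r, "scope": s, "kind": "AZEligibleRole"}
            for p, r, s in triples]


def audit(eligible_text=ELIGIBLE_JSON, active_text=ACTIVE_JSON):
    return to_edges(eligible_only(json.loads(eligible_text), json.loads(active_text)))


if __name__ == "__main__":
    for edge in audit():
        print(edge)
```

Against a real tenant, pass the two Graph responses (fetched with an appropriately scoped token) to `audit`; any edge it returns is a control path the active-only view misses.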
Hey there - PIM roles aren't currently covered by BloodHound, but are something we're tracking for future inclusion. I tagged this as an enhancement request accordingly.