Add AZAddOwner relationship creation

[cntC0d3]

Add AZAddOwner relationship between users with Hybrid Identity Administrator, Partner Tier1 Support, Partner Tier2 Support, or Directory Synchronization Accounts roles and all Service Principals and Apps within the tenant

Description

Add logic to analysis/azure/post to perform post-processing analysis for AZAddOwner edges in the UserRoleAssignments function. This was completed by adding a new addOwners function that fetches all ServicePrincipals and Apps within the tenant and proceeds to create the edge between users with the following roles:

• Hybrid Identity Administrator
• Partner Tier1 Support
• Partner Tier2 Support
• Directory Synchronization Accounts

Motivation and Context

This PR addresses: Issue #686

Fully implements documented behavior for AZAddOwner relationships per documentation.

How Has This Been Tested?

Verifying issue:

1. Collect Azurehound data for tenant with users assigned with at least one of the above role.s
2. Upload data to bloodhound server and wait for ingestion.
3. Run the following cypher command against data:

MATCH p=()-[r:AZAddOwner]->() RETURN p LIMIT 25

4. verify no relationships exist.

Verifying fix.

1. Rerun steps 1-3 above.
2. Verify expected relationships between known users with role and all apps/service principals within the same tenant.

Screenshots (optional):

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[cntC0d3]

I have read the CLA Document and I hereby sign the CLA

[cntC0d3]

recheck

[StephenHinck]

Hey, @cntC0d3 - thanks for the PR! We're prepping a release right now and won't be able to get a full review before this one, but we'll be sure to get this reviewed here in the next couple of weeks!

[JonasBK]

Hey @cntC0d3,

Thanks for the PR! It looks good - great job 🙌

We have however started to model the permissions of roles directly out of the AZRole nodes instead of out of the principals with the role assignment. See AZResetPassword as example:

In that way, we reduce the total number of edges created (better performance) and it becomes clear how a given principal has a permission through a role assignment.

Are you up for modifying your AZAddOwner implementation to match that pattern?

The documentation for the AZAddOwner edge has to be updated to match the new pattern. I'll take care of that.

[cntC0d3]

@JonasBK - yeah I can knock that out in the next couple days. 😃

[JonasBK]

Awesome! 🙌

[cntC0d3]

@JonasBK - since Microsoft decided to fix many of the issues associated with this edge I haven't had much motivation to continue working this. Closing PR.

[JonasBK]

Hey @cntC0d3,

Talked with Andy about it. It is only Directory Synchronization Accounts that will loose the ability to add owners to SPs and Apps to our understanding. So your PR is still relevant for the Hybrid Identity Administrator, Partner Tier1 Support, and Partner Tier2 Support roles.

Let me know if you are still interested in fixing up the PR. All cool if not - then we will get it fixed :)