-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple tests fail to run correctly when tenant has a privileged Group with access into the tenant via a GDAP relationship #521
Comments
A test with Global Reader A test with Global Admin @mattcave do you have a few more examples on maybe narrowing down this? |
There's one more key factor that I didn't include in my initial report. Apologies. We are authenticating to Graph using delegated access via GDAP. In the screenshot I shared before, we are Does that make sense? |
Did further testing today, and the way we are accessing the problem tenant is not relevant. I get the same error if I It also seems that the GDAP relationship does not need to include the GA role in order to trigger this issue. I have a GDAP relationship that includes a number of other lesser-privileged roles that still experiences the error. For example running MS.AAD.7.2 on this tenant...
Trying to get group memberships for a group that has delegated access into the tenant from a "parent" tenant will result in a 404, and hence the test will fail. I have reproduced this in a test environment, and can share credentials if it helps understand the issue. |
This definitely makes sense. As that AdminAgents group would be in a distinct tenant. So is the issue the test skips or fails in the report, or is it just for the
As for logging in to tenants interactively over GDAP to run tests, I would definitely avoid that. The recommendation would be to use an Enterprise App in the client tenant that is based on the App Reg in your tenant. The main reasoning is that the GDAP capabilities will vary for each API and SDK. |
The issue is that the test fails as a result of that 404 error I mentioned. The 404 causes the test to throw an exception which results in a "fail". I'm not sure what the correct behaviour should be. Fail with an explanation, because we will never be able to tell if the configuration is "Safe" or not? List the unresolvable groups in the test details?
Yeh, that's what we're doing. I did that interactive login purely for testing purposes in our QA environment, to eliminate any weirdness as a result of how we're generating the token, and ensure I 100% understand the root cause of the issue. |
I am having an AOBO mapping configured for my test environment. Since the issue isn't with GDAP relationships but rather the AOBO group membership enumeration. @mattcave if you have ideas on how to identify and exclude the AOBO groups feel free to work on a PR. Otherwise I will plan to test and try to identify a solution. |
We work with a number of tenants who have GDAP relationships with multiple vendors (e.g. a vendor that they buy MS licences from). If that GDAP relationship includes the role Global Administrator, a number of tests will fail to run correctly. This is because the call to
Get-MtRoleMember
will result in a 404 error - the code tries to make a Graph call to https://graph.microsoft.com/v1.0/groups/<group_id>/members but that call (correctly) returns a 404 as that object is not part of the target tenant.I'm not sure what the correct behaviour is in this scenario.
Perhaps the best course of action is to provide better info about why the test is failing (ie we can't pull all the info we need)?
I believe this affects all MS.AAD.7.x tests
The text was updated successfully, but these errors were encountered: