[Query Issue]: All members of high privileged roles missing role

[rtfmkiesel]

Query GUID

3df24d92-dd12-4125-811b-e696b098f60e

Query content

MATCH p=(t:AZRole)<-[:AZHasRole|AZMemberOf*1..2]-(:AZBase)
WHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator'
RETURN p
LIMIT 1000

Issue description

Is there a specific reason this list is missing Privileged Role Administrator or was it simply forgotten?

The Privileged Role Admin role can grant any other admin role to another principal at the tenant level.

I personally would use the system_tags here:

MATCH p=(t:AZRole)<-[:AZHasRole|AZMemberOf*1..2]-(:AZBase)
WHERE "admin_tier_0" IN split(t.system_tags, " ")
RETURN p
LIMIT 1000

BloodHound version

CE 8.2.0

BloodHound DB

Neo4j

[rtfmkiesel]

The role would also be missing in:

• Shortest paths to privileged roles (3dc73dd8-4873-4aeb-a88f-56a58c77f512)
• Shortest paths from Entra Users to Tier Zero / High Value targets (58089b28-54e0-4fd2-bf66-3db480b00e2f)
• All members of high privileged roles (3df24d92-dd12-4125-811b-e696b098f60e)

[martinsohn]

Hi @rtfmkiesel, nice find! Thank you.

Privileged Role Administrator is indeed a Tier Zero role. This is because this role grants the ability to promote any principal to any role, including Global Administrator.

I agree Shortest paths from Entra Users to Tier Zero / High Value targets should not check for roles. However, the two other queries are behaving as described for now.

I have created #32 and will make sure it gets merged into BloodHound.