19 changes: 18 additions & 1 deletion cmd/api/src/services/graphify/azure_convertors.go
Expand Up @@ -36,6 +36,7 @@ const (
ExtractError = "failed to extract owner id/type from directory object: %v"
PrincipalTypeServicePrincipal = "ServicePrincipal"
PrincipalTypeUser = "User"
PrincipalTypeGroup = "Group"
)

func getKindConverter(kind enums.Kind) func(json.RawMessage, *ConvertedAzureData, time.Time) {
Expand Down Expand Up @@ -212,11 +213,27 @@ func convertAzureAppRoleAssignment(raw json.RawMessage, converted *ConvertedAzur

if err := json.Unmarshal(raw, &data); err != nil {
slog.Error(fmt.Sprintf(SerialError, "app role assignment", err))
} else if data.AppId == azure.MSGraphAppUniversalID && data.PrincipalType == PrincipalTypeServicePrincipal {
return
}

if data.AppId == azure.MSGraphAppUniversalID && data.PrincipalType == PrincipalTypeServicePrincipal {
converted.NodeProps = append(converted.NodeProps, ein.ConvertAzureAppRoleAssignmentToNodes(data)...)
if rel := ein.ConvertAzureAppRoleAssignmentToRel(data); rel.IsValid() {
converted.RelProps = append(converted.RelProps, rel)
}
return
}

if data.PrincipalType == PrincipalTypeGroup {
if rel := ein.ConvertAzureGroupAppRoleAssignmentToRel(data); rel.IsValid() {
converted.RelProps = append(converted.RelProps, rel)
}
}

if data.PrincipalType == PrincipalTypeUser {
if rel := ein.ConvertAzureUserAppRoleAssignmentToRel(data); rel.IsValid() {
converted.RelProps = append(converted.RelProps, rel)
}
}
}

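Review bot: The Group and User branches at the end of convertAzureAppRoleAssignment test the same field against two mutually exclusive constants as separate `if` statements; a `switch data.PrincipalType {` with `case PrincipalTypeGroup:` and `case PrincipalTypeUser:` arms makes the dispatch explicit and gives any future principal type an obvious place to go. The service-principal branch above them is additionally gated on `data.AppId == azure.MSGraphAppUniversalID`, so a ServicePrincipal assignment to any other app now falls through all three branches and produces nothing, while Group and User assignments are converted for every app; if that asymmetry is intended, a one-line comment such as `// Only MS Graph app role assignments are modelled for service principals; user and group assignments are modelled for every app.` would save the next reader a question. The function's signature and the `data` declaration sit above the hunk.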
34 changes: 34 additions & 0 deletions packages/go/ein/azure.go
Expand Up @@ -296,6 +296,40 @@ func ConvertAzureAppRoleAssignmentToRel(data models.AppRoleAssignment) Ingestibl
)
}

func ConvertAzureGroupAppRoleAssignmentToRel(data models.AppRoleAssignment) IngestibleRelationship {
return NewIngestibleRelationship(
IngestibleEndpoint{
Value: strings.ToUpper(data.PrincipalId.String()),
Kind: azure.Group,
},
IngestibleEndpoint{
Kind: azure.App,
Value: strings.ToUpper(data.AppId),
},
IngestibleRel{
RelProps: map[string]any{},
RelType: azure.MemberOf,
},
)
}

func ConvertAzureUserAppRoleAssignmentToRel(data models.AppRoleAssignment) IngestibleRelationship {
return NewIngestibleRelationship(
IngestibleEndpoint{
Value: strings.ToUpper(data.PrincipalId.String()),
Kind: azure.User,
},
IngestibleEndpoint{
Kind: azure.App,
Value: strings.ToUpper(data.AppId),
},
IngestibleRel{
RelProps: map[string]any{},
RelType: azure.MemberOf,
},
)
}

func ConvertAzureFunctionAppToNode(data models.FunctionApp, ingestTime time.Time) IngestibleNode {
return IngestibleNode{
ObjectID: strings.ToUpper(data.Id),
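Review bot: ConvertAzureGroupAppRoleAssignmentToRel and ConvertAzureUserAppRoleAssignmentToRel are byte-for-byte identical apart from the principal endpoint's Kind (`azure.Group` versus `azure.User`), so the shared body is worth extracting into one unexported helper that takes the principal kind as a parameter, with each exported function reduced to a single delegating line such as `return convertAzurePrincipalAppRoleAssignmentToRel(data, azure.Group)`. Both are exported and carry no doc comment; Go convention wants one starting with the name, e.g. `// ConvertAzureGroupAppRoleAssignmentToRel builds the MemberOf relationship from the assignment's group principal to the target app identified by AppId.` and the matching sentence for the User variant. The RelType for both is `azure.MemberOf`, which reads unusually for a principal-to-app app-role assignment next to the service-principal conversion above; if that modelling is deliberate, stating it in the doc comment would make the intent reviewable.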