AAD provider Get-PrivilegedUser function assigns duplicate role names to a user in the provider JSON in some cases #703

Closed
@tkol2022

Description

🐛 Summary

The AAD PowerShell provider contains a function named Get-PrivilegedUser which creates a hashtable of privileged users and their respective roles. This gets placed into a JSON element named privileged_users. When I ran against Test Tenant 3 (E5) I noticed that a couple of the users in that JSON element had a duplicate role, SharePoint Administrator. I would expect to see a specific role listed only once for each user.

There are a couple of cases that seem to cause this to occur:

  1. The duplicate assignment is being listed in the JSON for the respective users because they are assigned to a privileged role as both Eligible and as Active at the same time.
  2. The problem also occurs when a user is directly assigned to a role and the user is a member of a group that is assigned to the role at the same time. See "Get-PrivilegedUsers in the AAD Provider is collecting duplicate user role values" (#221), as previously reported for this scenario.

The problem is not specific to SharePoint Administrator; the same problem occurs for other roles based on my testing.

Examine the provider settings export JSON file below and observe that some of the users have the SharePoint Admin role listed twice.
[image: provider settings export JSON]

To reproduce

Re-create the conditions which cause the problem as documented above.

  1. For scenario 1, designate a specific user as the test case and then assign that user to a privileged role (e.g. SharePoint Administrator) as both Active and Eligible in PIM.
  2. For scenario 2, assign a user directly to a role and also assign them to a role via group membership (i.e. assign their group to the role).
  3. Run the AAD provider against the test tenant and you should observe the role listed twice in the privileged_users hashtable.
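An added example of the de-duplication this report asks for, written here for illustration and not taken from the ScubaGear provider: it collapses Active + Eligible and direct + group-based assignments into one role entry per user, and includes a check that flags any privileged_users entry still carrying a repeated role. The assignment records, group membership and ids are constructed, and the field names (PrincipalId, RoleName, State) are assumptions.

```powershell
# Constructed sample data (not real tenant output): direct Active, direct Eligible, and group-based assignments.
$DirectAssignments = @(
    @{ PrincipalId = 'user-a';  RoleName = 'SharePoint Administrator'; State = 'Active' },
    @{ PrincipalId = 'user-a';  RoleName = 'SharePoint Administrator'; State = 'Eligible' },
    @{ PrincipalId = 'user-b';  RoleName = 'Global Administrator';     State = 'Active' },
    @{ PrincipalId = 'group-1'; RoleName = 'Global Administrator';     State = 'Active' }
)
# Constructed group membership: group-1 contains user-b (already directly assigned) and user-c.
$GroupMembers = @{ 'group-1' = @('user-b', 'user-c') }

function Get-DedupedPrivilegedUsers {
    param([array]$Assignments, [hashtable]$GroupMembers)
    $Collected = @{}
    foreach ($a in $Assignments) {
        # Expand a group principal into its member users; a user principal stands for itself.
        if ($GroupMembers.ContainsKey($a.PrincipalId)) { $Principals = $GroupMembers[$a.PrincipalId] }
        else { $Principals = @($a.PrincipalId) }
        foreach ($u in $Principals) {
            if (-not $Collected.ContainsKey($u)) {
                # A HashSet enforces uniqueness, so a second path to the same role is a no-op.
                $Collected[$u] = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
            }
            [void]$Collected[$u].Add($a.RoleName)
        }
    }
    # Emit roles as sorted arrays so the resulting JSON is stable across runs.
    $Result = @{}
    foreach ($k in $Collected.Keys) { $Result[$k] = @($Collected[$k] | Sort-Object) }
    return $Result
}

function Test-DuplicateRoles {
    param([hashtable]$PrivilegedUsers)
    # Returns the ids of users whose role list repeats a role name (the symptom described in this issue).
    foreach ($k in $PrivilegedUsers.Keys) {
        $Roles = @($PrivilegedUsers[$k])
        if ($Roles.Count -ne @($Roles | Select-Object -Unique).Count) { $k }
    }
}

$Deduped = Get-DedupedPrivilegedUsers -Assignments $DirectAssignments -GroupMembers $GroupMembers
$Deduped | ConvertTo-Json            # user-a has SharePoint Administrator once; user-b/user-c Global Administrator once
Test-DuplicateRoles -PrivilegedUsers $Deduped   # returns nothing: no repeated roles
# The same check against a constructed entry shaped like the buggy export flags the user:
Test-DuplicateRoles -PrivilegedUsers @{ 'user-x' = @('SharePoint Administrator', 'SharePoint Administrator') }
```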

Labels

bug (This issue or pull request addresses broken functionality)