Merge pull request #163 from Mayyhem/BP-491

BED-7248: Resolves BP-491 Request for Entra ID User Last Logon Timestamp AZUser Node Property

Author: zinic

cmd/list-users.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"os"
 	"os/signal"
+	"strings"
 	"time"
 
 	"github.com/bloodhoundad/azurehound/v2/client"
@@ -61,29 +62,36 @@ func listUsersCmdImpl(cmd *cobra.Command, _ []string) {
 func listUsers(ctx context.Context, client client.AzureClient) <-chan interface{} {
 	out := make(chan interface{})
 
-	params := query.GraphParams{Select: []string{
-		"accountEnabled",
-		"createdDateTime",
-		"displayName",
-		"jobTitle",
-		"lastPasswordChangeDateTime",
-		"mail",
-		"onPremisesSecurityIdentifier",
-		"onPremisesSyncEnabled",
-		"userPrincipalName",
-		"userType",
-		"id",
-	}}
+	makeParams := func(includeSignInActivity bool) query.GraphParams {
+		selectCols := []string{
+			"accountEnabled",
+			"createdDateTime",
+			"displayName",
+			"jobTitle",
+			"lastPasswordChangeDateTime",
+			"mail",
+			"onPremisesSecurityIdentifier",
+			"onPremisesSyncEnabled",
+			"userPrincipalName",
+			"userType",
+			"id",
+		}
+		if includeSignInActivity {
+			selectCols = append(selectCols, "signInActivity")
+		}
+		return query.GraphParams{Select: selectCols}
+	}
 
 	go func() {
 		defer panicrecovery.PanicRecovery()
 		defer close(out)
-		count := 0
-		for item := range client.ListAzureADUsers(ctx, params) {
-			if item.Error != nil {
-				log.Error(item.Error, "unable to continue processing users")
-				return
-			} else {
+
+		streamOnce := func(params query.GraphParams) (int, error) {
+			count := 0
+			for item := range client.ListAzureADUsers(ctx, params) {
+				if item.Error != nil {
+					return count, item.Error
+				}
 				log.V(2).Info("found user", "id", item.Ok.Id)
 				count++
 				user := models.User{
@@ -95,12 +103,36 @@ func listUsers(ctx context.Context, client client.AzureClient) <-chan interface{
 					Kind: enums.KindAZUser,
 					Data: user,
 				}); !ok {
-					return
+					return count, nil
 				}
 			}
+			return count, nil
+		}
+
+		includeSignInActivity := true
+		params := makeParams(true)
+		count, err := streamOnce(params)
+		if err != nil && includeSignInActivity && count == 0 && isGraphAuthorizationDenied(err) {
+			log.Info("warning: authorization denied when requesting signInActivity for users (missing AuditLog.Read.All API permission); retrying without signInActivity")
+			includeSignInActivity = false
+			params = makeParams(false)
+			count, err = streamOnce(params)
+		}
+		if err != nil {
+			log.Error(err, "unable to continue processing users")
+			return
 		}
 		log.Info("finished listing all users", "count", count)
 	}()
 
 	return out
 }
+
+func isGraphAuthorizationDenied(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	msgLower := strings.ToLower(msg)
+	return strings.Contains(msg, "Authentication_MSGraphPermissionMissing") && strings.Contains(msgLower, "auditlog.read.all")
+}

cmd/list-users_test.go

@@ -68,3 +68,10 @@ func TestListUsers(t *testing.T) {
 		t.Error("expected channel to close from an error result but it did not")
 	}
 }
+
+func TestIsGraphAuthorizationDenied(t *testing.T) {
+	err := fmt.Errorf("map[error:map[code:Authentication_MSGraphPermissionMissing innerError:map[client-request-id:fac52490-ea06-48f1-941e-5f5bba8e35fc date:2026-01-28T15:29:16 request-id:fac52490-ea06-48f1-941e-5f5bba8e35fc] message:The principal does not have required Microsoft Graph permission(s): AuditLog.Read.All to call this API. For more information about Microsoft Graph permissions, please visit https://learn.microsoft.com/graph/permissions-overview.]]")
+	if !isGraphAuthorizationDenied(err) {
+		t.Errorf("expected true")
+	}
+}

models/azure/user-signinactivity.go

@@ -0,0 +1,34 @@
+package azure
+
+import "encoding/json"
+
+type userAlias User
+
+type userUnmarshalJSON struct {
+	*userAlias
+	SignInActivity *SignInActivity `json:"signInActivity,omitempty"`
+}
+
+func (s *User) UnmarshalJSON(data []byte) error {
+	aux := userUnmarshalJSON{userAlias: (*userAlias)(s)}
+
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+
+	if s.LastSuccessfulSignInDateTime == "" && aux.SignInActivity != nil && aux.SignInActivity.LastSuccessfulSignInDateTime != nil {
+		s.LastSuccessfulSignInDateTime = *aux.SignInActivity.LastSuccessfulSignInDateTime
+	}
+
+	return nil
+}
+
+// SignInActivity represents Microsoft Graph's `signInActivity` object returned on the user entity.
+type SignInActivity struct {
+	LastSignInDateTime                *string `json:"lastSignInDateTime,omitempty"`
+	LastSignInRequestId               *string `json:"lastSignInRequestId,omitempty"`
+	LastNonInteractiveSignInDateTime  *string `json:"lastNonInteractiveSignInDateTime,omitempty"`
+	LastNonInteractiveSignInRequestId *string `json:"lastNonInteractiveSignInRequestId,omitempty"`
+	LastSuccessfulSignInDateTime      *string `json:"lastSuccessfulSignInDateTime,omitempty"`
+	LastSuccessfulSignInRequestId     *string `json:"lastSuccessfulSignInRequestId,omitempty"`
+}

models/azure/user.go

@@ -215,6 +215,12 @@ type User struct {
 	// Returned only on `$select`
 	LastPasswordChangeDateTime string `json:"lastPasswordChangeDateTime,omitempty"`
 
+	// The last time the user successfully signed in, in ISO 8601 format (UTC time).
+	//
+	// This value is sourced from the Microsoft Graph `signInActivity` dictionary.
+	// To populate it, the client must include `signInActivity` in `$select`.
+	LastSuccessfulSignInDateTime string `json:"lastSuccessfulSignInDateTime,omitempty"`
+
 	// Used by enterprise applications to determine the legal age group of the user.
 	//
 	// Returned only on `$select`

models/azure/user_test.go

@@ -0,0 +1,47 @@
+// Copyright (C) 2022 Specter Ops, Inc.
+//
+// This file is part of AzureHound.
+//
+// AzureHound is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// AzureHound is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package azure
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestUserUnmarshal_PopulatesLastSuccessfulSignInDateTimeFromSignInActivity(t *testing.T) {
+	payload := []byte(`{
+		"id":"3fb2a5fc-3a42-4c11-8200-85302657dc1a",
+		"displayName":"test-user",
+		"signInActivity":{
+			"lastSignInDateTime":"2025-01-27T22:20:22Z",
+			"lastSignInRequestId":"af4c2c83-9463-434d-a8e5-fbce099b2600",
+			"lastNonInteractiveSignInDateTime":null,
+			"lastNonInteractiveSignInRequestId":null,
+			"lastSuccessfulSignInDateTime":"2025-01-27T22:20:22Z",
+			"lastSuccessfulSignInRequestId":"af4c2c83-9463-434d-a8e5-fbce099b2600"
+		}
+	}`)
+
+	var u User
+	if err := json.Unmarshal(payload, &u); err != nil {
+		t.Fatalf("unexpected unmarshal error: %v", err)
+	}
+
+	if u.LastSuccessfulSignInDateTime != "2025-01-27T22:20:22Z" {
+		t.Fatalf("expected LastSuccessfulSignInDateTime to be populated, got %q", u.LastSuccessfulSignInDateTime)
+	}
+}