BED-6715: AzureHound managed identity authentication

[jeff-matthews]

Purpose

This pull request (PR) adds documentation for configuring the Azure Managed Identity authentication option for AzureHound data collection (introduced in v8.3.0).

Some end-to-end testing is still required to validate, but I may need some help from Engineering with that (or someone who has configured an AzureHound collector before).

Note

The new section intentionally directs users to the relevant Microsoft docs rather than reproducing that content in our docs because I didn't identify any unique BloodHound nuances that would otherwise require it.

Additional info

• Removed unnecessary screenshots
• Removed the optional branding step (the procedure is already relatively complex)
• Normalized the structure of the procedures using the Step component
• Added a little more context about the certificate and managed ID auth methods

Staging

• Azure configuration
• AzureHound configuration

Summary by CodeRabbit

• Documentation
  • Reorganized Azure configuration guide with clearer workflow diagrams and improved step-by-step instructions
  • Added tabbed authentication options for Azure Managed Identity and certificate-based setup
  • Updated AzureHound version references to v2.8.1
  • Enhanced prerequisites and configuration sections for better clarity

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Documentation for AzureHound installation and configuration restructured to support multi-path authentication (Azure Managed Identity and Certificate-based). Version references updated from v2.0.5 to v2.8.1, prerequisites expanded, and content reorganized with new UI components and managed identity recommendation snippets integrated.

Changes

Cohort / File(s)	Change Summary
Azure Configuration Documentation docs/install-data-collector/install-azurehound/azure-configuration.mdx	Replaced linear step-by-step app registration flow with higher-level introduction and Mermaid workflow diagram. Added import for managed identity recommendation component. Restructured "Create a new app registration," "Assign required API permissions," and "Configure authentication" sections into tab-driven format with dedicated subsections for Managed Identity (recommended) and Certificate options. Updated and reorganized step sequences, frame references, and IAM role assignment guidance. Retained PowerShell scripted app registration section with rewritten flow.
Configuration Setup Documentation docs/install-data-collector/install-azurehound/create-configuration.mdx	Added import of managed identity recommendation component. Expanded prerequisites table to include BloodHound Enterprise URL and explicit Managed Identity/Certificate authentication guidance. Updated version references from v2.0.5 to v2.8.1. Replaced single-path authentication with multi-tab UI (Azure Managed Identity and Certificate tabs). Reoriented recommendation from certificate-based to managed identity-based authentication. Added explicit prompts for identity type selection and client ID entry with guidance. Integrated managed identity recommendation snippet and expanded certificate-based authentication path with dedicated tab and instructions.
Managed Identity Recommendation Snippet docs/snippets/hounds/managed-id-recommendation.mdx	Added clarification sentence emphasizing Microsoft's recommendation for User-Assigned Managed Identity for Microsoft services, noting example demonstrates this type, and included link to Microsoft Docs overview.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Focus areas: Verify version number updates (v2.0.5 → v2.8.1) are applied consistently across all code examples and references
• Confirm import paths for ManagedIdentityRecommendation component resolve correctly across both modified files
• Review tab-based authentication flow structure in create-configuration.mdx for logical coherence and completeness of both Managed Identity and Certificate paths
• Validate that step sequences and UI component references align with actual documentation rendering capabilities

Possibly related PRs

• BED-6715: Prepare AzureHound Enterprise configuration topic for managed identity authentication #100: Modifies create-configuration.mdx with managed identity authentication flow restructuring and multi-path configuration introduction
• Updated Entra ID and Azure configuration guide #50: Makes overlapping edits to Azure/Entra ID configuration docs covering app registration, permissions assignment, certificate authentication, and PowerShell script updates

Suggested reviewers

• StephenHinck
• rtippitt-specterops

Poem

🐰 The auth paths now shimmer in dual-tab delight,
Managed identities gleaming, certificates shining so bright,
From v2.0.5 to v2.8.1 we hop and we bound,
Documentation restructured—best practices found! 🌟
Azure configuration blooms with each careful rearrange,
A rabbit's delight in the docs' welcome change! 🥬

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title directly reflects the main change: adding documentation for AzureHound managed identity authentication. It's concise, specific, and clearly communicates the primary objective of the PR.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch BED-6715-managed-id-auth-method

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

docs/install-data-collector/install-azurehound/azure-configuration.mdx (1)

156-172: Clarify that Microsoft Graph permissions require admin consent.

While the steps correctly guide users through granting admin consent, the learning preferences indicate that documentation should explicitly state that Microsoft Graph application permissions (Directory.Read.All and RoleManagement.Read.All) require admin consent.

Consider adding a clarifying note before this step to emphasize that admin consent is a required next step after adding permissions.

Based on learnings, add an explicit note like:

  <Step title="Grant admin consent">
+
+    The Microsoft Graph API permissions (Directory.Read.All and RoleManagement.Read.All) require admin consent to function correctly.
+
    After adding the required permissions, you must grant admin consent for the application to use them.

docs/install-data-collector/install-azurehound/create-configuration.mdx (1)

2-2: Update title to include "Enterprise" for consistency.

The page title "Create an AzureHound Configuration" should be "Create an AzureHound Enterprise Configuration" to match terminology conventions used elsewhere in the documentation and to be explicit that this is an Enterprise-specific feature.

-title: Create an AzureHound Configuration
+title: Create an AzureHound Enterprise Configuration

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0509532 and 379dffe.

⛔ Files ignored due to path filters (20)

• docs/assets/azurehound-install-app-registrations.png is excluded by !**/*.png
• docs/assets/azurehound-install-branding-result.png is excluded by !**/*.png
• docs/assets/azurehound-install-branding.png is excluded by !**/*.png
• docs/assets/azurehound-install-upload-logo.png is excluded by !**/*.png
• docs/assets/image-103.png is excluded by !**/*.png
• docs/assets/image-106.png is excluded by !**/*.png
• docs/assets/image-108.png is excluded by !**/*.png
• docs/assets/image-110.png is excluded by !**/*.png
• docs/assets/image-111.png is excluded by !**/*.png
• docs/assets/image-113.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/admin-consent-granted.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/app-registration-details.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/directory-read-all.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/grant-admin-consent.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/ms-graph-api-permission-type.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/register-app.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/remove-default-permission.png is excluded by !**/*.png
• docs/images/data_collectors/azurehound/rolemanagement-read-all.png is excluded by !**/*.png
• docs/images/data_collectors/grant_admin_consent.png is excluded by !**/*.png
• docs/images/data_collectors/rolemanagement_read_all.png is excluded by !**/*.png

📒 Files selected for processing (3)

• docs/install-data-collector/install-azurehound/azure-configuration.mdx (1 hunks)
• docs/install-data-collector/install-azurehound/create-configuration.mdx (4 hunks)
• docs/snippets/hounds/manged-id-recommendation.mdx (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

📚 Learning: 2025-08-08T15:57:55.743Z

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

• docs/install-data-collector/install-azurehound/azure-configuration.mdx
• docs/snippets/hounds/manged-id-recommendation.mdx
• docs/install-data-collector/install-azurehound/create-configuration.mdx

📚 Learning: 2025-10-02T18:01:39.059Z

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 67
File: docs/collect-data/enterprise-collection/privileged-collection.mdx:7-7
Timestamp: 2025-10-02T18:01:39.059Z
Learning: In the BloodHound documentation repository, "BloodHound" as a standalone name refers to the entire product family and is appropriate to use when content applies to all products in the family (Enterprise and Community Edition). "BloodHound Enterprise" should be used only when referring specifically to Enterprise-only features or capabilities.

Applied to files:

• docs/install-data-collector/install-azurehound/create-configuration.mdx

🔇 Additional comments (5)

docs/install-data-collector/install-azurehound/azure-configuration.mdx (2)

334-334: Excellent explicit coverage of permanent assignment requirement.

Line 334 correctly and explicitly states "Ensure that the Assignment type is Active and the Permanently assigned box is checked." This properly addresses the requirement that Directory Reader must be permanently active (not PIM-eligible only), as noted in prior documentation guidance.

---

197-234: Well-structured Managed Identity configuration section.

The new Managed Identity subsection provides clear step-by-step guidance that:

• References Microsoft documentation for detailed context
• Explicitly recommends User-Assigned Managed Identity (reinforced via imported recommendation component)
• Includes proper links and navigation hints for users

The structure using Steps component makes the flow easy to follow.

docs/install-data-collector/install-azurehound/create-configuration.mdx (3)

10-22: Excellent prerequisites table expansion.

The prerequisites table properly documents all required information for both authentication paths:

• Existing prerequisites are clearly explained with links
• New Managed Identity and Certificate prerequisites are properly scoped (lines 21-22) with accurate field names and references
• Prerequisite descriptions correctly link to their configuration sections

The organization makes it clear which items are conditionally required based on the chosen authentication method.

---

102-201: Excellent dual-path authentication flow with tab interface.

The multi-tab authentication structure (lines 107-201) provides:

• Clear guidance to select between Azure Managed Identity (recommended) and Certificate
• Strong recommendation for Managed Identity at line 105
• Comprehensive step-by-step instructions for each path with expected CLI prompts and outputs
• Proper emphasis on User-Assigned Managed Identity type with helpful note on locating the Client ID (line 140)
• Proper context about certificate characteristics (lines 174-180)
• Consistent structure and formatting within both tabs

The tabbed interface makes both paths equally discoverable while still guiding users toward the recommended Managed Identity approach.

---

67-77: Version references correctly updated.

CLI version references are properly updated from v2.0.5 to v2.8.1 at lines 67 and 77, with consistent formatting throughout the configuration flow examples.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/install-data-collector/install-azurehound/azure-configuration.mdx (2)

334-334: Add explicit clarification that Directory Reader must not be PIM-eligible only.

Line 334 correctly specifies "Permanently assigned" but per learnings from prior reviews, the documentation should explicitly clarify that the Directory Reader role must be permanently active and not assigned as PIM-eligible only. This distinction helps avoid misconfiguration.

Consider adding a note before or after line 334:

    1. Ensure that the Assignment type is **Active** and the **Permanently assigned** box is checked. Enter a justification and click **Assign**.
+
+        <Note>The Directory Reader role must be permanently assigned, not PIM-eligible only. Ensure **Permanently assigned** is selected to avoid authentication failures.</Note>

Based on learnings, this explicit guidance reduces support burden.

---

347-368: Clarify Azure Reader role assignment guidance to align with best practices.

Lines 347–368 guide assigning the Reader role at the Tenant Root Group scope, which aligns with best practices. However, the language could be more explicit about this being the recommended approach, per established guidance. Currently, line 347 says "If you do not have any management groups, you may either create your Tenant Root Group..." which sounds optional rather than recommended.

Consider revising line 347 to explicitly recommend assignment at the tenant root group scope:

-If you do not have any management groups, you may either create your Tenant Root Group following the prompts in the middle of the screen to ensure future visibility if another administrator begins use of subscriptions, or you may skip this section altogether.
+The Reader role should be assigned on all Azure subscriptions, ideally at the Tenant Root Group (root management group) scope to ensure visibility of all current and future subscriptions. If you do not have a Tenant Root Group configured, create one following the prompts in the Azure portal. Skipping this step may result in missing data during collection.

Based on learnings, this guidance is preferred for AzureHound docs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 379dffe and e238c10.

📒 Files selected for processing (3)

• docs/install-data-collector/install-azurehound/azure-configuration.mdx (1 hunks)
• docs/install-data-collector/install-azurehound/create-configuration.mdx (4 hunks)
• docs/snippets/hounds/managed-id-recommendation.mdx (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• docs/snippets/hounds/managed-id-recommendation.mdx

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

📚 Learning: 2025-08-08T15:57:55.743Z

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

• docs/install-data-collector/install-azurehound/create-configuration.mdx
• docs/install-data-collector/install-azurehound/azure-configuration.mdx

📚 Learning: 2025-10-02T18:01:39.059Z

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 67
File: docs/collect-data/enterprise-collection/privileged-collection.mdx:7-7
Timestamp: 2025-10-02T18:01:39.059Z
Learning: In the BloodHound documentation repository, "BloodHound" as a standalone name refers to the entire product family and is appropriate to use when content applies to all products in the family (Enterprise and Community Edition). "BloodHound Enterprise" should be used only when referring specifically to Enterprise-only features or capabilities.

Applied to files:

• docs/install-data-collector/install-azurehound/create-configuration.mdx

🔇 Additional comments (5)

docs/install-data-collector/install-azurehound/create-configuration.mdx (2)

102-202: Dual-path authentication flow is well-structured.

The tab-based separation of Managed Identity (recommended, lines 108–153) and Certificate (lines 155–200) authentication methods provides clear guidance. Both paths include:

• Clear prompts showing expected CLI output
• Step-by-step navigation
• Links to supporting documentation (e.g., line 140, 174–180)
• Consistent BloodHound Enterprise URL entry (lines 148–152, 195–199)

The Managed Identity tab appropriately emphasizes that configuration requires prior identity creation (line 112), and both tabs flow naturally into the collector client configuration step that follows.

---

6-6: Import verified and file is correctly available.

The managed identity recommendation snippet at /snippets/hounds/managed-id-recommendation.mdx exists and is properly imported. The component is correctly rendered at line 110 in the Managed Identity tab. No issues found.

docs/install-data-collector/install-azurehound/azure-configuration.mdx (3)

42-51: Strong role-based access guidance for app registration creation.

Lines 42–51 clearly specify required Microsoft Entra admin center roles (Global Administrator, or Privileged Role Administrator + Application Administrator/Cloud Application Administrator) with inline links to Microsoft role definitions. This guidance prevents common permission-related configuration failures.

---

93-184: API permissions assignment section is clear and well-structured.

The steps correctly guide users to:

• Remove the unnecessary default User.Read permission (lines 106–117)
• Add both required Microsoft Graph permissions with visual aids (lines 119–154)
• Grant admin consent and verify completion (lines 156–182)

The guidance aligns with learnings that Microsoft Graph permissions require admin consent, and includes frames showing expected UI state at each step, which reduces configuration errors.

---

6-6: Managed identity recommendation snippet is correctly referenced and rendered.

The import at line 6 correctly references /snippets/hounds/managed-id-recommendation.mdx, the file exists with appropriate content, and the component is properly rendered at line 206 in the Managed Identity subsection. The snippet content aligns with the intended recommendation about User-Assigned Managed Identity.