New-SafeguardAccessRequest fails finding the same account multiple times #473

Open
holger-weihe opened this issue Mar 17, 2023 · 3 comments

@holger-weihe

Using safeguard-ps version 7.2.96694 the cmdlet New-SafeguardAccessRequest fails with

PS C:\Users\Administrator.ONEIDENTITY> New-SafeguardAccessRequest

cmdlet New-SafeguardAccessRequest at command pipeline position 1
Supply values for the following parameters:
AssetToUse: portal.azure.com
AccessRequestType: Password
AccountToUse: henriettam@pamdorasbox.onmicrosoft.com
Exception: Found 2 requestable accounts matching 'henriettam@pamdorasbox.onmicrosoft.com'

When I check with "Find-SafeguardRequestableAccounts" I get

PS C:\Users\Administrator.ONEIDENTITY> Find-SafeguardRequestableAccount

cmdlet Find-SafeguardRequestableAccount at command pipeline position 1
Supply values for the following parameters:
SearchString: henriettam

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : Password

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : RemoteDesktopApplication

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : Password

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : RemoteDesktopApplication

which is correct for my environment because the account is enabled for Password and RemoteDesktopApplication requests. But the output lists 4 matches, while the command complains about 2 entries only.

When I modify the entitlement to remove the "RemoteDesktopApplication" from the account, I get

PS C:\Users\Administrator.ONEIDENTITY> Find-SafeguardRequestableAccount

cmdlet Find-SafeguardRequestableAccount at command pipeline position 1
Supply values for the following parameters:
SearchString: henriettam

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : Password

AssetId : 125
AssetName : portal.azure.com
NetworkAddress :
PlatformDisplayName : Azure AD 1.0
AccountId : 274
AccountDomainName :
AccountName : HenriettaM@pamdorasbox.onmicrosoft.com
AccessRequestType : Password

and the "New-SafeguardAccessRequest" does not succeed because I got

PS C:\Users\Administrator.ONEIDENTITY> New-SafeguardAccessRequest

cmdlet New-SafeguardAccessRequest at command pipeline position 1
Supply values for the following parameters:
AssetToUse: portal.azure.com
AccessRequestType: Password
AccountToUse: henriettam@pamdorasbox.onmicrosoft.com
Exception: Found 2 requestable accounts matching 'henriettam@pamdorasbox.onmicrosoft.com'

So it looks like it is duplicating the entries found.

@petrsnd
Member

petrsnd commented Mar 20, 2023

@holger-weihe There were some changes to this cmdlet to fix another issue that might have caused this problem. We will try to reproduce and get back to you.

@dukkse77

dukkse77 commented Apr 19, 2023

I agree on the behavior of finding multiple; it is even worse if you have multiple admin accounts (not to mention if you then have assets too).
Here is how I solved the problem:

# Pick the first requestable "Password" entry whose account name matches the pattern
$accountName = Get-SafeguardRequestableAccount | where {$_.AccessRequestType -eq "Password" -and $_.AccountName -like "xxx*"} | select -first 1
# Request by numeric AccountId; $source and $accountAsset are not defined in this snippet
$newRequest = New-SafeguardAccessRequest -Appliance $source -insecure -AccountToUse $accountName.AccountId -AssetToUse $accountAsset -AccessRequestType "Password" -ReasonComment "Whatever reason you want in the logs"

Hope this solves your problem until a better solution is provided for you.

@azirish1998

This is an issue for me as well. Problem seems to be in Resolve-safeguardRequestableAccountId. There is an explicit check for more than 1 account and it throws an exception. My workaround below

    if ($local:Accounts.Count -gt 1)
    {
        #throw "Found $($local:Accounts.Count) requestable accounts matching '$Account'"
        return $local:Accounts[0].Id
    }
    $local:Accounts.Id
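
Both workarounds in this thread take the first match, which in a privileged access tool can silently select a different account when the matches are not true duplicates. The following is an added example, not part of the thread and not safeguard-ps code: it collapses rows that share the same AssetId, AccountId and AccessRequestType, and still fails if distinct accounts remain. `Resolve-UniqueRequestable` is a hypothetical helper, and the sample rows are constructed from the output shown in the issue.

```powershell
# Added example, not safeguard-ps code. Resolve-UniqueRequestable is a hypothetical helper.
function Resolve-UniqueRequestable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Requestable,
        [Parameter(Mandatory)] [string]$Asset,
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [string]$AccessRequestType
    )

    # Exact match on all three values (-eq is case-insensitive for strings).
    $matching = @($Requestable | Where-Object {
        $_.AssetName -eq $Asset -and
        $_.AccountName -eq $Account -and
        $_.AccessRequestType -eq $AccessRequestType
    })

    # Collapse rows that describe the same (asset, account, type) tuple.
    $unique = @($matching |
        Group-Object -Property AssetId, AccountId, AccessRequestType |
        ForEach-Object { $_.Group[0] })

    if ($unique.Count -eq 0) {
        throw "No requestable account matching '$Account' on '$Asset' for $AccessRequestType"
    }
    if ($unique.Count -gt 1) {
        # Different IDs behind the same name: refuse to guess.
        $ids = ($unique | ForEach-Object { "$($_.AssetId)/$($_.AccountId)" }) -join ', '
        throw "Found $($unique.Count) distinct requestable accounts matching '$Account': $ids"
    }
    $unique[0]
}

# Constructed sample rows mirroring the duplicated output in the issue.
$rows = foreach ($type in 'Password', 'RemoteDesktopApplication', 'Password', 'RemoteDesktopApplication') {
    [pscustomobject]@{
        AssetId = 125; AssetName = 'portal.azure.com'
        AccountId = 274; AccountName = 'HenriettaM@pamdorasbox.onmicrosoft.com'
        AccessRequestType = $type
    }
}

$hit = Resolve-UniqueRequestable -Requestable $rows -Asset 'portal.azure.com' `
    -Account 'henriettam@pamdorasbox.onmicrosoft.com' -AccessRequestType 'Password'
"AssetId=$($hit.AssetId) AccountId=$($hit.AccountId) Type=$($hit.AccessRequestType)"
```

The resolved `AccountId` can then be passed to `-AccountToUse`, as the earlier workaround in this thread does, so the request names one specific account rather than a search string.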
