BED-7248: Resolves BP-491 Request for Entra ID User Last Logon Timestamp AZUser Node Property

[Mayyhem]

https://specterops.atlassian.net/browse/BED-7248

Will be paired with a PR to BloodHound to display the data in the entity panel.

Tested by pointing BloodHound to my local copy of AzureHound

replace github.com/bloodhoundad/azurehound/v2 => ./work/azurehound

Summary by CodeRabbit

• New Features

  • Users may now show a Last Successful Sign‑In timestamp sourced from sign‑in activity when available.

• Bug Fixes / Resiliency

  • Listing users now falls back and continues returning results if sign‑in permission is unavailable, avoiding complete failures.

• Tests

  • Added tests validating sign‑in activity unmarshalling and detection of authorization-denied errors.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Refactors user-listing to optionally request Graph signInActivity, streams results with per-item error handling, detects Graph authorization-denied errors, retries without signInActivity when denied, and extends the Azure User model + tests to surface nested sign-in activity and populate LastSuccessfulSignInDateTime.

Changes

Cohort / File(s)	Summary
Command updates cmd/list-users.go, cmd/list-users_test.go	Constructs GraphParams via makeParams to optionally include signInActivity; adds streamOnce wrapper that accumulates users and reports per-item errors; introduces retry path when Graph returns an authorization-denied error for signInActivity and adds isGraphAuthorizationDenied with unit test.
Model definitions models/azure/user.go, models/azure/user-signinactivity.go	Adds LastSuccessfulSignInDateTime to User; introduces SignInActivity struct with optional fields; implements User.UnmarshalJSON to populate LastSuccessfulSignInDateTime from nested signInActivity.
Tests models/azure/user_test.go	Adds a unit test that unmarshals a payload containing signInActivity and asserts LastSuccessfulSignInDateTime is populated.

Sequence Diagram(s)

sequenceDiagram
  participant CLI as CLI (list-users)
  participant Params as makeParams
  participant Graph as Microsoft Graph
  participant Stream as streamOnce (accumulator)
  participant Logger as Logger

  CLI->>Params: build params (include signInActivity)
  CLI->>Graph: request users with params
  Graph-->>CLI: response / error
  alt response OK
    CLI->>Stream: stream items -> accumulate users
    Stream-->>CLI: items + per-item errors
  else authorization-denied for signInActivity
    CLI->>Logger: warn about missing AuditLog.Read.All
    CLI->>Params: build params (without signInActivity)
    CLI->>Graph: retry request
    Graph-->>CLI: response
    CLI->>Stream: stream items -> accumulate users
    Stream-->>CLI: items + per-item errors
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble JSON, hop through fields so bright,
I fetch last-success signs from Graph's night,
If permissions close a door, I try anew,
I stream, I gather, and log each cue —
A rabbit code-review dance, light and spry.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding LastSuccessfulSignInDateTime (last logon timestamp) to AZUser nodes, matching the file changes (new field in User struct, unmarshalling logic, and collection logic updates).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/list-users.go (1)

64-74: Requesting signInActivity requires AuditLog.Read.All permission and Entra ID P1/P2 licensing.

Adding signInActivity to $select requires the AuditLog.Read.All Microsoft Graph permission (admin consent) and Microsoft Entra ID P1 or P2 licensing on the tenant. Without either, the Graph request fails with a permission error (403) and the user listing exits early (lines 84–86) with no retry or fallback. Consider making this field opt-in, retrying without it on permission failure, or documenting this prerequisite clearly.

[Mayyhem]

Updated docs as well: SpecterOps/bloodhound-docs#170

[zinic]

Rest of the code looks good but the unmarshal function for the User type has some ergonomic friction that I'd like addressed.

[zinic]

lgtm