fix: handle additional Microsoft Graph authorization errors for signInActivity retry

[ferreirasc]

AzureHound collects signInActivity for users by including it in the $select parameter
when calling the Microsoft Graph /users endpoint. When the principal lacks the required
AuditLog.Read.All permission, AzureHound is designed to detect the authorization error,
log a warning, and retry the request without signInActivity.

However, this retry logic only covered one specific error code
(Authentication_MSGraphPermissionMissing), leaving other scenarios
unhandled, causing the retry to not trigger and the collection to fail.

When authenticating using a FOCI token (e.g. MSOffice), the Graph API responds to the signInActivity request with
HTTP 403 and error code UnknownError along with a message like:

"Microsoft Office does not have authorization to call this API."

This is semantically the same authorization denial, but the error code differs from the standard Authentication_MSGraphPermissionMissing, so the original check never matched and the retry never happened, resulting in a ERR unable to continue processing users error — even though user enumeration without signInActivity would have succeeded, as the principal has the required User.Read.All permission.

Same happens when the authenticated principal has a role that does not support reading signInActivity
(e.g. a non-privileged role lacking AuditLog.Read.All), the Graph API returns:

code: Authentication_RequestFromUnsupportedUserRole
message: The request is not supported for the current user role.

This error was also not covered, so the retry was never triggered. And this is probably the root cause for the following issue btw: #173.

Changes

The isGraphAuthorizationDenied function in cmd/list-users.go was extended to recognize
all three authorization denial scenarios:

1. Authentication_MSGraphPermissionMissing + auditlog.read.all in the message
   (existing behavior — app registration without the required application permission)

2. UnknownError + does not have authorization in the message
   (new — FOCI/delegated token scenarios; broadened from the Office-specific message to
   cover any client that produces this pattern)

3. Authentication_RequestFromUnsupportedUserRole
   (new — principal role does not support reading signInActivity)

The existing single-case test in TestIsGraphAuthorizationDenied was also refactored into
a table-driven test covering all three positive cases plus an unrelated error and a nil
error, to prevent regressions.

Files changed

• cmd/list-users.go — extended isGraphAuthorizationDenied with two new error cases
• cmd/list-users_test.go — refactored test into table-driven with full coverage

Summary by CodeRabbit

• Bug Fixes

  • Enhanced authorization error detection to recognize additional permission failure scenarios, including Office client delegated-permission failures and role-based access restrictions.

• Tests

  • Expanded test coverage for authorization error handling with comprehensive test scenarios.

[coderabbitai]

Walkthrough

The isGraphAuthorizationDenied function has been enhanced to recognize additional authorization failure patterns beyond the original Graph permission-missing case, now detecting delegated permission failures and role-based access restrictions. Corresponding test coverage has been expanded to validate all recognized patterns.

Changes

Cohort / File(s)	Summary
Authorization Check Enhancement cmd/list-users.go	Extended isGraphAuthorizationDenied() to detect three authorization-denial patterns: the original Authentication_MSGraphPermissionMissing (missing AuditLog.Read.All), delegated permission failures (UnknownError + does not have authorization), and role-based access failures (Authentication_RequestFromUnsupportedUserRole).
Test Coverage Expansion cmd/list-users_test.go	Refactored TestIsGraphAuthorizationDenied from single assertion to table-driven subtests covering all three authorization patterns, plus negative cases (unrelated error, nil) to verify expected false returns.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hoppy whiskers twitch with glee,
More auth patterns we can see!
Role and delegation dance in place,
Errors checked with newfound grace—
Tests now thorough, structured neat,
Error handling's quite complete! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: extending authorization error handling for Microsoft Graph to support additional error patterns beyond the original single case.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[ferreirasc]

I have read the CLA Document and I hereby sign the CLA

[StranDutton]

Hey @ferreirasc, thank you for the contribution! I have this on my radar and plan to review soon 🙂