Disclaimer: This issue was identified and written by Claude Code (model: claude-opus-4-6-1m) during an automated code review, and has had a cursory review by a human before submission.
Summary
The Invoke-AzureRoleProcessing function references $GLOBALImpactScore["AzureRoleTier?Privileged"] for unknown Azure roles that have IsPrivileged = $true, but this key does not exist in the $GLOBALImpactScore hashtable. The lookup silently returns $null, which PowerShell treats as 0 in arithmetic. This means unknown privileged Azure roles contribute 0 to the impact score instead of the intended non-zero value.
The analogous Entra key EntraRoleTier?Privileged IS correctly defined (value: 100).
Affected file
modules/shared_Functions.psm1
Evidence
Hashtable definition (lines 4048-4059)
$global:GLOBALImpactScore = @{
"EntraRoleTier0" = 2000
"EntraRoleTier1" = 400
"EntraRoleTier2" = 80
"EntraRoleTier?Privileged" = 100 # <-- Entra version EXISTS
"EntraRoleTier?" = 80
"AzureRoleTier0" = 200
"AzureRoleTier1" = 70
"AzureRoleTier2" = 50
"AzureRoleTier3" = 10
"AzureRoleTier?" = 50
# "AzureRoleTier?Privileged" is NOT defined
}
Usage in Invoke-AzureRoleProcessing (line 4331)
# Lines 4326-4334 (inside the "?" tier branch)
default {
    if ($Role.IsPrivileged -eq $true) {
        $RoleImpact = $GLOBALImpactScore["AzureRoleTier?Privileged"] # returns $null
    } else {
        $RoleImpact = $GLOBALImpactScore["AzureRoleTier?"] # returns 50
    }
}
Comparison with Entra equivalent (line 4263)
The Entra role processing correctly handles this case:
# Line 4263 (inside Invoke-EntraRoleProcessing)
if ($Role.IsPrivileged -eq $true) {
    $RoleImpact = $GLOBALImpactScore["EntraRoleTier?Privileged"] # returns 100
}
Impact
Any Azure role not in the $GLOBALAzureRoleRating lookup table (lines 4020-4046) that has IsPrivileged = $true will contribute 0 to the impact score instead of a non-zero value. Microsoft regularly adds new Azure RBAC roles, so this affects any privileged Azure role added after the tool's role list was last updated.
Non-privileged unknown roles correctly fall through to AzureRoleTier? (value: 50), meaning a non-privileged unknown role actually scores higher than a privileged one.
Suggested fix
Add the missing key to $GLOBALImpactScore:
$global:GLOBALImpactScore = @{
...
"AzureRoleTier?" = 50
"AzureRoleTier?Privileged" = 100 # Add this line
}
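The following is an added example, not code from this issue or from the module it describes. It reproduces the silent $null lookup against a constructed subset of the hashtable and adds a hypothetical Test-ImpactScoreKeys self-check that reports every tier prefix missing its "?" or "?Privileged" key, so a future omission fails loudly instead of scoring 0.

```powershell
# Constructed subset of $GLOBALImpactScore; "AzureRoleTier?Privileged" is left out on purpose.
$ImpactScore = @{
    "EntraRoleTier?Privileged" = 100
    "EntraRoleTier?"           = 80
    "AzureRoleTier?"           = 50
}

# Hypothetical minimal role records standing in for the module's role objects.
$UnknownRoles = @(
    [pscustomobject]@{ Name = 'Unknown privileged role';     IsPrivileged = $true  }
    [pscustomobject]@{ Name = 'Unknown non-privileged role'; IsPrivileged = $false }
)

$Total = 0
foreach ($Role in $UnknownRoles) {
    # Same lookup shape as the "?" tier branch in the report.
    if ($Role.IsPrivileged -eq $true) {
        $RoleImpact = $ImpactScore["AzureRoleTier?Privileged"]   # key missing: $null
    } else {
        $RoleImpact = $ImpactScore["AzureRoleTier?"]             # defined: 50
    }
    # Integer + $null is the integer, so the privileged role adds nothing to the total.
    $Total += $RoleImpact
    "{0,-28} IsPrivileged={1,-5} impact=[{2}] running total={3}" -f `
        $Role.Name, $Role.IsPrivileged, $RoleImpact, $Total
}

# Self-check (hypothetical helper): every tier prefix must define both the
# "?" and "?Privileged" keys. Run it right after the hashtable is built.
function Test-ImpactScoreKeys {
    param(
        [hashtable]$Table,
        [string[]]$Prefixes = @('EntraRoleTier', 'AzureRoleTier')
    )
    $Missing = [System.Collections.Generic.List[string]]::new()
    foreach ($Prefix in $Prefixes) {
        foreach ($Suffix in '?', '?Privileged') {
            $Key = "$Prefix$Suffix"
            if (-not $Table.ContainsKey($Key)) { $Missing.Add($Key) }
        }
    }
    return $Missing
}

$MissingKeys = @(Test-ImpactScoreKeys -Table $ImpactScore)
if ($MissingKeys.Count -gt 0) {
    Write-Warning ("Undefined impact-score keys (roles using them score 0): " + ($MissingKeys -join ', '))
}
```

With the constructed table above the warning names only AzureRoleTier?Privileged; once the suggested key is added the check returns an empty list.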
Version
V20260316