User detail section shows GroupOwnership instead of AzureRoles for owned SPs #23

@StrongWind1

Description

Disclaimer: This issue was identified and written by Claude Code (model: claude-opus-4-6-1m) during an automated code review, and has had a cursory review by a human before submission.

Summary

In the Users report detail section, the "Owner of Service Principal" table displays $app.GroupOwnership in the AzureRoles column instead of $app.AzureRoles. This causes the Azure Roles column to show the group ownership count.

Affected file

modules/check_Users.psm1

Evidence

Line 1288

# Lines 1283-1291 (inside the "Owner of Service Principal" detail rendering)
$OwnerSPReporting = foreach ($app in $($item.OwnerSPDetails)) {
    [pscustomobject]@{
        "DisplayName" = $app.DisplayName
        "Foreign" = $app.Foreign
        "GroupOwnership" = $app.GroupOwnership
        "AppOwnership" = $app.AppOwnership
        "EntraRoles" = $app.EntraRoles
        "AzureRoles" = $app.GroupOwnership    # <-- BUG: should be $app.AzureRoles
        "APIPermission" = "D:$($app.ApiDangerous) / H:$($app.ApiHigh) / M:$($app.ApiMedium) / L:$($app.ApiLow) / U:$($app.ApiMisc)"
        "Warnings" = $app.Warnings
    }
}

Line 1288 assigns $app.GroupOwnership to the "AzureRoles" key. The EntraRoles line directly above (line 1287) correctly uses $app.EntraRoles, suggesting this is a copy-paste error.

Impact

In the Users HTML and TXT reports, when expanding a user's "Owner of Service Principal" detail section, the "AzureRoles" column shows the group ownership count instead of the Azure role count. This could mislead reviewers into thinking an SP has Azure roles when it actually has group ownerships (or vice versa).

The main user table scoring is not affected — this only impacts the detail view.

Suggested fix

"AzureRoles" = $app.AzureRoles

Version

V20260316
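A regression check for the mapping error described above, added here as an example and not part of the project's own code. It mirrors the row projection from the quoted loop (as a hypothetical helper `ConvertTo-OwnerSPRow`, with the suggested fix applied) and then verifies, over constructed sample SP details, that every count column equals the source property of the same name, so it would flag this bug and any sibling copy-paste slip in that block, not only the AzureRoles column.

```powershell
# Constructed sample input: two SP detail objects whose count fields all hold
# distinct values, so a column that copies the wrong property is visible.
$sampleOwnerSPDetails = @(
    [pscustomobject]@{ DisplayName = 'sp-billing';    Foreign = $false; GroupOwnership = 3; AppOwnership = 1; EntraRoles = 0; AzureRoles = 7
                       ApiDangerous = 0; ApiHigh = 1; ApiMedium = 2; ApiLow = 0; ApiMisc = 0; Warnings = '' },
    [pscustomobject]@{ DisplayName = 'sp-automation'; Foreign = $true;  GroupOwnership = 0; AppOwnership = 4; EntraRoles = 2; AzureRoles = 5
                       ApiDangerous = 1; ApiHigh = 0; ApiMedium = 0; ApiLow = 3; ApiMisc = 1; Warnings = 'Foreign tenant' }
)

# Hypothetical stand-in for the row projection in check_Users.psm1, with the
# suggested fix applied on the AzureRoles line.
function ConvertTo-OwnerSPRow {
    param([Parameter(Mandatory)][pscustomobject]$app)
    [pscustomobject]@{
        DisplayName    = $app.DisplayName
        Foreign        = $app.Foreign
        GroupOwnership = $app.GroupOwnership
        AppOwnership   = $app.AppOwnership
        EntraRoles     = $app.EntraRoles
        AzureRoles     = $app.AzureRoles    # fixed: previously $app.GroupOwnership
        APIPermission  = "D:$($app.ApiDangerous) / H:$($app.ApiHigh) / M:$($app.ApiMedium) / L:$($app.ApiLow) / U:$($app.ApiMisc)"
        Warnings       = $app.Warnings
    }
}

# Generic mapping check: each count column of the rendered row must equal the
# source property with the same name. Returns one message per mismatch.
function Test-OwnerSPRowMapping {
    param([Parameter(Mandatory)][object[]]$Details)
    $columns = 'GroupOwnership', 'AppOwnership', 'EntraRoles', 'AzureRoles'
    $failures = foreach ($app in $Details) {
        $row = ConvertTo-OwnerSPRow -app $app
        foreach ($col in $columns) {
            if ($row.$col -ne $app.$col) {
                '{0}: column {1} shows {2}, source property has {3}' -f $app.DisplayName, $col, $row.$col, $app.$col
            }
        }
    }
    return @($failures)
}

$result = Test-OwnerSPRowMapping -Details $sampleOwnerSPDetails
if ($result.Count -eq 0) { 'All detail columns map to the matching property.' } else { $result }
```

With the original line restored in the helper, the check reports `sp-billing: column AzureRoles shows 3, source property has 7`.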

Labels

bug (Something isn't working)