@martinsohn martinsohn commented Dec 17, 2025

Description

This PR updates the help text and documentation for Azure Entra ID role-related edges to improve consistency, clarity, and accuracy. The changes address terminology updates, add missing references to official Microsoft documentation, and provide more detailed explanations of edge relationships.

1. Lack of Consistency

  • Previous state: Mixed terminology using both "AzureAD" and "Entra ID" inconsistently across documentation
  • Resolution: Standardized all references to use "Entra ID" terminology, aligning with Microsoft's current branding
  • Files affected: AZHasRole, AZGlobalAdmin, AZAppAdmin, AZCloudAppAdmin, and other role edges

2. Vague and Lacking Detail

  • Previous state: General descriptions like "Principals with the Application Admin role" without specifying edge semantics
  • Resolution: Updated descriptions to clearly state "The principal has the [Role Name] Entra ID role active" for consistency
  • Added cross-references:
    • AZRoleEligible now references AZHasRole edge relationship
    • AZRoleApprover now references AZRoleEligible edge relationship
    • AZHasRole now references AZRoleEligible for PIM scenarios

3. Missing Official References

  • Previous state: Many edges lacked links to official Microsoft Entra ID role documentation
  • Resolution: Added Microsoft documentation links for:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator
    • Privileged Authentication Administrator
    • Privileged Role Administrator
    • Privileged Identity Management (PIM) overview

4. Improved Edge Descriptions

Updated descriptions to be more specific and actionable:

AZRoleEligible:

  • Before: "The ability to activate or be assigned a privileged role in Entra ID."
  • After: "The principal is eligible for assignment to the Entra ID role via Privileged Identity Management (PIM). When the role is active the principal will also have an AZHasRole edge to the role."

AZRoleApprover:

  • Before: "The ability to approve role assignments or activations for privileged roles in Entra ID."
  • After: "The principal is designated as an approver in the Privileged Identity Management (PIM) policy for the Entra ID role. PIM policies may require principals with the AZRoleEligible edge to get approval from role approvers before activation takes effect."

AZPrivilegedRoleAdmin:

  • Moved abuse details from General section to Abuse section for better organization
  • General section now states the role assignment clearly
  • Abuse section provides the actionable information

AZPrivilegedAuthAdmin:

  • Simplified General section to focus on role assignment
  • Removed redundant details already covered by related edges (AZAddSecret, AZResetPassword)
  • Updated reference links to use proper titles and current Microsoft documentation

Motivation and Context

Resolves BED-7061

Changes required in bloodhound-docs SpecterOps/bloodhound-docs#137

How Has This Been Tested?

Built BH CE locally, verified each edge entity panel showed correct info, and links were clickable.

Screenshots (optional):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

Summary by CodeRabbit

  • Documentation
    • Updated help text to use "Entra ID" terminology and clarified role descriptions and principal permissions.
    • Refined wording for multiple admin roles (Application Administrator, Cloud Application Administrator, Global Administrator, Privileged Authentication Administrator, Privileged Role Administrator, Role Approver, Role Eligible, and related notes).
    • Added or expanded external Microsoft Entra reference links for these roles.


@martinsohn changed the title from "Update HelpTexts for AZ role edges" to "BED-7061 docs: Update HelpTexts for AZ role edges" on Dec 17, 2025

coderabbitai bot commented Dec 17, 2025

Walkthrough

Updated help-text UI components across Entra/role-related modules: replaced "Azure AD"/related phrasing with "Entra ID" and clarified principal role wording; added external Microsoft Entra reference links. No logic, exports, or control-flow changes.

Changes

Cohort / File(s) and Summary

Help Text — General components
  • Files: packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/General.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleEligible/General.tsx
  • Summary: Rewrote user-facing help text strings to explicitly reference "Entra ID" and to clarify principal role descriptions; no structural or logic changes.

Help Text — Abuse / Opsec components
  • Files: packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Abuse.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Opsec.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/Abuse.tsx
  • Summary: Updated phrasing (e.g., "AzureAD" → "Entra ID"), fixed punctuation/typography, and added a clarification sentence about role capabilities; UI structure unchanged.

Help Text — References
  • Files: packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/References.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/References.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/References.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/References.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/References.tsx, packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/References.tsx
  • Summary: Added new external links to Microsoft Entra documentation (with target="_blank" and rel="noopener noreferrer"), updated link text/hrefs to reflect Entra branding; rendering only, no API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Changes are homogeneous (text replacements and added external Link elements) across many files.
  • Pay attention to correctness of updated strings and link hrefs in Reference components.

Suggested labels

user interface

Suggested reviewers

  • mvlipka
  • rvazarkar
  • urangel

Poem

🐰
In a hop I changed each helpful line,
"Azure AD" to "Entra ID" — crisp and fine.
Links now open wide, roles clearer in sight,
A tiny carrot-coded gleam of light.
Hooray — the help texts hop just right! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Title check (✅ Passed): The PR title accurately summarizes the main change—updating help texts for Azure role edges—and includes the associated ticket BED-7061, making it clear and specific.
  • Description check (✅ Passed): The PR description comprehensively addresses all template sections including a detailed Description with subsections, Motivation/Context with ticket reference, testing details, type of change classification, and a completed checklist.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@martinsohn self-assigned this on Dec 17, 2025
@martinsohn added the "documentation" label (Improvements or additions to documentation) on Dec 17, 2025
@martinsohn changed the title from "BED-7061 docs: Update HelpTexts for AZ role edges" to "docs: Update HelpTexts for AZ role edges" on Dec 17, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/General.tsx (1)

23-23: Consider retaining capability information.

The updated text standardizes terminology but removes helpful context about what the Privileged Role Administrator can do ("can grant any other admin role to another principal at the tenant level"). This information is valuable for understanding the security implications of this edge.

Consider expanding the text to include both the role status and key capabilities:

-The principal has the Privileged Role Administrator Entra ID role active against the target tenant.
+The principal has the Privileged Role Administrator Entra ID role active against the target tenant and can grant any other admin role to another principal at the tenant level.
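
Review bot: The clause appended on the + line ("and can grant any other admin role to another principal at the tenant level") puts the capability statement back into General.tsx, while the PR description says the abuse details for AZPrivilegedRoleAdmin were moved to the Abuse section on purpose. Stating it in both panels invites drift; keep General to the role assignment and leave the capability sentence in Abuse.tsx.
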
packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleEligible/General.tsx (1)

23-24: Minor wording improvement for clarity.

The updated text is much clearer and the cross-reference to AZHasRole is helpful. Consider using "activated" instead of "active" in the second sentence for grammatical precision.

-The principal is eligible for assignment to the Entra ID role via Privileged Identity Management (PIM). When the role is active the principal will also have an AZHasRole edge to the role.
+The principal is eligible for assignment to the Entra ID role via Privileged Identity Management (PIM). When the role is activated the principal will also have an AZHasRole edge to the role.
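
Review bot: Changing "active" to "activated" on the + line shifts the sentence from a state to an event, and the rest of this PR describes the state ("Entra ID role active", "active assignment" in AZHasRole). Keeping "active" stays consistent with those texts; if the line is edited anyway, a comma after the introductory clause ("When the role is active, the principal ...") is the readability fix worth making.
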
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3dd5b3c and fa045e7.

📒 Files selected for processing (17)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Abuse.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Opsec.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/Abuse.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/General.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/References.tsx (1 hunks)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleEligible/General.tsx (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-11-06T21:35:02.751Z
Learnt from: dcairnsspecterops
Repo: SpecterOps/BloodHound PR: 2010
File: packages/javascript/bh-shared-ui/src/components/Navigation/AppLink.tsx:30-30
Timestamp: 2025-11-06T21:35:02.751Z
Learning: In AppLink component (packages/javascript/bh-shared-ui/src/components/Navigation/AppLink.tsx), the aria-label="Navigate to ${path}" is added as a fallback for cases where children may be non-string content (icons, JSX elements) rather than readable text.

Applied to files:

  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/References.tsx
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/References.tsx
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/References.tsx
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/References.tsx
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/References.tsx
📚 Learning: 2025-08-06T20:45:32.705Z
Learnt from: JimSycurity
Repo: SpecterOps/BloodHound PR: 1761
File: packages/javascript/bh-shared-ui/src/components/HelpTexts/ProtectAdminGroups/References.tsx:22-43
Timestamp: 2025-08-06T20:45:32.705Z
Learning: The SpecterOps URL https://specterops.io/resources/adminsdholder in the ProtectAdminGroups References.tsx component is a placeholder link created by marketing that will become active when JimSycurity's AdminSDHolder whitepaper is published. This is intentional and should not be flagged as a broken link.

Applied to files:

  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/References.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build BloodHound Container Image / Build and Package Container
  • GitHub Check: build-ui
  • GitHub Check: run-tests
  • GitHub Check: run-analysis
🔇 Additional comments (14)
packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Abuse.tsx (1)

24-25: LGTM! Terminology correctly updated.

The text properly reflects Microsoft's rebranding from Azure AD to Entra ID, and the help text clearly communicates the edge semantics.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/Abuse.tsx (1)

23-23: LGTM – Clear abuse vector description.

The added sentence effectively communicates the core privilege escalation risk of the Privileged Role Administrator role. The documentation improvement aligns well with the PR's goal of clarifying edge semantics.

Since this describes Entra ID role permissions, consider verifying the statement accuracy against the official Microsoft Entra Privileged Role Administrator documentation (which the PR adds references to).

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/General.tsx (1)

23-25: LGTM! Clear and accurate PIM approver documentation.

The updated help text effectively clarifies the approver role in the PIM policy workflow and appropriately references the AZRoleEligible edge for cross-context. The terminology standardization to "Entra ID" aligns with the PR objectives.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedRoleAdmin/References.tsx (1)

23-29: LGTM! Link to Microsoft Entra documentation is correct and properly implemented with security attributes.

The implementation correctly adds a reference to Microsoft Entra built-in roles documentation, with proper security attributes (rel='noopener noreferrer'), descriptive link text, and consistent structure with other reference links in the component.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/References.tsx (1)

23-29: Link implementation is correct and properly configured.

The Link component uses appropriate security attributes (target="_blank" with rel="noopener noreferrer") and includes descriptive text. The Microsoft Entra documentation URL is valid and accessible.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/References.tsx (1)

23-29: Link structure and security attributes are correct. The Material-UI Link component properly uses rel='noopener noreferrer' with target='_blank' when linking to the external Microsoft documentation. The Microsoft Learn documentation URL for Entra Application Administrator roles is valid and accessible. The implementation follows Material-UI's recommended security best practices for external links.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZRoleApprover/References.tsx (1)

23-29: LGTM! Documentation reference added correctly.

The new Microsoft Entra PIM documentation link is properly formatted with appropriate security attributes (target='_blank', rel='noopener noreferrer') and provides valuable context for users understanding the role approver edge.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/References.tsx (1)

45-53: LGTM! References updated to Microsoft Entra terminology.

The link text and URLs have been correctly updated to reflect Microsoft's rebranding from Azure AD to Microsoft Entra. The changes maintain proper link attributes and improve clarity.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/References.tsx (1)

23-26: LGTM! Official documentation reference added.

The new Microsoft Entra Global Administrator documentation link is properly formatted with appropriate security attributes and provides valuable reference material for users.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZAppAdmin/General.tsx (1)

23-23: LGTM! Clear and informative help text.

The updated text successfully standardizes terminology to "Entra ID" while retaining important capability information ("can control tenant-resident apps"). This provides users with both the role status and security implications.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZCloudAppAdmin/General.tsx (1)

23-23: LGTM! Consistent with other role help texts.

The updated text maintains consistency with the Application Administrator help text while correctly identifying the specific Cloud Application Administrator role. Includes both role status and capability information.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/General.tsx (1)

23-23: LGTM! Improved clarity and terminology.

The updated text is more concise and uses current "Entra ID" terminology. The phrase "active assignment" is clearer than the previous "has been granted" wording and aligns well with the PIM context established in related help texts.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZGlobalAdmin/General.tsx (1)

23-25: LGTM! Clear and accurate terminology update.

The updated text correctly reflects Microsoft's rebranding to "Entra ID" and maintains clarity about the Global Administrator role's scope and privileges. The phrasing is consistent with the standardization across other role documentation in this PR.

packages/javascript/bh-shared-ui/src/components/HelpTexts/AZPrivilegedAuthAdmin/General.tsx (1)

23-23: LGTM! Concise and consistent.

The updated description is clear and follows the standardized format used across other Entra ID role documentation in this PR. The simplification successfully removes redundancy while maintaining essential information about the role assignment.

@martinsohn changed the title from "docs: Update HelpTexts for AZ role edges" to "docs: BED-7061 Update HelpTexts for AZ role edges" on Dec 17, 2025
@martinsohn changed the title from "docs: BED-7061 Update HelpTexts for AZ role edges" to "docs: Update HelpTexts for AZ role edges BED-7061" on Dec 17, 2025

The terminology change from "AzureAD" to "Entra ID" is correct and aligns with Microsoft's rebranding. However, the text uses “ (left double quotation mark) instead of an apostrophe for the possessive form "principal's".

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Opsec.tsx (1)

23-23: LGTM! Terminology update is correct.

The terminology change from "AzureAD" to "Entra ID" aligns with Microsoft's rebranding. The previous punctuation issue with the apostrophe has been correctly addressed.

Optional: Consider minor phrasing improvement.

For slightly more natural reading, you could rephrase "what the action taken is" as "what action is taken":

-            The opsec considerations for a particular action authorized by a principal's active Entra ID role
-            assignment will wholly depend on what the action taken is. This edge does not capture all abusable
+            The opsec considerations for a particular action authorized by a principal's active Entra ID role
+            assignment will wholly depend on what action is taken. This edge does not capture all abusable
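
Review bot: The first removed and added lines of this suggestion are identical, so the only real change is "what the action taken is" to "what action is taken" on the second line; trimming the suggestion to that one line keeps the diff minimal. The rewording itself does not alter the meaning of the help text.
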
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa045e7 and 3640a85.

📒 Files selected for processing (1)
  • packages/javascript/bh-shared-ui/src/components/HelpTexts/AZHasRole/Opsec.tsx (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build BloodHound Container Image / Build and Package Container
  • GitHub Check: run-tests
  • GitHub Check: build-ui
  • GitHub Check: run-analysis

@rvazarkar rvazarkar left a comment

All looks good to me, and since it's all just copy change, easy peasy
