BED-6542: Only Collect Management Groups from Current Tenant

[StranDutton]

Ticket: BED-6542

Problem: AZContains edges are wrongly created across AZTenant environments, connecting AZManagementGroups of one AZTenant to AZSubscriptions of another AZTenant.

This PR filters out foreign-tenant AZManagementGroups collection.

When AzureHound collects from an account with cross-tenant visibility (like through Azure Lighthouse), the ARM API returns management groups from all accessible tenants. Without AzureHound filtering by tenant, management groups with the same name across tenants produce identical objectId paths, collapsing into a single node in BHE and creating false AZContains edges between tenants. This compares each management group's tenantId against the authenticated tenant and skips any that don't match.

Summary by CodeRabbit

• Bug Fixes

  • Management groups from other tenants are now correctly filtered out and no longer processed.

• Tests

  • Added test coverage for foreign tenant filtering to ensure only home-tenant management groups are emitted.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 27f64378-8bcd-4559-93d6-920a18650e68

📥 Commits

Reviewing files that changed from the base of the PR and between f98e580 and 604b286.

📒 Files selected for processing (2)

• cmd/list-management-groups.go
• cmd/list-management-groups_test.go

---

Walkthrough

The listManagementGroups function now captures the client's home tenant ID and filters out management groups belonging to foreign tenants, logging skipped foreign groups at verbosity level 2. Tests are updated to mock tenant information and verify foreign tenant filtering behavior.

Changes

Cohort / File(s)	Summary
Tenant Filtering Logic cmd/list-management-groups.go	Added home tenant ID capture and comparison logic to skip management groups from foreign tenants with verbosity-level logging.
Test Coverage Updates cmd/list-management-groups_test.go	Updated existing test to stub TenantInfo() with tenant ID properties; added new test TestListManagementGroups_FiltersForeignTenants to verify foreign tenant exclusion.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through tenant lands,
Home IDs safe in trusty hands,
Foreign groups? We bid adieu—
Only home-dwellers make it through! 🏠✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately and concisely summarizes the main change: filtering management groups to include only those from the current tenant, which directly addresses the core objective of preventing cross-tenant false edges.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-6542-false-edges-across-tenants

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}