
Collection doc fixes #296

Merged: martinsohn merged 13 commits into main from collection-doc-fixes on May 26, 2026

Conversation


@martinsohn martinsohn commented May 22, 2026

This PR fixes several data collection documentation inaccuracies and aligns collector guidance with current SharpHound behavior.

  • Updates SharpHound CE collection method docs in docs/collect-data/ce-collection/sharphound-flags.mdx, adding missing methods and correcting the port check timeout flag example.
  • Clarifies SharpHound CE gMSA permission guidance in docs/collect-data/ce-collection/create-gmsa-community-edition.mdx, removing Domain Admin as a recommended path and pointing users toward explicit local admin assignment or least-privilege delegation.
  • Fixes gMSA scheduled task examples in docs/collect-data/ce-collection/create-gmsa-community-edition.mdx, including consistent DOMAIN\t0_gMSA_SHS$ placeholder usage and a working Set-ScheduledTask PowerShell example.
  • Corrects SharpHound Enterprise collector client wording in docs/collect-data/enterprise-collection/create-collector.mdx to say SharpHound automatically selects a Domain Controller for LDAP queries.
  • Clarifies that both SharpHound Enterprise and AzureHound Enterprise collector clients can be used for schedules and on-demand scans in docs/collect-data/enterprise-collection/collection-schedule.mdx and docs/collect-data/enterprise-collection/on-demand-scan.mdx.
  • Expands the AzureHound Reader role in docs/assets/azurehound-reader-role.json and the scripted config example in docs/install-data-collector/install-azurehound/azure-configuration.mdx with tenant and subscription read actions. Collection without them will work, but the implicit permissions are undocumented by Microsoft, and they should be explicitly granted for assurance.
  • Adds AzureHound permission notes in docs/snippets/hounds/azurehound-entra-id-permissions.mdx and docs/install-data-collector/install-azurehound/azure-configuration.mdx, including the Entra ID P1/P2 license requirement for AuditLog.Read.All.

Summary by CodeRabbit

  • Documentation
    • Updated AzureHound reader role to include top-level tenant and subscription read permissions and clarified Azure config notes.
    • Streamlined gMSA setup: require “Log on as a batch job”, clarified least-privilege options (Domain Admin not required), standardized scheduled-task examples and result/log locations.
    • Expanded SharpHound collection methods list and fixed a flag example.
    • Added AzureHound Enterprise to scheduling and on-demand scan docs.

Review Change Stack

Add the current SharpHound collection methods and align the port check timeout example with the documented flag.
Use the existing automatic domain controller selection phrasing in the SharpHound Enterprise client setup table.
Replace Domain Admin guidance with least-privilege direction and fix the scheduled task script path.
Clarify that data collection schedules can use an existing SharpHound Enterprise or AzureHound Enterprise collector client.
Clarify that collecting AzureHound signInActivity with AuditLog.Read.All requires a Microsoft Entra ID P1 or P2 license.
Add tenant and subscription read actions to the AzureHound Reader role definition and scripted configuration example.
Remove Domain Admin and Protected Users as collection permission steps, explain implicit Domain Admin local admin access, and fix the scheduled task principal example.
Clarify that on-demand scans can use an existing SharpHound Enterprise or AzureHound Enterprise collector client.
@martinsohn martinsohn self-assigned this May 22, 2026
@martinsohn martinsohn added the documentation Improvements or additions to documentation label May 22, 2026

coderabbitai Bot commented May 22, 2026

Warning

Review limit reached

@martinsohn, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 2 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 77d03db9-b905-42bc-bfe6-e01f3ede29d8

📥 Commits

Reviewing files that changed from the base of the PR and between fd1ac28 and 59e71a1.

📒 Files selected for processing (1)
  • docs/collect-data/ce-collection/create-gmsa-community-edition.mdx

Walkthrough

This PR updates documentation across the BloodHound docs repository to expand Azure role permissions, clarify AzureHound Enterprise support in multiple workflows, refine SharpHound Community Edition gMSA configuration guidance, and correct collection method flags. All changes are documentation-only.

Changes

Documentation Updates for Azure Permissions, Enterprise Features, and Collection Methods

  • Azure permissions and role configuration (docs/assets/azurehound-reader-role.json, docs/install-data-collector/install-azurehound/azure-configuration.mdx, docs/snippets/hounds/azurehound-entra-id-permissions.mdx): Added Microsoft.Resources/tenants/read and Microsoft.Resources/subscriptions/read to the AzureHound Reader role's permissions.actions in both the standalone JSON asset and the embedded ARM template. Expanded the AuditLog.Read.All permission comment to document P1/P2 license requirements and adjusted snippet formatting.
  • AzureHound Enterprise support expansion (docs/collect-data/enterprise-collection/collection-schedule.mdx, docs/collect-data/enterprise-collection/on-demand-scan.mdx, docs/collect-data/enterprise-collection/create-collector.mdx): Updated prerequisites and documentation to include AzureHound Enterprise alongside SharpHound Enterprise and reworded Domain Controller selection guidance to describe automatic selection for LDAP queries.
  • SharpHound Community Edition guidance and flags (docs/collect-data/ce-collection/create-gmsa-community-edition.mdx, docs/collect-data/ce-collection/sharphound-flags.mdx): Rewrote gMSA setup guidance to emphasize the batch-job user right and direct permission grants (clarifying that Domain Admin is not required), standardized scheduled-task examples and paths (C:\Program Files\SharpHound), added ACL guidance for Results/Logs, expanded the CollectionMethods enumeration, and corrected the --PortCheckTimeout example.

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related PRs

  • SpecterOps/bloodhound-docs#245: The standalone Azure role JSON asset update directly overlaps with prior work introducing and defining the AzureHound Reader role's permissions.

Suggested Labels

data-collection

Suggested Reviewers

  • jeff-matthews

Poem

🐰 I hopped through docs to tweak a role and more,

Tenants and subs now added to the store,
Enterprise collectors named where once was one,
gMSA tasks standardized, paths set and done,
Flags and snippets polished — off I hop, encore!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. The title "Collection doc fixes" is vague and generic, using non-descriptive language that does not convey meaningful information about the specific changes made. Resolution: consider a more specific title that highlights the main change, such as "Update collector documentation to correct gMSA guidance and add AzureHound permissions" or "Fix SharpHound CE gMSA requirements and expand AzureHound permissions".

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



mintlify Bot commented May 22, 2026

Preview deployment for your docs.

  • bloodhound: 🟢 Ready, updated May 22, 2026, 2:19 PM (UTC)



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/collect-data/enterprise-collection/collection-schedule.mdx (1)

3-3: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update description to reflect AzureHound Enterprise support.

The frontmatter description mentions only "SharpHound Enterprise collector client" but the prerequisite (line 20) now includes AzureHound Enterprise. Update the description to be inclusive of both collector types.

📝 Proposed fix
-description: Learn how to configure a SharpHound Enterprise collector client to run data collection on a schedule.
+description: Learn how to configure a SharpHound Enterprise or AzureHound Enterprise collector client to run data collection on a schedule.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/collect-data/enterprise-collection/collection-schedule.mdx` at line 3,
Update the frontmatter "description" value to mention both SharpHound and
AzureHound Enterprise collectors (e.g., "Learn how to configure a SharpHound or
AzureHound Enterprise collector client to run data collection on a schedule.")
so it matches the prerequisite that now references AzureHound Enterprise; modify
the description key in the document frontmatter accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/collect-data/ce-collection/create-gmsa-community-edition.mdx`:
- Line 97: Replace both occurrences of the incorrect logon type by updating the
New-ScheduledTaskPrincipal calls: change each instance of the argument
"-LogonType Password" to "-LogonType ServiceAccount" so the scheduled task
principal uses the ServiceAccount logon method appropriate for gMSA-managed
credentials.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65783eae-fb66-4917-acca-469f1d324321

📥 Commits

Reviewing files that changed from the base of the PR and between 833fa22 and 59df956.

📒 Files selected for processing (8)
  • docs/assets/azurehound-reader-role.json
  • docs/collect-data/ce-collection/create-gmsa-community-edition.mdx
  • docs/collect-data/ce-collection/sharphound-flags.mdx
  • docs/collect-data/enterprise-collection/collection-schedule.mdx
  • docs/collect-data/enterprise-collection/create-collector.mdx
  • docs/collect-data/enterprise-collection/on-demand-scan.mdx
  • docs/install-data-collector/install-azurehound/azure-configuration.mdx
  • docs/snippets/hounds/azurehound-entra-id-permissions.mdx


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (2)
docs/collect-data/ce-collection/create-gmsa-community-edition.mdx (2)

164-164: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update gMSA scheduled task principal -LogonType.

Change -LogonType Password to -LogonType ServiceAccount to match the correct logon type for gMSA managed credentials.

🔧 Proposed fix
-$principal = New-ScheduledTaskPrincipal -UserID "$($env:USERDOMAIN)\t0_gMSA_SHS$" -LogonType Password -RunLevel Highest
+$principal = New-ScheduledTaskPrincipal -UserID "$($env:USERDOMAIN)\t0_gMSA_SHS$" -LogonType ServiceAccount -RunLevel Highest
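Review bot: -LogonType ServiceAccount is the right value for a gMSA, but the -UserID argument still builds the domain from $env:USERDOMAIN, which is the logon domain of whoever runs the script (the computer name when it is run from a local account), not necessarily the domain the gMSA was created in. Since this PR standardizes the rest of the page on the explicit DOMAIN\t0_gMSA_SHS$ placeholder, consider using it here too, e.g. -UserID "DOMAIN\t0_gMSA_SHS$", so the copied line does not silently target the wrong domain.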
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/collect-data/ce-collection/create-gmsa-community-edition.mdx` at line
164, Update the New-ScheduledTaskPrincipal invocation that sets $principal to
use the correct gMSA logon type: change the -LogonType argument on the
New-ScheduledTaskPrincipal call (where $principal is created) from Password to
ServiceAccount so the scheduled task principal uses the gMSA ServiceAccount
logon type.

119-119: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update gMSA scheduled task principal -LogonType.

Change -LogonType Password to -LogonType ServiceAccount. For gMSA accounts, ServiceAccount is the appropriate logon type that Task Scheduler uses for managed credentials, as confirmed by the past review.

🔧 Proposed fix
-    $ap = New-ScheduledTaskPrincipal -UserID "$($env:USERDOMAIN)\t0_gMSA_SHS$" -LogonType Password -RunLevel Highest
+    $ap = New-ScheduledTaskPrincipal -UserID "$($env:USERDOMAIN)\t0_gMSA_SHS$" -LogonType ServiceAccount -RunLevel Highest
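Review bot: this line and the one at 164 construct the same principal but store it in $ap here and in $principal there; use one variable name in both scheduled-task examples so a reader can combine them without editing. The same point about deriving the domain from $env:USERDOMAIN applies here: prefer the explicit DOMAIN\t0_gMSA_SHS$ placeholder the page otherwise uses.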
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/collect-data/ce-collection/create-gmsa-community-edition.mdx` at line
119, Update the New-ScheduledTaskPrincipal invocation to use the correct logon
type for gMSA by changing the -LogonType value: locate the call to
New-ScheduledTaskPrincipal (the line creating $ap) and replace -LogonType
Password with -LogonType ServiceAccount so the scheduled task uses the
ServiceAccount logon type appropriate for gMSA accounts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 10bea64f-3d0f-4323-a9d9-41cd41664c2f

📥 Commits

Reviewing files that changed from the base of the PR and between 59df956 and 7f3dc61.

⛔ Files ignored due to path filters (3)
  • docs/assets/sharphound-gmsa-directory-structure.png is excluded by !**/*.png
  • docs/assets/sharphound-gmsa-powershell-env-commands.png is excluded by !**/*.png
  • docs/assets/sharphound-gmsa-powershell-script.png is excluded by !**/*.png
📒 Files selected for processing (2)
  • docs/collect-data/ce-collection/create-gmsa-community-edition.mdx
  • docs/collect-data/enterprise-collection/collection-schedule.mdx
✅ Files skipped from review due to trivial changes (1)
  • docs/collect-data/enterprise-collection/collection-schedule.mdx
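The principal fix discussed in the two review comments above, shown in context as an added PowerShell example (not code from the PR or from the BloodHound docs): it registers a SharpHound collection task that runs as the gMSA with the ServiceAccount logon type and the explicit DOMAIN\t0_gMSA_SHS$ placeholder instead of $env:USERDOMAIN. Assumed, and not taken from the page: the gMSA has already been created and installed on this host, the placeholder domain name, the task name and daily trigger, the 12-hour time limit, and the --CollectionMethods All argument.

```powershell
# Added example, not from the PR or the BloodHound docs.
# Assumes RSAT ActiveDirectory module, an installed gMSA, and SharpHound under
# C:\Program Files\SharpHound (the path this PR standardizes on).
$Domain        = 'DOMAIN'                     # placeholder NetBIOS domain name
$GmsaName      = 't0_gMSA_SHS'                # sAMAccountName without the trailing $
$TaskName      = 'SharpHound Collection'      # assumed task name
$SharpHoundDir = 'C:\Program Files\SharpHound'

# The host must be able to retrieve the managed password, otherwise the task
# will be registered but never log on. Check before touching Task Scheduler.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName is not installed on this host; run Install-ADServiceAccount first."
}

# Run SharpHound from its own directory so Results/Logs land where the ACL
# guidance in this PR expects them. --CollectionMethods All is an assumed argument.
$action = New-ScheduledTaskAction -Execute "$SharpHoundDir\SharpHound.exe" `
    -Argument '--CollectionMethods All' -WorkingDirectory $SharpHoundDir

$trigger = New-ScheduledTaskTrigger -Daily -At 02:00   # assumed schedule

# ServiceAccount is the logon type Task Scheduler uses for gMSA credentials;
# Password (the value the review flagged) is wrong for a managed account.
# "$Domain\$GmsaName$" expands to DOMAIN\t0_gMSA_SHS$ (backslash is not an escape
# in PowerShell and a trailing $ before the closing quote is literal).
$principal = New-ScheduledTaskPrincipal -UserId "$Domain\$GmsaName$" `
    -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 12)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# Confirm the registered principal is the gMSA with the ServiceAccount logon type.
# The gMSA still needs the "Log on as a batch job" user right, which this script
# does not grant; see the gMSA page changed in this PR.
(Get-ScheduledTask -TaskName $TaskName).Principal |
    Select-Object UserId, LogonType, RunLevel
```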


@jeff-matthews jeff-matthews left a comment


Thanks for the PR @martinsohn!

Approved, with one tiny punctuation suggestion.

Co-authored-by: Jeff Matthews <jmatthews@specterops.io>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/collect-data/ce-collection/create-gmsa-community-edition.mdx`:
- Around line 155-157: Convert the plain-text line "Modify the scheduled task to
run as the gMSA account with PowerShell" into a proper subsection heading (so it
appears in the TOC and page structure) and replace the awkward phrase "Either
using:" with a tighter phrase such as "Use one of the following methods:" so the
flow is clear; locate these strings in the document to apply the changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce2d9b8e-544b-4f0f-ab47-94ee7cc64099

📥 Commits

Reviewing files that changed from the base of the PR and between 7f3dc61 and fd1ac28.

📒 Files selected for processing (1)
  • docs/collect-data/ce-collection/create-gmsa-community-edition.mdx

@martinsohn martinsohn merged commit 9fad212 into main May 26, 2026
3 checks passed
@martinsohn martinsohn deleted the collection-doc-fixes branch May 26, 2026 21:39
@github-actions github-actions Bot locked and limited conversation to collaborators May 26, 2026