fix backfill run condition

README.md

@@ -99,6 +99,7 @@ python3 sscollector.pyz spn -t <tenant> -c <clientID> -s <clientSecret>
 - **--json**: Convert SQLite output to JSON (**WARNING: STORMSPOTTER ONLY PARSES SQLITE FORMAT** )
   - This option is useful if you want to parse the output for reasons other than Stormspotter.
 - **--ssl-cert**: Specify an SSL cert for Stormcollector to use for requests. Not a common option
+- **--backfill**: Perform AAD enumeration only for object IDs associated with RBAC enumeration. Only applicable when --azure is specified.
 
 **Uploading Results**
 

stormcollector/stormcollector/aad.py

@@ -123,10 +123,13 @@ class AADObject:
                     )
                     next_link = False
 
+        # Finish cleanly
         await self.session.close()
         self._token_event.token_refresh_task.cancel()
 
-        logger.info(f"Finished query for {self.__class__.__name__}")
+        # Prevent logging for each backfill item
+        if not object_id:
+            logger.info(f"Finished query for {self.__class__.__name__}")
 
 
 @dataclass

stormcollector/stormcollector/arm.py

@@ -190,7 +190,8 @@ async def query_arm(ctx: Context, args: argparse.Namespace) -> None:
                         if args.backfill:
                             backfills[role["principal_type"]].add(role["principal_id"])
 
-            if args.backfill:
+            # Only do backfill if azure argument is true (meaning specified on command line)
+            if args.azure and args.backfill:
                 await rbac_backfill(ctx, args, backfills)
 
             # ENUMERATE TENANT DATA