Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
Overview
You can currently query the following attributes and connections on an Azure AD Application
GraphQL
|
query{queryazureADApplication{idregionappIdapplicationTemplateIdapiAcceptMappedClaimsapiKnownClientApplicationsapiPreAuthorizedApplicationsappRoles{idallowedMemberTypesdescriptiondisplayNameisEnabledoriginvalue}createdDateTimedescriptiondisabledByMicrosoftStatusdisplayNamegroupMembershipClaimsidentifierUrisisDeviceOnlyAuthSupportedisFallbackPublicClientnotesoauth2RequirePostResponsepublicClientRedirectUrispublisherDomainsignInAudiencespaApplicationRedirectUriswebAppHomePageUrlwebAppRedirectUristags{idkeyvalue}authRoleAssignments{id# Other fields and connections here...}instancedBy{id# Other fields and connections here...}ownerGroups{id# Other fields and connections here...}ownerServicePrincipals{id# Other fields and connections here...}ownerUsers{id# Other fields and connections here...}}}
Filtering
Get data for a single Azure AD Application key that you know the ID for:
GraphQL
|
query{getazureADApplication(id:"12345"){id# Other fields and connections here...}}
Get data for all of the AD Applications in a certain region:
GraphQL
|
query{queryazureADApplication(filter:{region:{eq:"eastus"}}){id# Other fields and connections here...}}# Note that in addition to "region" you can# Filter based on any of the following attributes:# id# appId# applicationTemplateId# apiAcceptMappedClaims# apiKnownClientApplications# apiPreAuthorizedApplications# createdDateTime# description# disabledByMicrosoftStatus# displayName# groupMembershipClaims# identifierUris# isDeviceOnlyAuthSupported# isFallbackPublicClient# notes# oauth2RequirePostResponse# publicClientRedirectUris# publisherDomain# signInAudience# spaApplicationRedirectUris# webAppHomePageUrl# webAppRedirectUris# And the following Dgraph filters can also be applied:# has# and# or# not# regexp (regular expressions)# fulltext filters# alloftext# anyoftext
Get data for all of the AD Applications that are NOT in a certain region:
GraphQL
|
query{queryazureADApplication(filter:{not:{region:{eq:"eastus"}}}){id# Other fields and connections here...}}
Advanced Filtering
Get data for all of the AD Applications that are connected to an authRoleAssignment:
GraphQL
|
query{queryazureADApplication(filter:{has:authRoleAssignments}){id# Other fields and connections here...}}# Note that in addition to "authRoleAssignments" you can filter# Using "has" based on any of the following attributes:# tags# instancedBy# ownerGroups# ownerServicePrincipals# ownerUsers
Ordering
You can order the results you get back either asc or desc depending on your preference:
GraphQL
|
query{queryazureADApplication(order:{desc:displayName}){id# Other fields and connections here...}}# Note that in addition to "displayName" you can filter# Using "asc" or "desc" based on any of the following attributes:# id# appId# applicationTemplateId# apiAcceptMappedClaims# apiKnownClientApplications# apiPreAuthorizedApplications# createdDateTime# description# disabledByMicrosoftStatus# region# groupMembershipClaims# identifierUris# isDeviceOnlyAuthSupported# isFallbackPublicClient# notes# oauth2RequirePostResponse# publicClientRedirectUris# publisherDomain# signInAudience# spaApplicationRedirectUris# webAppHomePageUrl# webAppRedirectUris
Only select and return the first two AD Applications that are found:
GraphQL
|
query{queryazureADApplication(first:2,order:{desc:displayName}){id# Other fields and connections here...}}
Only select and return the first two AD Applications that are found, but offset by one so keys two & three are returned:
GraphQL
|
query{queryazureADApplication(first:2,order:{desc:displayName},offset:1){id# Other fields and connections here...}}
Aggregation
Count the number of AD Applications across all scanned Azure subscriptions:
GraphQL
|
query{aggregateazureADApplication{count# Other fields and connections here...}}# Note that in addition to "count" you can request the# Following min and max values based on attributes of your AD Applications:# idMin# idMax# regionMin# regionMax# appIdMin# appIdMax# applicationTemplateIdMin# applicationTemplateIdMax# createdDateTimeMin# createdDateTimeMax# descriptionMin# descriptionMax# disabledByMicrosoftStatusMin# disabledByMicrosoftStatusMax# displayNameMin# displayNameMax# groupMembershipClaimsMin# groupMembershipClaimsMax# notesMin# notesMax# publisherDomainMin# publisherDomainMax# signInAudienceMin# signInAudienceMax# webAppHomePageUrlMin# webAppHomePageUrlMax
Examples
Find all of the AD Applications that are in the eastus region across all your accounts:
GraphQL
|
query{queryazureADApplication(filter:{region:{eq:"eastus"}}){id# Other fields and connections here...}}
Find all of the AD Applications that have a tag of Environment:Production for a single Azure Subscription:
GraphQL
|
query{queryazureTag(filter:{key:{eq:"Environment"},value:{eq:"Production"}}){adApplications{id# Other fields and connections here...}}}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
GraphQL
|
query{queryazureADApplication(filter:{region:{eq:"eastus"}}){id# Other fields and connections here...}queryazureTag(filter:{key:{eq:"Environment"},value:{eq:"Production"}}){adApplications{id# Other fields and connections here...}}}
Kitchen Sink
Putting it all together; get all data for all AD Applications across all regions for all scanned Azure subscriptions in a single query. For the purposes of this example, we will only get direct children of the keys but if you want to it's easy to go from say, instancedBy -> authRoleAssignment -> authRoleDefinition ...etc:
GraphQL
|
query{queryazureADApplication{idregionappIdapplicationTemplateIdapiAcceptMappedClaimsapiKnownClientApplicationsapiPreAuthorizedApplicationsappRoles{id# Other fields and connections here...}createdDateTimedescriptiondisabledByMicrosoftStatusdisplayNamegroupMembershipClaimsidentifierUrisisDeviceOnlyAuthSupportedisFallbackPublicClientnotesoauth2RequirePostResponsepublicClientRedirectUrispublisherDomainsignInAudiencespaApplicationRedirectUriswebAppHomePageUrlwebAppRedirectUristags{idkeyvalue}authRoleAssignments{idnametyperegionsubscriptionIdscoperoleDefinitionIdprincipalIdprincipalTypecanDelegateapplications{id# Other fields and connections here...}groups{id# Other fields and connections here...}roleDefinition{id# Other fields and connections here...}servicePrincipals{id# Other fields and connections here...}users{id# Other fields and connections here...}}instancedBy{iddeletedDateTimeaccountEnabledalternativeNamesappDescriptionappDisplayNameappIdapplicationTemplateIdappOwnerOrganizationIdappRoleAssignmentRequiredappRoles{id# Other fields and connections here...}descriptiondisabledByMicrosoftStatusdisplayNamehomepageloginUrllogoutUrlnotesnotificationEmailAddressespreferredSingleSignOnModereplyUrlsservicePrincipalNamesservicePrincipalTypesignInAudiencetokenEncryptionKeyIdappRoleAssignedTo{id# Other fields and connections here...}appRoleAssignments{id# Other fields and connections here...}endpoints{iddeletedDateTimecapabilityproviderIdproviderNameproviderResourceIduri}tags{idkeyvalue}appOwnerOf{id# Other fields and connections here...}instanceOf{id# Other fields and connections here...}authRoleAssignments{id# Other fields and connections here...}}ownerGroups{iddeletedDateTimeclassificationcreatedDateTimedescriptiondisplayNameexpirationDateTimegroupTypesisAssignableToRolemailmailEnabledmailNicknamemembershipRulemembershipRuleProcessingStateonPremisesDomainNameonPremisesLastSyncDateTimeonPremisesNetBiosNameonPremisesSamAccountNameonPremisesSecurityIdentifieronPremisesSyncEnabledpreferredDataLocationpreferredLanguageproxyAddressesrenewedDateTimesecurityEnabledvisibilityallowExternalSendersisSubscribedByMailisArchivedappRoleAssignments{id# Other fields and connections here...}permissionGrants{idclientAppIdclientIdpermissionpermissionTyperesourceAppId}settings{iddeletedDateTimedisplayNametemplateIdvalues{idnamevalue}}appOwnerOf{id# Other fields and connections here...}authRoleAssignments{id# Other fields and connections here...}}ownerServicePrincipals{iddeletedDateTimeaccountEnabledalternativeNamesappDescriptionappDisplayNameappIdapplicationTemplateIdappOwnerOrganizationIdappRoleAssignmentRequiredappRoles{id# Other fields and connections here...}descriptiondisabledByMicrosoftStatusdisplayNamehomepageloginUrllogoutUrlnotesnotificationEmailAddressespreferredSingleSignOnModereplyUrlsservicePrincipalNamesservicePrincipalTypesignInAudiencetokenEncryptionKeyIdappRoleAssignedTo{id# Other fields and connections here...}appRoleAssignments{id# Other fields and connections here...}endpoints{iddeletedDateTimecapabilityproviderIdproviderNameproviderResourceIduri}tags{idkeyvalue}appOwnerOf{id# Other fields and connections here...}instanceOf{id# Other fields and connections here...}authRoleAssignments{id# Other fields and connections here...}}ownerUsers{iddeletedDateTimeaccountEnabledageGroupcitycompanyNamecountrycreatedDateTimecreationTypedepartmentdisplayNameemployeeHireDateemployeeIdemployeeTypeexternalUserStateexternalUserStateChangeDateTimegivenNameisResourceAccountlastPasswordChangeDateTimemailmailNicknameofficeLocationonPremisesDistinguishedNameonPremisesDomainNameonPremisesImmutableIdonPremisesLastSyncDateTimeonPremisesSyncEnabledonPremisesUserPrincipalNameotherMailspasswordPoliciespreferredLanguageproxyAddressesstatesurnameusageLocationuserPrincipalNameuserTypepreferredNameresponsibilitiesappOwnerOf{id# Other fields and connections here...}appRoleAssignments{id# Other fields and connections here...}authRoleAssignments{id# Other fields and connections here...}}}}
