Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an Azure AD Application
query {
queryazureADApplication{
id
region
appId
applicationTemplateId
apiAcceptMappedClaims
apiKnownClientApplications
apiPreAuthorizedApplications
appRoles{
id
allowedMemberTypes
description
displayName
isEnabled
origin
value
}
createdDateTime
description
disabledByMicrosoftStatus
displayName
groupMembershipClaims
identifierUris
isDeviceOnlyAuthSupported
isFallbackPublicClient
notes
oauth2RequirePostResponse
publicClientRedirectUris
publisherDomain
signInAudience
spaApplicationRedirectUris
webAppHomePageUrl
webAppRedirectUris
tags{
id
key
value
}
authRoleAssignments {
id
}
instancedBy {
id
}
ownerGroups {
id
}
ownerServicePrincipals {
id
}
ownerUsers {
id
}
}
}

Get data for a single Azure AD Application key that you know the ID for:
query {
getazureADApplication(id: "12345") {
id
}
}

Get data for all of the AD Applications in a certain region:
query {
queryazureADApplication(filter: { region: { eq: "eastus" } }) {
id
}
}

Get data for all of the AD Applications that are NOT in a certain region:
query {
queryazureADApplication(filter: { not: { region: { eq: "eastus" } } }) {
id
}
}

Get data for all of the AD Applications that are connected to an authRoleAssignment:
query {
queryazureADApplication(filter: { has: authRoleAssignments }) {
id
}
}

You can order the results you get back either asc or desc depending on your preference:
query {
queryazureADApplication(order: { desc: displayName }) {
id
}
}

Only select and return the first two AD Applications that are found:
query {
queryazureADApplication(first: 2, order: { desc: displayName }) {
id
}
}

Only select and return the first two AD Applications that are found, but offset by one so keys two & three are returned:
query {
queryazureADApplication(first: 2, order: { desc: displayName }, offset: 1) {
id
}
}

Count the number of AD Applications across all scanned Azure subscriptions:
query {
aggregateazureADApplication {
count
}
}

Find all of the AD Applications that are in the eastus region across all your accounts:
query {
queryazureADApplication(filter: { region: { eq: "eastus" } }) {
id
}
}

Find all of the AD Applications that have a tag of Environment:Production for a single Azure Subscription:
query {
queryazureTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
adApplications{
id
}
}
}

With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
queryazureADApplication(filter: { region: { eq: "eastus" } }) {
id
}
queryazureTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
adApplications{
id
}
}
}

Putting it all together; get all data for all AD Applications across all regions for all scanned Azure subscriptions in a single query. For the purposes of this example, we will only get direct children of the keys but if you want to it's easy to go from say, instancedBy -> authRoleAssignment -> authRoleDefinition ...etc:
query {
queryazureADApplication{
id
region
appId
applicationTemplateId
apiAcceptMappedClaims
apiKnownClientApplications
apiPreAuthorizedApplications
appRoles{
id
}
createdDateTime
description
disabledByMicrosoftStatus
displayName
groupMembershipClaims
identifierUris
isDeviceOnlyAuthSupported
isFallbackPublicClient
notes
oauth2RequirePostResponse
publicClientRedirectUris
publisherDomain
signInAudience
spaApplicationRedirectUris
webAppHomePageUrl
webAppRedirectUris
tags{
id
key
value
}
authRoleAssignments{
id
name
type
region
subscriptionId
scope
roleDefinitionId
principalId
principalType
canDelegate
applications{
id
}
groups{
id
}
roleDefinition{
id
}
servicePrincipals{
id
}
users{
id
}
}
instancedBy {
id
deletedDateTime
accountEnabled
alternativeNames
appDescription
appDisplayName
appId
applicationTemplateId
appOwnerOrganizationId
appRoleAssignmentRequired
appRoles{
id
}
description
disabledByMicrosoftStatus
displayName
homepage
loginUrl
logoutUrl
notes
notificationEmailAddresses
preferredSingleSignOnMode
replyUrls
servicePrincipalNames
servicePrincipalType
signInAudience
tokenEncryptionKeyId
appRoleAssignedTo{
id
}
appRoleAssignments{
id
}
endpoints{
id
deletedDateTime
capability
providerId
providerName
providerResourceId
uri
}
tags{
id
key
value
}
appOwnerOf{
id
}
instanceOf{
id
}
authRoleAssignments{
id
}
}
ownerGroups {
id
deletedDateTime
classification
createdDateTime
description
displayName
expirationDateTime
groupTypes
isAssignableToRole
mail
mailEnabled
mailNickname
membershipRule
membershipRuleProcessingState
onPremisesDomainName
onPremisesLastSyncDateTime
onPremisesNetBiosName
onPremisesSamAccountName
onPremisesSecurityIdentifier
onPremisesSyncEnabled
preferredDataLocation
preferredLanguage
proxyAddresses
renewedDateTime
securityEnabled
visibility
allowExternalSenders
isSubscribedByMail
isArchived
appRoleAssignments{
id
}
permissionGrants{
id
clientAppId
clientId
permission
permissionType
resourceAppId
}
settings{
id
deletedDateTime
displayName
templateId
values{
id
name
value
}
}
appOwnerOf{
id
}
authRoleAssignments{
id
}
}
ownerServicePrincipals {
id
deletedDateTime
accountEnabled
alternativeNames
appDescription
appDisplayName
appId
applicationTemplateId
appOwnerOrganizationId
appRoleAssignmentRequired
appRoles{
id
}
description
disabledByMicrosoftStatus
displayName
homepage
loginUrl
logoutUrl
notes
notificationEmailAddresses
preferredSingleSignOnMode
replyUrls
servicePrincipalNames
servicePrincipalType
signInAudience
tokenEncryptionKeyId
appRoleAssignedTo{
id
}
appRoleAssignments{
id
}
endpoints{
id
deletedDateTime
capability
providerId
providerName
providerResourceId
uri
}
tags{
id
key
value
}
appOwnerOf{
id
}
instanceOf{
id
}
authRoleAssignments{
id
}
}
ownerUsers {
id
deletedDateTime
accountEnabled
ageGroup
city
companyName
country
createdDateTime
creationType
department
displayName
employeeHireDate
employeeId
employeeType
externalUserState
externalUserStateChangeDateTime
givenName
isResourceAccount
lastPasswordChangeDateTime
mail
mailNickname
officeLocation
onPremisesDistinguishedName
onPremisesDomainName
onPremisesImmutableId
onPremisesLastSyncDateTime
onPremisesSyncEnabled
onPremisesUserPrincipalName
otherMails
passwordPolicies
preferredLanguage
proxyAddresses
state
surname
usageLocation
userPrincipalName
userType
preferredName
responsibilities
appOwnerOf{
id
}
appRoleAssignments{
id
}
authRoleAssignments{
id
}
}
}
}

