website logo
HomeGithubSlack
⌘K
Overview
Quick Start
Supported Services
Running CloudGraph in EKS
Compliance
Rules Engine
AWS
Querying AWS Data
AWS Policy Packs
Billing Data
Services
Azure
Querying Azure Data
Azure Policy Packs
Services
GCP
Querying GCP Data
GCP Policy Packs
Services
K8s
Querying Kubernetes Data
Services
Docs powered by
Archbee
Azure
...
Services
Active Directory

AD User

14min

Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on an Azure AD User

GraphQL
|
query {
  queryazureADUser{
    id
    deletedDateTime
    accountEnabled
    ageGroup
    city
    companyName
    country
    createdDateTime
    creationType
    department
    displayName
    employeeHireDate
    employeeId
    employeeType
    externalUserState
    externalUserStateChangeDateTime
    givenName
    isResourceAccount
    lastPasswordChangeDateTime
    mail
    mailNickname
    officeLocation
    onPremisesDistinguishedName
    onPremisesDomainName
    onPremisesImmutableId
    onPremisesLastSyncDateTime
    onPremisesSyncEnabled
    onPremisesUserPrincipalName
    otherMails
    passwordPolicies
    preferredLanguage
    proxyAddresses
    state
    surname
    usageLocation
    userPrincipalName
    userType
    preferredName
    responsibilities
    appOwnerOf{
      id
      # Other fields and connections here...
    }
    appRoleAssignments{
      id
      # Other fields and connections here...
    }
    authRoleAssignments{
      id
      # Other fields and connections here...
    }
  }
}


Filtering

Get data for a single Azure AD User key that you know the ID for:

GraphQL
|
query {
  getazureADUser(id: "12345") {
    id
    # Other fields and connections here...
  }
}


Get data for all of the AD Users with an enabled account across all accounts:

GraphQL
|
query {
  queryazureADUser(filter: { accountEnabled: { eq: true } }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "accountEnabled" you can
# Filter based on any of the following attributes:

# id
# deletedDateTime
# ageGroup
# city
# companyName
# country
# createdDateTime
# creationType
# department
# displayName
# employeeHireDate
# employeeId
# employeeType
# externalUserState
# externalUserStateChangeDateTime
# givenName
# isResourceAccount
# lastPasswordChangeDateTime
# mail
# mailNickname
# officeLocation
# onPremisesDistinguishedName
# onPremisesDomainName
# onPremisesImmutableId
# onPremisesLastSyncDateTime
# onPremisesSyncEnabled
# onPremisesUserPrincipalName
# otherMails
# passwordPolicies
# preferredLanguage
# proxyAddresses
# state
# surname
# usageLocation
# userPrincipalName
# userType
# preferredName
# responsibilities

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters
# alloftext
# anyoftext


Advanced Filtering

Get data for all of the AD Users that are connected to an appRoleAssignment:

GraphQL
|
query {
  queryazureADUser(filter: { has: appRoleAssignments }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "appRoleAssignments" you can filter
# Using "has" based on any of the following attributes:

# appOwnerOf
# authRoleAssignments


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryazureADUser(order: { desc: surname }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "surname" you can filter
# Using "asc" or "desc" based on any of the following attributes:

# id
# deletedDateTime
# accountEnabled
# ageGroup
# city
# companyName
# country
# createdDateTime
# creationType
# department
# displayName
# employeeHireDate
# employeeId
# employeeType
# externalUserState
# externalUserStateChangeDateTime
# givenName
# isResourceAccount
# lastPasswordChangeDateTime
# mail
# mailNickname
# officeLocation
# onPremisesDistinguishedName
# onPremisesDomainName
# onPremisesImmutableId
# onPremisesLastSyncDateTime
# onPremisesSyncEnabled
# onPremisesUserPrincipalName
# preferredLanguage
# state
# usageLocation
# userPrincipalName
# userType
# preferredName


Only select and return the first two AD Users that are found:

GraphQL
|
query {
  queryazureADUser(first: 2, order: { desc: displayName }) {
    id
    # Other fields and connections here...
  }
}


Only select and return the first two AD Users that are found, but offset by one so keys two & three are returned:

GraphQL
|
query {
  queryazureADUser(first: 2, order: { desc: displayName }, offset: 1) {
    id
    # Other fields and connections here...
  }
}


Aggregation

Count the number of AD Users across all scanned Azure subscriptions:

GraphQL
|
query {
  aggregateazureADUser {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# Following min and max values based on attributes of your AD Users:

# idMin
# idMax
# deletedDateTimeMin
# deletedDateTimeMax
# ageGroupMin
# ageGroupMax
# cityMin
# cityMax
# companyNameMin
# companyNameMax
# countryMin
# countryMax
# createdDateTimeMin
# createdDateTimeMax
# creationTypeMin
# creationTypeMax
# departmentMin
# departmentMax
# displayNameMin
# displayNameMax
# employeeHireDateMin
# employeeHireDateMax
# employeeIdMin
# employeeIdMax
# employeeTypeMin
# employeeTypeMax
# externalUserStateMin
# externalUserStateMax
# externalUserStateChangeDateTimeMin
# externalUserStateChangeDateTimeMax
# givenNameMin
# givenNameMax
# lastPasswordChangeDateTimeMin
# lastPasswordChangeDateTimeMax
# mailMin
# mailMax
# mailNicknameMin
# mailNicknameMax
# officeLocationMin
# officeLocationMax
# onPremisesDistinguishedNameMin
# onPremisesDistinguishedNameMax
# onPremisesDomainNameMin
# onPremisesDomainNameMax
# onPremisesImmutableIdMin
# onPremisesImmutableIdMax
# onPremisesLastSyncDateTimeMin
# onPremisesLastSyncDateTimeMax
# onPremisesUserPrincipalNameMin
# onPremisesUserPrincipalNameMax
# passwordPoliciesMin
# passwordPoliciesMax
# preferredLanguageMin
# preferredLanguageMax
# stateMin
# stateMax
# surnameMin
# surnameMax
# usageLocationMin
# usageLocationMax
# userPrincipalNameMin
# userPrincipalNameMax
# userTypeMin
# userTypeMax
# preferredNameMin
# preferredNameMax


Count the number of AD Users with enabled accounts. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregateazureADUser(filter: { accountEnabled: true }) {
    count
  }
}


Examples

Find all of the AD Users that are in the management department across all your accounts:

GraphQL
|
query {
  queryazureADUser(filter: { department: { eq: "management" } }) {
    id
    # Other fields and connections here...
  }
}


Kitchen Sink

Putting it all together; get all data for all AD Users across all regions for all scanned Azure subscriptions in a single query. For the purposes of this example, we will only get direct children of the keys but if you want to it's easy to go from say, disk -> virtualMachine -> networkInterface ...etc:

GraphQL
|
query {
  queryazureADUser{
    id
    deletedDateTime
    accountEnabled
    ageGroup
    city
    companyName
    country
    createdDateTime
    creationType
    department
    displayName
    employeeHireDate
    employeeId
    employeeType
    externalUserState
    externalUserStateChangeDateTime
    givenName
    isResourceAccount
    lastPasswordChangeDateTime
    mail
    mailNickname
    officeLocation
    onPremisesDistinguishedName
    onPremisesDomainName
    onPremisesImmutableId
    onPremisesLastSyncDateTime
    onPremisesSyncEnabled
    onPremisesUserPrincipalName
    otherMails
    passwordPolicies
    preferredLanguage
    proxyAddresses
    state
    surname
    usageLocation
    userPrincipalName
    userType
    preferredName
    responsibilities
    appOwnerOf{
      id
      # Other fields and connections here...
    }
    appRoleAssignments{
      id
      # Other fields and connections here...
    }
    authRoleAssignments{
      id
      # Other fields and connections here...
    }
  }
}


References

Dgraph documentation on querying

Azure AD User Documentation

Updated 03 Mar 2023
Did this page help you?
PREVIOUS
AD Service Principal
NEXT
AD Security Defaults Policy
Docs powered by
Archbee
TABLE OF CONTENTS
Overview
Filtering
Advanced Filtering
Ordering
Aggregation
Examples
Kitchen Sink
References
Docs powered by
Archbee