Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes on an Authorization Role Assignment
query {
queryazureAuthRoleAssignment{
id
name
type
region
subscriptionId
scope
roleDefinitionId
principalId
principalType
canDelegate
applications {
id
}
groups {
id
}
roleDefinition {
id
}
servicePrincipals {
id
}
users {
id
}
}
}
Get data for a single Authorization Role Assignment key that you know the ID for:
query {
getazureAuthRoleAssignment(id: "12345") {
id
}
}
Get data for all of the Authorization Role Assignments in a certain Azure subscription:
query {
queryazureAuthRoleAssignment(filter: { subscriptionId: { eq: "12345" } }) {
id
}
}
Get data for all of the Authorization Role Assignments that are NOT in a certain Azure subscription:
query {
queryazureAuthRoleAssignment(filter: { not: { subscriptionId: { eq: "12345" } } }) {
id
}
}
Get data for all of the Authorization Role Assignments that are connected to an application:
query {
queryazureAuthRoleAssignment(filter: { has: applications } ) {
id
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryazureAuthRoleAssignment(order: { desc: name }) {
id
}
}
Only select and return the first two Azure Authorization Role Assignments that are found:
query {
queryazureAuthRoleAssignment(first: 2, order: { desc: name }) {
id
}
}
Only select and return the first two Authorization Role Assignments that are found, but offset by one so keys two & three are returned:
query {
queryazureAuthRoleAssignment(first: 2, order: { desc: name }, offset: 1) {
id
}
}
Count the number of Authorization Role Assignments across all scanned Azure subscriptions:
query {
aggregateazureAuthRoleAssignment {
count
}
}
Count the number of Authorization Role Assignments in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregateazureAuthRoleAssignment(filter: { subscriptionId: { eq: "12345" } }) {
count
}
}
Find all of the Authorization Role Assignments that are in the eastus region across all your accounts:
query {
queryazureAuthRoleAssignment(filter: { region: { eq: "eastus" } }) {
id
}
}
Putting it all together; get all data for all Authorization Role Assignments across all regions for all scanned Azure subscriptions in a single query:
query {
queryazureAuthRoleAssignment{
id
name
type
region
subscriptionId
scope
roleDefinitionId
principalId
principalType
canDelegate
applications {
id
region
appId
applicationTemplateId
apiAcceptMappedClaims
apiKnownClientApplications
apiPreAuthorizedApplications
appRoles{
id
allowedMemberTypes
description
displayName
isEnabled
origin
value
}
createdDateTime
description
disabledByMicrosoftStatus
displayName
groupMembershipClaims
identifierUris
isDeviceOnlyAuthSupported
isFallbackPublicClient
notes
oauth2RequirePostResponse
publicClientRedirectUris
publisherDomain
signInAudience
spaApplicationRedirectUris
webAppHomePageUrl
webAppRedirectUris
tags{
id
key
value
}
authRoleAssignments {
id
}
instancedBy {
id
}
ownerGroups {
id
}
ownerServicePrincipals {
id
}
ownerUsers {
id
}
}
groups {
id
deletedDateTime
classification
createdDateTime
description
displayName
expirationDateTime
groupTypes
isAssignableToRole
mail
mailEnabled
mailNickname
membershipRule
membershipRuleProcessingState
onPremisesDomainName
onPremisesLastSyncDateTime
onPremisesNetBiosName
onPremisesSamAccountName
onPremisesSecurityIdentifier
onPremisesSyncEnabled
preferredDataLocation
preferredLanguage
proxyAddresses
renewedDateTime
securityEnabled
visibility
allowExternalSenders
isSubscribedByMail
isArchived
permissionGrants {
id
clientAppId
clientId
permission
permissionType
resourceAppId
}
settings {
id
deletedDateTime
displayName
templateId
values {
id
name
value
}
}
appOwnerOf {
id
}
authRoleAssignments {
id
}
}
roleDefinition {
id
name
type
region
subscriptionId
roleName
description
roleType
permissions {
id
actions
notActions
dataActions
notDataActions
}
assignableScopes
}
servicePrincipals {
id
deletedDateTime
accountEnabled
alternativeNames
appDescription
appDisplayName
appId
applicationTemplateId
appOwnerOrganizationId
appRoleAssignmentRequired
appRoles {
id
}
description
disabledByMicrosoftStatus
displayName
homepage
loginUrl
logoutUrl
notes
notificationEmailAddresses
preferredSingleSignOnMode
replyUrls
servicePrincipalNames
servicePrincipalType
signInAudience
tokenEncryptionKeyId
appRoleAssignedTo {
id
}
appRoleAssignments {
id
}
endpoints{
id
deletedDateTime
capability
providerId
providerName
providerResourceId
uri
}
tags {
id
key
value
}
appOwnerOf {
id
}
instanceOf {
id
}
authRoleAssignments {
id
}
}
users {
id
deletedDateTime
accountEnabled
ageGroup
city
companyName
country
createdDateTime
creationType
department
displayName
employeeHireDate
employeeId
employeeType
externalUserState
externalUserStateChangeDateTime
givenName
isResourceAccount
lastPasswordChangeDateTime
mail
mailNickname
officeLocation
onPremisesDistinguishedName
onPremisesDomainName
onPremisesImmutableId
onPremisesLastSyncDateTime
onPremisesSyncEnabled
onPremisesUserPrincipalName
otherMails
passwordPolicies
preferredLanguage
proxyAddresses
state
surname
usageLocation
userPrincipalName
userType
preferredName
responsibilities
appOwnerOf{
id
}
appRoleAssignments{
id
}
authRoleAssignments{
id
}
}
}
}