Report an issue
Back to plugin list
entraid
Official
Premium

Microsoft Entra ID (Azure AD)

This plugin is in preview.

The CloudQuery Microsoft Entra ID (Azure AD) source plugin extracts your Microsoft Entra ID information and loads it into any supported CloudQuery destination

Publisher

cloudquery

Latest version

v1.2.1

Type

Source

Platforms
Date Published

Price per 1M rows

Starting from $15

monthly free quota

1M rows

Set up process


brew install cloudquery/tap/cloudquery

1. Download CLI and login

See installation options

2. Create source and destination configs

Plugin configuration

cloudquery sync entraid.yml postgresql.yml

3. Run the sync

CloudQuery sync

Overview

The CloudQuery Microsoft Entra ID (Azure AD) source plugin extracts your Microsoft Entra ID information and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Authentication

The Microsoft Entra ID source plugin uses the Microsoft Graph API. Authentication is done using a service principal, you can create one using the Azure CLI. First, install the Azure CLI (az).
Then, login with the Azure CLI:
az login
Then, create the service principal the plugin will use to access Entra ID. WARNING: The output of az ad sp create-for-rbac contains credentials that you must protect - Make sure to handle with appropriate care. This example uses bash - The commands for CMD and PowerShell are similar.
az ad sp create-for-rbac --name CloudQuerySP
You can choose any name you'd like for your service-principal, CloudQuerySP is an example. If the service principal doesn't exist it will create a new one, otherwise it will update the existing one
The output of az ad sp create-for-rbac should look like this:
{
  "appId": "YOUR AZURE_CLIENT_ID",
  "displayName": "CloudQuerySP",
  "password": "YOUR AZURE_CLIENT_SECRET",
  "tenant": "YOUR AZURE_TENANT_ID"
}

Exporting environment variables

Next, you need to export the environment variables that the plugin will use to sync Entra ID resources. Copy them from the output of az ad sp create-for-rbac. The example shows how to export environment variables for Linux - exporting for CMD and PowerShell is similar.
  • AZURE_TENANT_ID is tenant in the JSON.
  • AZURE_CLIENT_ID is appId in the JSON.
  • AZURE_CLIENT_SECRET is password in the JSON.
export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>

Adding permissions to the service principal

The Microsoft Graph API requires the service principal to have specific permissions to access the data. We can cover most tables in the plugin with the Global Reader role, but some tables require additional roles. Below is a list of permissions required for each table (some permissions cover more than one table).
TableRequired Permission
entraid_auditlogs_directoryauditsAuditLog.Read.All
entraid_auditlogs_signinsAuditLog.Read.All
entraid_devicemanagement_configurationsDeviceManagementConfiguration.Read.All
entraid_devicemanagement_manageddevicesDeviceManagementManagedDevices.Read.All
entraid_group_lifecyclepoliciesPolicy.Read.All
entraid_identity_conditional_access_policiesPolicy.Read.All
entraid_identityprotection_riskdetectionsIdentityRiskEvent.Read.All
entraid_identityprotection_riskyserviceprincipalsIdentityRiskyServicePrincipal.Read.All
entraid_identityprotection_riskyusersIdentityRiskyUser.Read.All
entraid_identityprotection_serviceprincipalriskdetectionsIdentityRiskEvent.Read.All
entraid_rolemanagement_roleassignmentscheduleinstancesRoleAssignmentSchedule.Read.Directory
entraid_rolemanagement_roleassignmentschedulerequestsRoleAssignmentSchedule.ReadWrite.Directory
entraid_rolemanagement_roleassignmentschedulesRoleAssignmentSchedule.Read.Directory
To add the permissions open the Azure portal, search for Microsoft Entra ID and click the Microsoft Entra ID service to open the overview page. Then, click on Roles and administrators as shown in the image below.
Roles and administrators
Under Roles and administrators, search for the Global Reader role and click on it.
Global Reader
Under the Global Reader role, under the Manage->Assignments sidebar location, click on Add assignments.
Add assignments
Under Add assignments, click no members selected to open a search box for members.
Service principal
Search for the service principal you created earlier and click on it.
Service principal
Approve the next screens to finalize the assignment.
To add specific permissions open App registrations from the Microsoft Entra ID overview page and click on the service principal you created earlier.
App registrations
Under manage->API permissions click on Add a permission.
API permissions
Chose Microsoft Graph.
Microsoft Graph
Then click on Application permissions.
Application permissions
Search for the permission you need to add, for example AuditLog.Read.All, select it and click on Add permissions.
Add permissions
Repeat the process for all permissions required by the tables you want to sync. After adding all permissions, click on Grant admin consent for <your tenant> to finalize the process.
Grant admin before
After granting the permissions, you should see a message like the one below.
Grant admin after
That is it! You have successfully added the required permissions to the service principal.

Configuration

This example syncs from Entra ID to a PostgreSQL database destination. The (top level) source spec section is described in the Source Spec Reference.
kind: source
# Common source-plugin configuration
spec:
  name: entraid
  path: cloudquery/entraid
  registry: cloudquery
  version: "v1.2.1"
  tables: ["*"]
  destinations: ["postgresql"]

  # Entra ID specific configuration
  spec:
    # Optional parameters
    # concurrency: 50000

Entra ID Spec

  • concurrency (integer) (optional) (default: 50000)
    The best effort maximum number of Go routines to use. Lower this number to reduce memory usage.


Incremental syncing

The Entra ID plugin support incremental syncing via MS Graph API delta queries. The following tables support incremental syncing:
To enable incremental syncing for the above tables, set the backend_options configuration as shown in the example below. This is documented in the Managing Incremental Tables section.
kind: source
spec:
  name: "entraid"
  path: "cloudquery/entraid"
  version: "v1.2.1"
  destinations: ["postgresql"]
  tables: ["entraid_applications", "entraid_directoryroles", "entraid_groups", "entraid_serviceprincipals", "entraid_users"]
  backend_options:
    table_name: "cq_state_entraid"
    connection: "@@plugins.postgresql.connection"
---
kind: destination
spec:
  name: "postgresql"
  path: "cloudquery/postgresql"
  version: "v8.2.1"
  spec:
    connection_string: "postgresql://postgres:pass@localhost:5432/postgres?sslmode=disable"


Subscribe to product updates

Be the first to know about new features.


© 2024 CloudQuery, Inc. All rights reserved.