az
).
az login
az ad sp create-for-rbac contains credentials that you must protect - make sure to handle them with appropriate care.
This example uses bash - the commands for CMD and PowerShell are similar.
az ad sp create-for-rbac --name CloudQuerySP
You can choose any name you'd like for your service principal; CloudQuerySP is an example. If the service principal doesn't exist, the command creates a new one; otherwise it updates the existing one.
{
  "appId": "YOUR AZURE_CLIENT_ID",
  "displayName": "CloudQuerySP",
  "password": "YOUR AZURE_CLIENT_SECRET",
  "tenant": "YOUR AZURE_TENANT_ID"
}
az ad sp create-for-rbac.
The example shows how to export environment variables for Linux - exporting for CMD and PowerShell is similar.
AZURE_TENANT_ID is tenant in the JSON.
AZURE_CLIENT_ID is appId in the JSON.
AZURE_CLIENT_SECRET is password in the JSON.
export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>
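The field mapping above, as an added example that is not part of the original page or of CloudQuery's own tooling: a Python helper that turns the `az ad sp create-for-rbac` JSON into the three `export` lines, shell-quotes the values, and writes them to a file only the owner can read. The function names, the file name and the sample values are assumptions constructed for illustration.

```python
import json
import os
import shlex

# Mapping stated on this page: JSON key -> environment variable.
FIELD_TO_ENV = {
    "tenant": "AZURE_TENANT_ID",
    "appId": "AZURE_CLIENT_ID",
    "password": "AZURE_CLIENT_SECRET",
}


def env_lines(sp_json):
    """Turn the create-for-rbac JSON into shell-safe export lines."""
    data = json.loads(sp_json)
    missing = [key for key in FIELD_TO_ENV if not data.get(key)]
    if missing:
        raise ValueError(f"service principal JSON lacks: {missing}")
    # shlex.quote keeps characters such as ~ or $ in the secret literal.
    return [f"export {env}={shlex.quote(str(data[key]))}"
            for key, env in FIELD_TO_ENV.items()]


def write_env_file(sp_json, path):
    """Write the export lines to path, readable by the owner only."""
    body = ("\n".join(env_lines(sp_json)) + "\n").encode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a pre-existing, looser file
        os.write(fd, body)
    finally:
        os.close(fd)
    return path


# Constructed sample in the shape of the JSON above (not real credentials).
SAMPLE = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "CloudQuerySP",
    "password": "s3cr~et$value",
    "tenant": "00000000-0000-0000-0000-000000000002",
})

if __name__ == "__main__":
    import tempfile
    target = os.path.join(tempfile.mkdtemp(), "cloudquery.env")
    write_env_file(SAMPLE, target)
    print(f"wrote {target}; load it with: . {shlex.quote(target)}")
```

Feed the real command output to `write_env_file` and source the resulting file in the shell that runs the sync, so the client secret is never typed on a command line.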
Global Reader role, but some tables require additional roles.
Below is a list of permissions required for each table (some permissions cover more than one table).
Microsoft Entra ID and click the Microsoft Entra ID service to open the overview page. Then, click on Roles and administrators as shown in the image below.
Roles and administrators, search for the Global Reader role and click on it.
Global Reader role, under the Manage->Assignments sidebar location, click on Add assignments.
Add assignments, click no members selected to open a search box for members.
App registrations from the Microsoft Entra ID overview page and click on the service principal you created earlier.
manage->API permissions click on Add a permission.
Microsoft Graph.
Application permissions.
AuditLog.Read.All, select it and click on Add permissions.
Grant admin consent for <your tenant> to finalize the process.
kind: source
# Common source-plugin configuration
spec:
  name: entraid
  path: cloudquery/entraid
  registry: cloudquery
  version: "v3.3.3"
  tables: ["*"]
  destinations: ["postgresql"]
  # Entra ID specific configuration
  # Learn more about the configuration options at https://cql.ink/entraid_source
  spec:
    # Optional parameters
    # concurrency: 50000
concurrency (integer) (optional) (default: 50000)
scheduler (string) (optional) (default: dfs)
dfs (depth-first search), round-robin, shuffle and shuffle-queue.
table_options (Table Options spec) (optional)
entraid_groups
filter (string) (optional)
filter represents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter groups by name, you can use the following filter query: startswith(displayName, 'CloudQuery'). For more information on filter queries, see the Microsoft Graph documentation.
entraid_auditlogs_signins
filter (string) (optional)
filter represents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter sign-ins by date range, you can use the following filter query: createdDateTime ge 2025-01-20T00:00:00Z and createdDateTime le 2025-01-25T23:59:59Z. For more information on filter queries, see the Microsoft Graph documentation.
entraid_users
include_signin_activity (boolean) (optional) (default: false)
true, the signInActivity field will be included in the sync. Please note this requires a Microsoft Entra ID P1 or P2 license, the AuditLog.Read.All permission and reduces the max page size to 120 resulting in a potentially slower sync.
entraid_applications using https://learn.microsoft.com/en-us/graph/api/application-delta
entraid_directoryroles using https://learn.microsoft.com/en-us/graph/api/directoryrole-delta
entraid_groups using https://learn.microsoft.com/en-us/graph/api/group-delta
entraid_serviceprincipals using https://learn.microsoft.com/en-us/graph/api/serviceprincipal-delta
entraid_users using https://learn.microsoft.com/en-us/graph/api/user-delta
backend_options configuration as shown in the example below. This is documented in the Managing Incremental Tables section.
kind: source
spec:
  name: "entraid"
  path: "cloudquery/entraid"
  version: "v3.3.3"
  destinations: ["postgresql"]
  tables: ["entraid_applications", "entraid_directoryroles", "entraid_groups", "entraid_serviceprincipals", "entraid_users"]
  backend_options:
    table_name: "cq_state_entraid"
    connection: "@@plugins.postgresql.connection"
---
kind: destination
spec:
  name: "postgresql"
  path: "cloudquery/postgresql"
  version: "v8.8.13"
  spec:
    connection_string: "postgresql://postgres:pass@localhost:5432/postgres?sslmode=disable"