The CloudQuery Microsoft Entra ID (Azure AD) source plugin extracts your Microsoft Entra ID information and loads it into any supported CloudQuery destination
Publisher
cloudquery
Latest version
v3.6.0
Type
Source
Platforms
Date Published
Loading plugin documentation
We use tracking cookies to understand how you use the product and help us improve it. Please accept cookies to help us improve. You can always opt out later via the link in the footer.
az).az login
az ad sp create-for-rbac contains credentials that you must protect - Make sure to handle with appropriate care.
This example uses bash - The commands for CMD and PowerShell are similar.az ad sp create-for-rbac --name CloudQuerySP
You can choose any name you'd like for your service-principal,CloudQuerySPis an example. If the service principal doesn't exist it will create a new one, otherwise it will update the existing one
{
"appId": "YOUR AZURE_CLIENT_ID",
"displayName": "CloudQuerySP",
"password": "YOUR AZURE_CLIENT_SECRET",
"tenant": "YOUR AZURE_TENANT_ID"
}
az ad sp create-for-rbac.
The example shows how to export environment variables for Linux - exporting for CMD and PowerShell is similar.AZURE_TENANT_ID is tenant in the JSON.AZURE_CLIENT_ID is appId in the JSON.AZURE_CLIENT_SECRET is password in the JSON.export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>
Global Reader role, but some tables require additional roles.
Below is a list of permissions required for each table (some permissions cover more than one table).Microsoft Entra ID and click the Microsoft Entra ID service to open the overview page.
Then, click on Roles and administrators as shown in the image below.
Roles and administrators, search for the Global Reader role and click on it.
Global Reader role, under the Manage->Assignments sidebar location, click on Add assignments.
Add assignments, click no members selected to open a search box for members.
App registrations from the Microsoft Entra ID overview page and click on the service principal you created earlier.
manage->API permissions click on Add a permission.
Microsoft Graph.
Application permissions.
AuditLog.Read.All, select it and click on Add permissions.
Grant admin consent for <your tenant> to finalize the process.
kind: source
# Common source-plugin configuration
spec:
name: entraid
path: cloudquery/entraid
registry: cloudquery
version: "v3.6.0"
tables: ["*"]
destinations: ["postgresql"]
# Entra ID specific configuration
# Learn more about the configuration options at https://cql.ink/entraid_source
spec:
# Optional parameters
# concurrency: 50000
# http_client_timeout: 100s
# retry_max_attempts: 3
# retry_delay_seconds: 3
concurrency (integer) (optional) (default: 50000)scheduler (string) (optional) (default: dfs)dfs (depth-first search), round-robin, shuffle and shuffle-queue.http_client_timeout (duration) (optional) (default: 100s)retry_max_attempts (integer) (optional) (default: 3)retry_delay_seconds (integer) (optional) (default: 3)table_options (Table Options spec) (optional)entraid_groupsfilter (string) (optional)filter represents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter groups by name, you can use the following filter query: startswith(displayName, 'CloudQuery'). For more information on filter queries, see the Microsoft Graph documentation.entraid_auditlogs_signinsfilter (string) (optional)filter represents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter sign-ins by date range, you can use the following filter query: createdDateTime ge 2025-01-20T00:00:00Z and createdDateTime le 2025-01-25T23:59:59Z. For more information on filter queries, see the Microsoft Graph documentation.entraid_usersinclude_signin_activity (boolean) (optional) (default: false)true, the signInActivity field will be included in the sync. Please note this requires a Microsoft Entra ID P1 or P2 license, the AuditLog.Read.All permission and reduces the max page size to 120 resulting in a potentially slower sync.entraid_applications using https://learn.microsoft.com/en-us/graph/api/application-deltaentraid_directoryroles using https://learn.microsoft.com/en-us/graph/api/directoryrole-deltaentraid_groups using https://learn.microsoft.com/en-us/graph/api/group-deltaentraid_serviceprincipals using https://learn.microsoft.com/en-us/graph/api/serviceprincipal-deltaentraid_users using https://learn.microsoft.com/en-us/graph/api/user-deltabackend_options configuration as shown in the example below. This is documented in the Managing Incremental Tables section.kind: source
spec:
name: "entraid"
path: "cloudquery/entraid"
version: "v3.6.0"
destinations: ["postgresql"]
tables: ["entraid_applications", "entraid_directoryroles", "entraid_groups", "entraid_serviceprincipals", "entraid_users"]
backend_options:
table_name: "cq_state_entraid"
connection: "@@plugins.postgresql.connection"
---
kind: destination
spec:
name: "postgresql"
path: "cloudquery/postgresql"
version: "v8.12.1"
spec:
connection_string: "postgresql://postgres:pass@localhost:5432/postgres?sslmode=disable"