Back to source list
Official
Premium
Microsoft Entra ID (Azure AD)
The CloudQuery Microsoft Entra ID (Azure AD) source plugin extracts your Microsoft Entra ID information and loads it into any supported CloudQuery destination
Publisher
cloudquery
Latest version
v3.3.0
Type
Source
Platforms
Date Published
Overview #
The CloudQuery Microsoft Entra ID (Azure AD) source plugin extracts your Microsoft Entra ID information and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).
Authentication #
The Microsoft Entra ID source plugin uses the Microsoft Graph API. Authentication is done using a service principal, you can create one using the Azure CLI.
First, install the Azure CLI (
az).Then, login with the Azure CLI:
az login
Then, create the service principal the plugin will use to access Entra ID. WARNING: The output of
az ad sp create-for-rbac contains credentials that you must protect - Make sure to handle with appropriate care.
This example uses bash - The commands for CMD and PowerShell are similar.az ad sp create-for-rbac --name CloudQuerySP
You can choose any name you'd like for your service-principal,CloudQuerySPis an example. If the service principal doesn't exist it will create a new one, otherwise it will update the existing one
The output of az ad sp create-for-rbac should look like this:
{
"appId": "YOUR AZURE_CLIENT_ID",
"displayName": "CloudQuerySP",
"password": "YOUR AZURE_CLIENT_SECRET",
"tenant": "YOUR AZURE_TENANT_ID"
}
Exporting environment variables #
Next, you need to export the environment variables that the plugin will use to sync Entra ID resources.
Copy them from the output of
az ad sp create-for-rbac.
The example shows how to export environment variables for Linux - exporting for CMD and PowerShell is similar.AZURE_TENANT_IDistenantin the JSON.AZURE_CLIENT_IDisappIdin the JSON.AZURE_CLIENT_SECRETispasswordin the JSON.
export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>
Adding permissions to the service principal #
The Microsoft Graph API requires the service principal to have specific permissions to access the data.
We can cover most tables in the plugin with the
Global Reader role, but some tables require additional roles.
Below is a list of permissions required for each table (some permissions cover more than one table).To add the permissions open the Azure portal, search for
Microsoft Entra ID and click the Microsoft Entra ID service to open the overview page.
Then, click on Roles and administrators as shown in the image below.
Under
Roles and administrators, search for the Global Reader role and click on it.
Under the
Global Reader role, under the Manage->Assignments sidebar location, click on Add assignments.
Under
Add assignments, click no members selected to open a search box for members.
Search for the service principal you created earlier and click on it.
Approve the next screens to finalize the assignment.
To add specific permissions open
App registrations from the Microsoft Entra ID overview page and click on the service principal you created earlier.
Under
manage->API permissions click on Add a permission.
Chose
Microsoft Graph.
Then click on
Application permissions.
Search for the permission you need to add, for example
AuditLog.Read.All, select it and click on Add permissions.
Repeat the process for all permissions required by the tables you want to sync.
After adding all permissions, click on
Grant admin consent for <your tenant> to finalize the process.
After granting the permissions, you should see a message like the one below.
That is it! You have successfully added the required permissions to the service principal.
Configuration #
This example syncs from Entra ID to a PostgreSQL database destination. The (top level) source spec section is described in the Source Spec Reference.
kind: source
# Common source-plugin configuration
spec:
name: entraid
path: cloudquery/entraid
registry: cloudquery
version: "v3.3.0"
tables: ["*"]
destinations: ["postgresql"]
# Entra ID specific configuration
# Learn more about the configuration options at https://cql.ink/entraid_source
spec:
# Optional parameters
# concurrency: 50000
Entra ID Spec #
concurrency(integer) (optional) (default:50000)A best effort maximum number of Go routines to use. Lower this number to reduce memory usage.scheduler(string) (optional) (default:dfs)The scheduler to use when determining the priority of resources to sync. Supported values aredfs(depth-first search),round-robin,shuffleandshuffle-queue.For more information about this, see performance tuning.table_options(Table Options spec) (optional)Options to apply to specific tables. See [Table Options](#Table Options) for more information.
Entra ID Table Options Spec #
entraid_groupsfilter(string) (optional)filterrepresents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter groups by name, you can use the following filter query:startswith(displayName, 'CloudQuery'). For more information on filter queries, see the Microsoft Graph documentation.
entraid_auditlogs_signinsfilter(string) (optional)filterrepresents a filter query to apply when syncing the table. The value is passed directly to the Microsoft Graph API. For example, to filter sign-ins by date range, you can use the following filter query:createdDateTime ge 2025-01-20T00:00:00Z and createdDateTime le 2025-01-25T23:59:59Z. For more information on filter queries, see the Microsoft Graph documentation.
entraid_usersinclude_signin_activity(boolean) (optional) (default:false)Iftrue, thesignInActivityfield will be included in the sync. Please note this requires a Microsoft Entra ID P1 or P2 license, theAuditLog.Read.Allpermission and reduces the max page size to120resulting in a potentially slower sync.
Incremental syncing #
The Entra ID plugin support incremental syncing via MS Graph API delta queries.
The following tables support incremental syncing:
entraid_applicationsusing https://learn.microsoft.com/en-us/graph/api/application-deltaentraid_directoryrolesusing https://learn.microsoft.com/en-us/graph/api/directoryrole-deltaentraid_groupsusing https://learn.microsoft.com/en-us/graph/api/group-deltaentraid_serviceprincipalsusing https://learn.microsoft.com/en-us/graph/api/serviceprincipal-deltaentraid_usersusing https://learn.microsoft.com/en-us/graph/api/user-delta
To enable incremental syncing for the above tables, set the
backend_options configuration as shown in the example below. This is documented in the Managing Incremental Tables section.kind: source
spec:
name: "entraid"
path: "cloudquery/entraid"
version: "v3.3.0"
destinations: ["postgresql"]
tables: ["entraid_applications", "entraid_directoryroles", "entraid_groups", "entraid_serviceprincipals", "entraid_users"]
backend_options:
table_name: "cq_state_entraid"
connection: "@@plugins.postgresql.connection"
---
kind: destination
spec:
name: "postgresql"
path: "cloudquery/postgresql"
version: "v8.8.10"
spec:
connection_string: "postgresql://postgres:pass@localhost:5432/postgres?sslmode=disable"