azure-ad
Premium

Azure AD

This plugin is in preview.

The CloudQuery Azure AD source plugin extracts Azure information regarding object/user/tenant relationships (i.e. Azure AD or Microsoft Entra ID) and loads it into any supported CloudQuery destination.

Publisher

year-of-the-nimbus

Latest version

v1.0.3

Type

Source

Price

Free while in preview

Set up process

  1. Download the CLI and log in (see installation options), for example with Homebrew:

brew install cloudquery/tap/cloudquery

  2. Create the source and destination configs (see Plugin configuration below).

  3. Run the sync:

cloudquery sync azure-ad.yml postgresql.yml


Overview

Azure AD Source Plugin

The CloudQuery Azure AD source plugin extracts Azure information regarding object/user/tenant relationships (i.e. Azure AD or Microsoft Entra ID) and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Authentication

Authentication with Environment Variables

You will need to create a service principal for the plugin to use.

Creating a service principal

First, install the Azure CLI (az). Then log in with it:

az login

Then create the service principal the plugin will use to access your tenant. WARNING: the output of az ad sp create-for-rbac contains credentials that you must protect; handle it with appropriate care (do not paste it into tickets or chat, and remember that it lands in your terminal scrollback). This example uses bash; the commands for CMD and PowerShell are similar.

export SUBSCRIPTION_ID=<YOUR_SUBSCRIPTION_ID>
az account set --subscription $SUBSCRIPTION_ID
az provider register --namespace 'Microsoft.Security'

# Create a service-principal for the plugin
az ad sp create-for-rbac --name cloudquery-sp --scopes /subscriptions/$SUBSCRIPTION_ID --role Reader

You can, of course, choose any name you like for the service principal; cloudquery-sp is just an example. If no service principal with that name exists, one is created; otherwise the existing one is updated and a new credential is issued. Note that the Reader role assigned here is an Azure RBAC role scoped to the subscription: it does not grant access to directory data. Reading Azure AD objects requires the Microsoft Graph application permissions granted in the next section.

The output of az ad sp create-for-rbac should look like this:

{
  "appId": "YOUR AZURE_CLIENT_ID",
  "displayName": "cloudquery-sp",
  "password": "YOUR AZURE_CLIENT_SECRET",
  "tenant": "YOUR AZURE_TENANT_ID"
}

Exporting environment variables

Next, export the environment variables the plugin will use to sync your directory. Copy them from the output of az ad sp create-for-rbac (or take the opportunity to show off your jq-fu). The example shows how to export environment variables on Linux; exporting in CMD and PowerShell is similar.
  • AZURE_TENANT_ID is tenant in the JSON.
  • AZURE_CLIENT_ID is appId in the JSON.
  • AZURE_CLIENT_SECRET is password in the JSON.

export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>

Granting AD Permissions

The service principal must be able to read the directory at a global level and must hold application permissions on the Microsoft Graph API. Both are separate from the subscription-level Reader role assigned above.

Granting Global Read Access
  1. In the Azure portal, open Microsoft Entra ID (formerly Azure AD).
  2. Go to "Roles and administrators" and add your service principal to the "Global Reader" role.
    • The service principal may not appear in the member picker at first; entering its display name explicitly should resolve this.

Granting API Permissions
  1. This part can be tedious, depending on how many tables you use. It can be done either through the portal or with the az CLI; unless you already have automation in place, the portal is the faster method.
  2. Open the service principal's application (its app registration) in the portal. You can search for the name directly or for the application ID. The search results will show both the application and the service principal; you want the application.
  3. Press "Add a permission" and choose Microsoft Graph.
  4. Select "Application permissions".
  5. Tick the permissions you need. If you plan on using every table you will want the full list; if you plan on using one or two, the permission names are accurate to what they allow:
  • AccessReview.Read.All
  • Application.Read.All
  • AppRoleAssignment.ReadWrite.All
  • AttackSimulation.Read.All
  • AuditLog.Read.All
  • Device.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices.Read.All
  • Directory.Read.All
  • Domain.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • IdentityProvider.Read.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyServicePrincipal.Read.All
  • IdentityRiskyUser.Read.All
  • IdentityUserFlow.Read.All
  • LicenseAssignment.ReadWrite.All
  • Member.Read.Hidden
  • MultiTenantOrganization.Read.All
  • NetworkAccess.Read.All
  • NetworkAccessPolicy.Read.All
  • Organization.Read.All
  • People.Read.All
  • Policy.Read.All
  • Policy.Read.IdentityProtection
  • PrivilegedAccess.Read.AzureAD
  • PrivilegedAccess.Read.AzureADGroup
  • PrivilegedAccess.Read.AzureResources
  • RoleManagement.Read.All
  • User.Read.All
  6. Once all permissions are added, press "Grant admin consent for ..." (the button is labelled with your tenant's name, e.g. "Default Directory"). Application permissions have no effect until an administrator consents to them.

Two entries in the list, AppRoleAssignment.ReadWrite.All and LicenseAssignment.ReadWrite.All, grant write access rather than read-only access; check that the tables you sync actually need them before consenting. Combined with Global Reader, this service principal's secret can read most of your tenant, so store it in a secret manager rather than a shell profile and rotate it like any other privileged credential.

At this point, you should be ready to sync!
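The two procedures above (creating the service principal and exporting its credentials, then assigning Global Reader and granting the Microsoft Graph application permissions) can be scripted end to end. The script below is an added example, not CloudQuery's or the plugin author's code. It assumes the Azure CLI (az) is installed and that az login was run as a user who may create app registrations, assign directory roles and grant admin consent; the Microsoft Graph application ID and the Global Reader role template ID are well-known, tenant-independent constants, and the function names are this example's own. Instead of copying the JSON by hand it asks az for the three values directly, writes them to a file readable only by the current user, and resolves each permission name to the appRole ID that az ad app permission add requires.

```shell
#!/bin/sh
# Added example (not CloudQuery's or the plugin author's code). Automates:
# service-principal creation, saving its credentials, the Global Reader role
# assignment and the Microsoft Graph application permissions plus admin consent.
# Assumes `az` is installed and `az login` was run as a sufficiently privileged user.
set -eu

# Well-known, tenant-independent IDs: the Microsoft Graph resource application
# and the role template of the built-in Global Reader directory role.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
GLOBAL_READER_TEMPLATE_ID="f2ef992c-3afb-46b9-b7cf-a126ee74c451"

# The application permissions listed on this page. Trim to the tables you sync.
GRAPH_APP_ROLES="AccessReview.Read.All Application.Read.All AppRoleAssignment.ReadWrite.All
AttackSimulation.Read.All AuditLog.Read.All Device.Read.All
DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All
Directory.Read.All Domain.Read.All Group.Read.All GroupMember.Read.All
IdentityProvider.Read.All IdentityRiskEvent.Read.All IdentityRiskyServicePrincipal.Read.All
IdentityRiskyUser.Read.All IdentityUserFlow.Read.All LicenseAssignment.ReadWrite.All
Member.Read.Hidden MultiTenantOrganization.Read.All NetworkAccess.Read.All
NetworkAccessPolicy.Read.All Organization.Read.All People.Read.All Policy.Read.All
Policy.Read.IdentityProtection PrivilegedAccess.Read.AzureAD PrivilegedAccess.Read.AzureADGroup
PrivilegedAccess.Read.AzureResources RoleManagement.Read.All User.Read.All"

# create_sp NAME SUBSCRIPTION_ID
# Creates (or refreshes) the service principal and prints tenant, appId and
# password as one tab-separated line, so nobody has to copy the JSON by hand.
create_sp() {
  az ad sp create-for-rbac --name "$1" --scopes "/subscriptions/$2" --role Reader \
    --query '[tenant, appId, password]' -o tsv
}

# write_env_file PATH TENANT CLIENT_ID SECRET
# Writes the three variables the plugin reads to a file only the owner can read.
write_env_file() {
  rm -f "$1"   # never inherit the mode of an older, possibly world-readable file
  ( umask 077
    printf "export AZURE_TENANT_ID='%s'\nexport AZURE_CLIENT_ID='%s'\nexport AZURE_CLIENT_SECRET='%s'\n" \
      "$2" "$3" "$4" > "$1" )
}

# assign_global_reader APP_ID
# Tenant-scoped ("/") Global Reader assignment, what the portal's "Roles and
# administrators" page does. The assignment needs the principal's object id,
# and a freshly created principal can take a few seconds to become visible.
assign_global_reader() {
  sp_object_id=""
  for _ in 1 2 3 4 5; do
    sp_object_id=$(az ad sp show --id "$1" --query id -o tsv 2>/dev/null || true)
    if [ -n "$sp_object_id" ]; then break; fi
    sleep 5
  done
  [ -n "$sp_object_id" ] || { echo "service principal $1 not found" >&2; return 1; }
  az rest --method post \
    --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
    --body "{\"principalId\":\"$sp_object_id\",\"roleDefinitionId\":\"$GLOBAL_READER_TEMPLATE_ID\",\"directoryScopeId\":\"/\"}"
}

# graph_role_id PERMISSION
# Resolves a name such as User.Read.All to the appRole id that
# `az ad app permission add` expects, read from Graph's own service principal.
graph_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

# grant_graph_app_roles APP_ID PERMISSION...
# Adds each application permission (type Role) to the app registration, then
# grants tenant-wide admin consent once; without consent the roles are inert.
grant_graph_app_roles() {
  app_id=$1; shift
  for role in "$@"; do
    role_id=$(graph_role_id "$role")
    [ -n "$role_id" ] || { echo "unknown Microsoft Graph permission: $role" >&2; return 1; }
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions "$role_id=Role"
  done
  az ad app permission admin-consent --id "$app_id"
}

# setup_cloudquery_sp NAME SUBSCRIPTION_ID ENV_FILE
setup_cloudquery_sp() {
  creds=$(create_sp "$1" "$2")
  tenant=$(printf '%s\n' "$creds" | cut -f1)
  client_id=$(printf '%s\n' "$creds" | cut -f2)
  secret=$(printf '%s\n' "$creds" | cut -f3)
  write_env_file "$3" "$tenant" "$client_id" "$secret"
  assign_global_reader "$client_id"
  grant_graph_app_roles "$client_id" $GRAPH_APP_ROLES
  echo "credentials written to $3; load them with: . $3"
}

# Usage: sh setup_cloudquery_sp.sh <SUBSCRIPTION_ID> [SP_NAME] [ENV_FILE]
if [ $# -ge 1 ]; then
  setup_cloudquery_sp "${2:-cloudquery-sp}" "$1" "${3:-./cloudquery-azure-ad.env}"
fi
```

After it finishes, source the file (. ./cloudquery-azure-ad.env) in the shell that runs cloudquery sync, and delete it once the secret lives in a proper secret store. The permission list is resolved against Microsoft Graph's own manifest at run time, so a typo in a permission name stops the script with an error instead of silently consenting to the wrong set.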


Configuration

CloudQuery Azure AD Source Plugin Configuration Reference

Example

This example connects the Azure AD of your Service Principal's tenant to a single destination. The (top level) source spec section is described in the Source Spec Reference.
kind: source
spec:
  # Source spec section
  name: "azure-ad"
  path: "year-of-the-nimbus/azure-ad"
  registry: "cloudquery"
  version: "v1.0.3"
  destinations: ["postgresql"]
  tables: ["azure_ad_users"]
  spec:
    # Optional parameters
    # concurrency: 50000

Azure AD Spec

This is the (nested) spec used by the Azure AD source plugin.
  • concurrency (int) (default: 50000):
    The best effort maximum number of Go routines to use. Lower this number to reduce memory usage.