# Microsoft Azure AD

Veza discovers Authorization metadata for Azure Active Directory, including roles, groups, users, and service principals, for any Microsoft Azure tenant [integrated with Veza](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md).

{% hint style="info" %}
**Native Identity Mapping**: If you also have Active Directory integrated, Veza automatically creates identity relationships between Azure AD users/groups and Active Directory users/groups when the Azure AD entity has the `onPremisesSyncEnabled` flag. Custom identity mapping is only needed for connecting to other systems. See [Custom Identity Mappings](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md#native-vs-custom-identity-mappings) for details.
{% endhint %}

Enabling this integration can help:

* Identify privileged access paths, including time-bound and just-in-time assignments
* Track group-based inheritance of privileged roles
* Conduct access reviews of direct and group-based assignments

If your organization only utilizes Azure AD, and doesn't require Veza discovery of entities such as storage resources, virtual machines, or SQL databases, you can disable those services and data sources when editing or adding an Azure integration.

#### Custom Security Attributes

Veza can optionally gather and show [custom security attributes](https://learn.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview) on Azure AD objects. To enable this, the Enterprise Application used by Veza to connect must have the `CustomSecAttributeAssignment.Read.All` Microsoft Graph permission. Attributes to gather must be specified in the Azure integration configuration.

### Privileged Identity Management (PIM)

Microsoft Entra Privileged Identity Management (PIM) is a service for managing and monitoring access to important resources within an organization. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions.

To support PIM discovery, the Veza Enterprise Application in Azure AD requires the following Microsoft Graph API permissions:

* `RoleManagement.Read.All`
* `PrivilegedAccess.Read.AzureAD`
* `Group.Read.All`

When available, Veza can provide visibility into both direct assignments and group-based assignments:

* **PIM for Roles**: Just-in-time access to Azure AD administrative roles
* **PIM for Groups**: Just-in-time membership and ownership of security groups or Microsoft 365 groups

#### PIM Assignment Types and Status

In Azure PIM, assignments can be either **active** (direct access without activation) or **eligible** (requiring activation when needed). Veza distinguishes between these statuses in the Access Graph:

* **Eligible assignments** appear with an `Azure AD Role Eligibility Schedule` node between the user and role
* **Active assignments** (including activated PIM assignments) appear as direct connections without the eligibility schedule node

Understanding this distinction can help identify both current access and potential future access.

#### Access Graph Representation

Veza represents different PIM assignment types in the Access Graph with paths between graph nodes:

1. User assigned (Active) to Role: `Azure AD User → Azure AD Role`

   ![User assigned Active to Role](/files/UGH7iAUS3EspRmynFkCu)
2. User assigned (Active) to Role via Group: `Azure AD User → Azure AD Group → Azure AD Role`

   ![User assigned Active to Role via Group](/files/vUHsyEjBhDv6gLlqbWti)
3. User Eligible for a Role: `Azure AD User → Azure AD Role Eligibility Schedule → Azure AD Role`

   ![User Eligible for a Role](/files/WuqYgBSbHAZMPJv4p8JI)
4. User Eligible for a Role via Group: `Azure AD User → Azure AD Group → Azure AD Role Eligibility Schedule → Azure AD Role`

   ![User Eligible for a Role via Group](/files/8pjXLC3cys5B2FWJbMSx)
5. User with Activated Eligible Assignment: `Azure AD User → Azure AD Role` (temporarily present during activation period)
6. User with Activated Eligible Assignment via Group: `Azure AD User → Azure AD Group → Azure AD Role` (temporarily present during activation period)

> **Important:** These intermediate entities (Azure AD Role Eligibility Schedule nodes) are filtered out in Effective query mode. To view, search, or create access reviews that include PIM eligibility schedules, you must use [System Query Mode](/4yItIzMvkpAvMVFAamTf/features/search/query-mode.md).

When evaluating PIM eligibility, the following conditions apply:

* Only assignments that have started (past their start date) and have not expired are shown in the graph
* Future assignments and expired assignments are not displayed
* When a user activates an eligible assignment, Microsoft creates a temporary active assignment (typically for up to 8 hours). Veza represents this as a direct connection, assuming data source extraction and parsing runs after activation and before expiration.
* Groups cannot activate themselves; only individual members of a group can activate their eligible assignments
* Permanent assignments (with no end date) are shown as active assignments
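The six graph paths above and the five eligibility conditions can be checked against a small model. The following Python is an added illustration written for this page, not Veza code and not a Microsoft Graph client: `Schedule`, `paths`, `activate` and the sample tenant state are hypothetical, and the records are only loosely shaped like Graph role eligibility and role assignment schedules. It shows which user-to-role paths exist at a given extraction time, why future and expired assignments are absent, and how a member activating an eligible assignment (directly or through a group) produces a temporary direct connection that disappears again after the activation window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Label of the intermediate node this page describes for eligible assignments.
SCHEDULE_NODE = "Azure AD Role Eligibility Schedule"


@dataclass(frozen=True)
class Schedule:
    """One PIM schedule (hypothetical, simplified shape)."""
    principal_id: str
    principal_type: str              # "user" or "group"
    role: str
    kind: str                        # "eligible" or "active"
    start: datetime
    end: Optional[datetime]          # None means permanent (no end date)
    via_group: Optional[str] = None  # set on activations that came through a group


def is_current(s: Schedule, now: datetime) -> bool:
    """Page rule: shown only if the assignment has started and has not expired."""
    return s.start <= now and (s.end is None or now < s.end)


def _path(user: str, group: Optional[str], kind: str, role: str) -> Tuple[str, ...]:
    nodes = [f"User:{user}"]
    if group:
        nodes.append(f"Group:{group}")
    if kind == "eligible":
        nodes.append(SCHEDULE_NODE)   # eligibility gets the intermediate node
    nodes.append(f"Role:{role}")
    return tuple(nodes)


def paths(schedules, group_members, now):
    """All user-to-role paths present in the graph at extraction time `now`."""
    result = set()
    for s in schedules:
        if not is_current(s, now):
            continue                  # future or expired: not displayed
        if s.principal_type == "user":
            result.add(_path(s.principal_id, s.via_group, s.kind, s.role))
        else:                         # group principal: fan out to its members
            for member in group_members.get(s.principal_id, ()):
                result.add(_path(member, s.principal_id, s.kind, s.role))
    return sorted(result)


def activate(schedules, group_members, user_id, role, now, hours=8):
    """Model a member activating an eligible assignment: a temporary active
    assignment (default 8 hours) is added. Groups never activate; only a user
    who is eligible directly or through group membership can."""
    for s in schedules:
        if s.kind != "eligible" or s.role != role or not is_current(s, now):
            continue
        if s.principal_type == "user" and s.principal_id == user_id:
            via = None
        elif s.principal_type == "group" and user_id in group_members.get(s.principal_id, ()):
            via = s.principal_id
        else:
            continue
        temp = Schedule(user_id, "user", role, "active", now, now + timedelta(hours=hours), via)
        return list(schedules) + [temp]
    raise ValueError(f"{user_id} has no current eligibility for {role}")


# Constructed sample tenant state (not real data).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
GROUP_MEMBERS = {"grp-sec-admins": ["alice", "bob"]}
SAMPLE = [
    Schedule("alice", "user", "Global Administrator", "eligible", NOW - timedelta(days=30), None),
    Schedule("grp-sec-admins", "group", "Security Administrator", "eligible",
             NOW - timedelta(days=1), NOW + timedelta(days=365)),
    Schedule("carol", "user", "User Administrator", "active", NOW - timedelta(days=10), None),  # permanent
    Schedule("dave", "user", "Global Administrator", "eligible", NOW + timedelta(days=1), None),  # future
    Schedule("erin", "user", "Global Administrator", "active",
             NOW - timedelta(days=2), NOW - timedelta(days=1)),  # expired
]


def hours_from_now(h):
    """Extraction time `h` hours after NOW (helper for the demo and checks)."""
    return NOW + timedelta(hours=h)


if __name__ == "__main__":
    for p in paths(SAMPLE, GROUP_MEMBERS, NOW):
        print(" -> ".join(p))
    after = activate(SAMPLE, GROUP_MEMBERS, "alice", "Global Administrator", NOW)
    print("direct path 1h after activation:",
          ("User:alice", "Role:Global Administrator") in paths(after, GROUP_MEMBERS, hours_from_now(1)))
    print("direct path 9h after activation:",
          ("User:alice", "Role:Global Administrator") in paths(after, GROUP_MEMBERS, hours_from_now(9)))
```

Note that an activated eligibility does not remove the eligibility path; both the `Azure AD Role Eligibility Schedule` path and the temporary direct path coexist until the activation expires, which is why a review run in Effective query mode (where the schedule node is filtered out) sees only the direct path while it lasts.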

### Supported Entities and Attributes

Veza discovers and maps Azure AD (Entra ID) entities and their relationships to enable queries based on attributes and relationships in your identity environment.

The integration standardizes Application and Directory role permissions to effective create, read, update, and delete actions, and detects the following relationships between entities:

* User and group membership, including nested groups
* Service principal assignments to roles and resources
* Role eligibility and assignments
* Group ownership and management
* Conditional access policy application to users and groups
* Cross-cloud identity relationships with systems like AWS, GCP, Kubernetes, and databases
* Federation and trust relationships with external identity providers

See below for all supported entities and attributes.

#### Azure AD User

Represents a user identity in Microsoft Entra ID (formerly Azure AD). User objects store authentication and profile information for organizational members, guests, and external identities. Users can sign into Microsoft Entra ID, access protected resources, and be assigned to groups, roles, and applications.

**Entity Type Group:** IDP\_USER

| Attribute                                                      | Type         | Required | Description                                                                                             |
| -------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------- |
| `account_enabled`                                              | BOOLEAN      | Optional | Whether the user account is enabled                                                                     |
| `azure_tenant_id`                                              | STRING       | Required | The Azure tenant ID associated with the user                                                            |
| `country_or_region`                                            | STRING       | Optional | User's country or region                                                                                |
| `created_at`                                                   | TIMESTAMP    | Optional | When the user was created                                                                               |
| `datasource_id`                                                | STRING       | Optional | ID of the data source                                                                                   |
| `default_mfa_method`                                           | STRING       | Optional | User's default multi-factor authentication method                                                       |
| `deleted_at`                                                   | TIMESTAMP    | Optional | When the user was deleted, if applicable                                                                |
| `department`                                                   | STRING       | Optional | User's department                                                                                       |
| `email`                                                        | STRING       | Optional | User's primary email address                                                                            |
| `employee_id`                                                  | STRING       | Optional | User's employee ID                                                                                      |
| `employee_type`                                                | STRING       | Optional | Type of employee (e.g., contractor, full-time)                                                          |
| `external_user_state`                                          | STRING       | Optional | State of external user if applicable                                                                    |
| `first_name`                                                   | STRING       | Optional | User's first name                                                                                       |
| `full_admin`                                                   | BOOLEAN      | Optional | Whether the user has full administrative privileges                                                     |
| `guest`                                                        | BOOLEAN      | Optional | Whether the user is a guest account                                                                     |
| `id`                                                           | STRING       | Required | Unique identifier for the user                                                                          |
| `identity_type`                                                | STRING       | Required | Type of identity                                                                                        |
| `idp_unique_id`                                                | STRING       | Required | Unique identifier from the identity provider                                                            |
| `is_active`                                                    | BOOLEAN      | Required | A boolean value calculated by Veza. See [User Active Status](#azure-ad-user-active-status) for details. |
| `is_admin`                                                     | BOOLEAN      | Optional | Whether the user has administrative privileges                                                          |
| `is_licensed`                                                  | BOOLEAN      | Optional | Whether the user has any licenses assigned                                                              |
| `is_mfa_capable`                                               | BOOLEAN      | Optional | Whether the user can use MFA for sign-in                                                                |
| `is_mfa_registered`                                            | BOOLEAN      | Optional | Whether the user has registered for MFA                                                                 |
| `is_passwordless_capable`                                      | BOOLEAN      | Optional | Whether the user can use passwordless authentication                                                    |
| `is_sspr_capable`                                              | BOOLEAN      | Optional | Whether self-service password reset is available for the user                                           |
| `is_sspr_enabled`                                              | BOOLEAN      | Optional | Whether SSPR is enabled for the user                                                                    |
| `is_sspr_registered`                                           | BOOLEAN      | Optional | Whether the user has registered for SSPR                                                                |
| `is_system_preferred_authentication_method_enabled`            | BOOLEAN      | Optional | Whether system-preferred authentication is enabled                                                      |
| `job_title`                                                    | STRING       | Optional | User's role or job title                                                                                |
| `last_login_at`                                                | TIMESTAMP    | Optional | When the user last logged in                                                                            |
| `last_name`                                                    | STRING       | Optional | User's last name                                                                                        |
| `last_successful_login_at`                                     | TIMESTAMP    | Optional | When the user last successfully logged in                                                               |
| `licenses`                                                     | STRING\_LIST | Optional | List of licenses assigned to the user                                                                   |
| `mail_nickname`                                                | STRING       | Optional | User's mail nickname                                                                                    |
| `manager`                                                      | STRING       | Optional | The user's manager                                                                                      |
| `manager_id`                                                   | STRING       | Optional | ID of the user's manager                                                                                |
| `manager_principal_name`                                       | STRING       | Optional | Principal name of the user's manager                                                                    |
| `methods_registered`                                           | STRING\_LIST | Optional | Authentication methods registered by the user                                                           |
| `name`                                                         | STRING       | Required | Display name of the user                                                                                |
| `nickname`                                                     | STRING       | Optional | User's nickname                                                                                         |
| `office`                                                       | STRING       | Optional | User's office location                                                                                  |
| `on_premises_distinguished_name`                               | STRING       | Optional | Distinguished name from on-premises AD                                                                  |
| `on_premises_sam_account_name`                                 | STRING       | Optional | SAM account name from on-premises AD                                                                    |
| `on_premises_sync`                                             | BOOLEAN      | Required | Whether the user is synchronized from on-premises AD                                                    |
| `on_premises_user_principal_name`                              | STRING       | Optional | UPN from on-premises AD                                                                                 |
| `other_mails`                                                  | STRING\_LIST | Optional | Additional email addresses                                                                              |
| `owners`                                                       | STRING       | Optional | List of user owners                                                                                     |
| `password_policies`                                            | STRING\_LIST | Required | Password policies applied to the user                                                                   |
| `password_profile_force_change_password_next_sign_in`          | BOOLEAN      | Optional | Whether password change is required at next sign-in                                                     |
| `password_profile_force_change_password_next_sign_in_with_mfa` | BOOLEAN      | Optional | Whether password change with MFA is required at next sign-in                                            |
| `principal_name`                                               | STRING       | Required | User principal name (UPN)                                                                               |
| `provider_id`                                                  | STRING       | Optional | ID of the identity provider                                                                             |
| `risk_score`                                                   | NUMBER       | Optional | Risk score assigned to the user                                                                         |
| `street_address`                                               | STRING       | Optional | User's street address                                                                                   |
| `system_preferred_authentication_methods`                      | STRING\_LIST | Optional | System-preferred authentication methods                                                                 |
| `usage_location`                                               | STRING       | Optional | User's usage location for licensing                                                                     |
| `user_preferred_method_for_secondary_authentication`           | STRING       | Optional | User's preferred secondary authentication method                                                        |
| `user_type`                                                    | STRING       | Optional | Type of user (Member, Guest, etc.)                                                                      |

#### Azure AD User Active Status

The `Is Active` property for an Azure AD user is determined by the `account_enabled` attribute. If `account_enabled` is `true`, then `Is Active` will be `true`. If `account_enabled` is `false`, then `Is Active` will be `false`.

#### Azure AD Group

Represents a collection of users in Microsoft Entra ID used for assigning access rights and permissions. Groups can be security groups (used to manage access to shared resources) or Microsoft 365 groups (providing collaboration opportunities), with support for dynamic membership rules and nested groups.

**Entity Type Group:** IDP\_GROUP

| Attribute                         | Type         | Required | Description                                               |
| --------------------------------- | ------------ | -------- | --------------------------------------------------------- |
| `allow_external_senders`          | BOOLEAN      | Optional | Whether external senders can send to this group           |
| `azure_tenant_id`                 | STRING       | Required | The Azure tenant ID associated with the group             |
| `classification`                  | STRING       | Optional | Sensitivity classification of the group                   |
| `created_at`                      | TIMESTAMP    | Optional | When the group was created                                |
| `datasource_id`                   | STRING       | Optional | ID of the data source                                     |
| `deleted_at`                      | TIMESTAMP    | Optional | When the group was deleted, if applicable                 |
| `description`                     | STRING       | Optional | Description of the group                                  |
| `expires_at`                      | TIMESTAMP    | Optional | When the group expires, if applicable                     |
| `group_types`                     | STRING\_LIST | Optional | Types of the group (e.g., "Unified" for M365 groups)      |
| `has_member_with_license_errors`  | BOOLEAN      | Optional | Whether any members have license errors                   |
| `hide_from_address_lists`         | BOOLEAN      | Optional | Whether the group is hidden from address lists            |
| `hide_from_outlook_clients`       | BOOLEAN      | Optional | Whether the group is hidden from Outlook clients          |
| `hierarchical_in_cycle`           | BOOLEAN      | Optional | Whether the group is part of a circular reference         |
| `hierarchical_level`              | NUMBER       | Required | Depth in the nested group hierarchy                       |
| `id`                              | STRING       | Required | Unique identifier for the group                           |
| `idp_unique_id`                   | STRING       | Required | Unique identifier from the identity provider              |
| `is_assignable_to_role`           | BOOLEAN      | Optional | Whether the group can be assigned to roles                |
| `is_owner_group`                  | BOOLEAN      | Optional | Whether the group is used for ownership assignments       |
| `is_security_group`               | BOOLEAN      | Optional | Whether the group is a security group                     |
| `mail_enabled`                    | BOOLEAN      | Optional | Whether the group can receive emails                      |
| `managed_by`                      | STRING\_LIST | Optional | List of entities that manage this group                   |
| `name`                            | STRING       | Required | Display name of the group                                 |
| `on_premises_distinguished_name`  | STRING       | Optional | Distinguished name from on-premises AD                    |
| `on_premises_last_sync_date_time` | TIMESTAMP    | Optional | Last synchronization time from on-premises AD             |
| `on_premises_sam_account_name`    | STRING       | Optional | SAM account name from on-premises AD                      |
| `on_premises_sync`                | BOOLEAN      | Required | Whether the group is synchronized from on-premises AD     |
| `owners`                          | STRING       | Optional | List of group owners                                      |
| `preffered_data_location`         | STRING       | Optional | Preferred data location for the group                     |
| `preffered_language`              | STRING       | Optional | Preferred language for the group                          |
| `principal_name`                  | STRING       | Required | Principal name of the group                               |
| `provider_id`                     | STRING       | Optional | ID of the identity provider                               |
| `renewed_at`                      | TIMESTAMP    | Optional | When the group was last renewed                           |
| `risk_score`                      | NUMBER       | Optional | Risk score assigned to the group                          |
| `visibility`                      | STRING       | Optional | Visibility setting (Public, Private, or HiddenMembership) |

> **Note:** Some group attributes are only collected when specific configuration options are enabled during Azure integration setup:
>
> * `allow_external_senders`, `hide_from_address_lists`, and `hide_from_outlook_clients` require the "Gather Group Extra Information" option
> * `owners` requires the "Gather Group Owner Details" option
>
> These options require additional API calls that can significantly increase extraction time. See the [Azure integration setup guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md#limit-services) for configuration details and performance considerations.

#### Azure AD Role

Represents administrative roles within Microsoft Entra ID that define permissions for managing tenant resources. Roles can be built-in (predefined by Microsoft) or custom roles created by administrators, and are assigned to users, groups, or service principals to delegate identity management tasks.

**Entity Type Group:** ROLE

| Attribute         | Type         | Required | Description                                   |
| ----------------- | ------------ | -------- | --------------------------------------------- |
| `azure_tenant_id` | STRING       | Required | The Azure tenant ID associated with the role  |
| `builtin`         | BOOLEAN      | Optional | Whether the role is a built-in Microsoft role |
| `datasource_id`   | STRING       | Optional | ID of the data source                         |
| `description`     | STRING       | Optional | Description of the role                       |
| `enabled`         | BOOLEAN      | Optional | Whether the role is currently enabled         |
| `id`              | STRING       | Required | Unique identifier for the role                |
| `is_privileged`   | BOOLEAN      | Optional | Whether the role grants privileged access     |
| `name`            | STRING       | Required | Display name of the role                      |
| `owners`          | STRING       | Optional | List of role owners                           |
| `permissions`     | STRING\_LIST | Optional | List of permissions granted by the role       |
| `provider_id`     | STRING       | Optional | ID of the identity provider                   |
| `risk_score`      | NUMBER       | Optional | Risk score assigned to the role               |

#### Azure AD Enterprise Application

Represents a service principal in Microsoft Entra ID, which is the local representation of an application in a specific tenant. Service principals define what an application can do within your tenant, including what resources it can access and what authentication methods it uses. They serve as the security identity for applications accessing resources secured by Microsoft Entra ID.

**Entity Type Group:** SERVICE\_ACCOUNT

| Attribute                            | Type         | Required | Description                                           |
| ------------------------------------ | ------------ | -------- | ----------------------------------------------------- |
| `app_role_assignment_required`       | BOOLEAN      | Optional | Whether users need explicit assignment to use the app |
| `application_id`                     | STRING       | Required | Unique application identifier                         |
| `application_owners`                 | STRING\_LIST | Optional | List of users/groups designated as application owners |
| `application_template`               | STRING       | Required | Template used to create the application               |
| `application_template_id`            | STRING       | Optional | ID of the template used to create the application     |
| `application_type`                   | STRING       | Optional | Type of application                                   |
| `azure_tenant_id`                    | STRING       | Required | The Azure tenant ID associated with the application   |
| `datasource_id`                      | STRING       | Optional | ID of the data source                                 |
| `domain_service_now`                 | STRING       | Optional | ServiceNow domain if applicable                       |
| `enabled`                            | BOOLEAN      | Optional | Whether the service principal is enabled              |
| `github_enterprise_cloud_enterprise` | STRING       | Optional | GitHub Enterprise Cloud organization if applicable    |
| `github_enterprise_server_domain`    | STRING       | Optional | GitHub Enterprise Server domain if applicable         |
| `id`                                 | STRING       | Required | Unique identifier for the service principal           |
| `identity_type`                      | STRING       | Required | Type of identity                                      |
| `is_active`                          | BOOLEAN      | Required | Whether the service principal is active               |
| `name`                               | STRING       | Required | Display name of the service principal                 |
| `owners`                             | STRING       | Optional | List of service principal owners                      |
| `permissions`                        | STRING\_LIST | Optional | List of permissions granted to the application        |
| `provider_id`                        | STRING       | Optional | ID of the identity provider                           |
| `risk_score`                         | NUMBER       | Optional | Risk score assigned to the service principal          |
| `snowflake_domain`                   | STRING       | Optional | Snowflake domain if applicable                        |

#### Azure AD Device

Represents a device registered or joined to Microsoft Entra ID. Devices can be Azure AD joined, hybrid joined, or registered, and are used in conditional access policies and device-based access controls. Device objects store information about platform, compliance state, and management status for making authentication and authorization decisions.

**Entity Type Group:** SERVICE\_ACCOUNT

| Attribute                       | Type      | Required | Description                                            |
| ------------------------------- | --------- | -------- | ------------------------------------------------------ |
| `approximate_last_signed_in_at` | TIMESTAMP | Optional | Most recent sign-in from this device                   |
| `azure_tenant_id`               | STRING    | Required | The Azure tenant ID associated with the device         |
| `compliance_expires_at`         | TIMESTAMP | Optional | When device compliance status expires                  |
| `datasource_id`                 | STRING    | Optional | ID of the data source                                  |
| `device_category`               | STRING    | Optional | Category of the device                                 |
| `device_id`                     | STRING    | Required | Unique device identifier                               |
| `device_ownership`              | STRING    | Optional | Ownership type of the device                           |
| `enrollment_profile_name`       | STRING    | Optional | Name of the enrollment profile                         |
| `enrollment_type`               | STRING    | Optional | Type of enrollment                                     |
| `id`                            | STRING    | Required | Unique identifier for the device                       |
| `identity_type`                 | STRING    | Required | Type of identity                                       |
| `is_active`                     | BOOLEAN   | Required | Whether the device is active                           |
| `is_compliant`                  | BOOLEAN   | Optional | Whether the device meets compliance policies           |
| `is_managed`                    | BOOLEAN   | Optional | Whether the device is managed by Intune or another MDM |
| `is_rooted`                     | BOOLEAN   | Optional | Whether the device is rooted/jailbroken                |
| `management_type`               | STRING    | Optional | Type of management for the device                      |
| `manufacturer`                  | STRING    | Optional | Device manufacturer                                    |
| `mdm_app_id`                    | STRING    | Optional | ID of the MDM application managing the device          |
| `model`                         | STRING    | Optional | Device model                                           |
| `name`                          | STRING    | Required | Display name of the device                             |
| `operating_system`              | STRING    | Optional | Device operating system                                |
| `operating_system_version`      | STRING    | Optional | Version of the operating system                        |
| `owners`                        | STRING    | Optional | List of device owners                                  |
| `profile_type`                  | STRING    | Optional | Type of device profile                                 |
| `provider_id`                   | STRING    | Optional | ID of the identity provider                            |
| `registered_at`                 | TIMESTAMP | Optional | When the device was registered                         |
| `risk_score`                    | NUMBER    | Optional | Risk score assigned to the device                      |
| `trust_type`                    | STRING    | Optional | Azure AD Joined, Hybrid Joined, or Registered          |

#### Azure AD App Role

Represents roles defined within applications for role-based access control (RBAC). App roles allow developers to define authorization parameters within their applications and enable administrators to assign these roles to users, groups, or service principals. When a user signs in, Microsoft Entra ID emits a roles claim for each assigned role, which applications can use for authorization decisions.

**Entity Type Group:** APPLICATION\_ROLE

| Attribute           | Type   | Required | Description                                      |
| ------------------- | ------ | -------- | ------------------------------------------------ |
| `aws_iam_role_arn`  | STRING | Optional | AWS IAM role ARN if applicable                   |
| `azure_tenant_id`   | STRING | Required | The Azure tenant ID associated with the app role |
| `datasource_id`     | STRING | Optional | ID of the data source                            |
| `id`                | STRING | Required | Unique identifier for the app role               |
| `name`              | STRING | Required | Display name of the app role                     |
| `provider_id`       | STRING | Optional | ID of the identity provider                      |
| `risk_score`        | NUMBER | Optional | Risk score assigned to the app role              |
| `saml_provider_arn` | STRING | Optional | SAML provider ARN if applicable                  |
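
The paragraph above notes that Microsoft Entra ID emits a `roles` claim for each assigned app role and that applications use it for authorization decisions. The following is an added example, not Veza's or Microsoft's code, showing how a resource application evaluates that claim once a token has already been validated. The token is constructed inline and is not signed; the role values (`Reports.Read`, `Task.Write`) and the helper names are assumptions for illustration. It also covers the edge case a practitioner must get right: a token with no `roles` claim means no app role was assigned and must be denied, never treated as "all roles".

```python
"""Evaluate the Microsoft Entra ID `roles` claim for an authorization decision.

Added example (not Veza or Microsoft code). The token is a constructed,
JWT-shaped string whose signature is NOT checked here: a real application must
first validate signature, issuer, audience and expiry with a library such as
MSAL or a JOSE library before trusting any claim in it.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped token for the example (constructed input).

    The signature segment is a placeholder; this helper exists only so the
    example can run offline without a tenant.
    """
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def roles_from_validated_token(token: str) -> frozenset:
    """Return the app roles carried in the token's `roles` claim.

    Entra ID emits `roles` as a JSON array of app role values assigned to the
    signed-in user (or to the calling service principal for app-only tokens).
    A missing `roles` claim means no app role was assigned: return an empty
    set so every role check below fails closed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim must be a JSON array of strings")
    return frozenset(roles)


def is_authorized(token: str, required_role: str) -> bool:
    """Allow only when the required app role value is present in the claim."""
    return required_role in roles_from_validated_token(token)


if __name__ == "__main__":
    # Constructed tokens: one user with two app roles, one user with none.
    user_token = make_constructed_token({"sub": "user-1", "roles": ["Reports.Read", "Task.Write"]})
    no_role_token = make_constructed_token({"sub": "user-2"})
    print("user-1 Reports.Read:", is_authorized(user_token, "Reports.Read"))      # True
    print("user-1 Admin:", is_authorized(user_token, "Admin"))                    # False
    print("user-2 Reports.Read:", is_authorized(no_role_token, "Reports.Read"))  # False
```

The same check applies to app-only tokens obtained by a service principal through client credentials, since Entra ID places the application's assigned app roles in the same `roles` claim; the role values compared here are the `value` strings defined on the app role, not the display names Veza records in the `name` attribute above.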

#### Azure AD Conditional Access Policy

Represents Microsoft Entra ID's policy engine for enforcing security controls based on specific conditions. Conditional Access policies function as if-then statements that evaluate signals (like user, device, location, and risk) when authentication occurs and enforce organizational access requirements such as MFA, device compliance, or session controls before granting access to resources.

**Entity Type Group:** POLICY

| Attribute                         | Type   | Required | Description                       |
| --------------------------------- | ------ | -------- | --------------------------------- |
| `conditional_access_policy_state` | STRING | Required | Enabled, Disabled, or Report-only |
| `datasource_id`                   | STRING | Optional | ID of the data source             |
| `id`                              | STRING | Required | Unique identifier for the policy  |
| `name`                            | STRING | Required | Display name of the policy        |
| `provider_id`                     | STRING | Optional | ID of the identity provider       |
| `risk_score`                      | NUMBER | Optional | Risk score assigned to the policy |

#### Azure AD Domain

Represents a DNS domain associated with a Microsoft Entra ID tenant. Domains are used for user principal names (UPNs), email addresses, and application identifiers. Domains can be the initial onmicrosoft.com domain or custom verified domains that prove ownership of the namespace for use with Microsoft Entra ID services.

**Entity Type Group:** DOMAIN

| Attribute         | Type   | Required | Description                                    |
| ----------------- | ------ | -------- | ---------------------------------------------- |
| `azure_tenant_id` | STRING | Required | The Azure tenant ID associated with the domain |
| `datasource_id`   | STRING | Optional | ID of the data source                          |
| `id`              | STRING | Required | Unique identifier for the domain               |
| `name`            | STRING | Required | Domain name                                    |
| `provider_id`     | STRING | Optional | ID of the identity provider                    |
| `risk_score`      | NUMBER | Optional | Risk score assigned to the domain              |

#### Azure AD License

Represents a product license assigned to users in Microsoft Entra ID that grants access to Microsoft cloud services and applications. Licenses determine which features and capabilities are available to users, including Microsoft 365 services, Entra ID Premium features (like Conditional Access), and other Microsoft cloud products.

**Entity Type Group:** ROLE

| Attribute       | Type   | Required | Description                        |
| --------------- | ------ | -------- | ---------------------------------- |
| `datasource_id` | STRING | Optional | ID of the data source              |
| `id`            | STRING | Required | Unique identifier for the license  |
| `name`          | STRING | Required | Name of the license                |
| `owners`        | STRING | Optional | List of license owners             |
| `provider_id`   | STRING | Optional | ID of the identity provider        |
| `risk_score`    | NUMBER | Optional | Risk score assigned to the license |

### Next Steps: Complete Microsoft 365 Integration

{% hint style="warning" %}
**Important for Microsoft 365 Users:** If your organization uses Exchange Online for email and collaboration, you should enable the Exchange Online service after completing your Azure AD setup. See the [Exchange Online setup guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online.md) for detailed configuration instructions.
{% endhint %}

Consider enabling these additional Microsoft 365 services in your Azure integration:

* [**Exchange Online**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online.md) - Email permissions, distribution groups, and mailbox access
* [**SharePoint Online**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/sharepoint.md) - Document and site permissions
* [**Microsoft Teams**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/azure-info.md#microsoft-teams) - Team channels and collaboration access
* **Microsoft Intune** - Device management and compliance (see [Azure integration guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md#enable-microsoft-intune))
