Microsoft Azure AD
Configuring the Veza integration for Microsoft Azure AD (Entra ID).
Veza discovers Authorization metadata for Azure Active Directory, including roles, groups, users, and service principals, for any Microsoft Azure tenant integrated with Veza.
Enabling this integration can help:
Identify privileged access paths, including time-bound and just-in-time assignments
Track group-based inheritance of privileged roles
Conduct access reviews of direct and group-based assignments

If your organization only utilizes Azure AD, and doesn't require Veza discovery of entities such as storage resources, virtual machines, or SQL databases, you can disable those services and data sources when editing or adding an Azure integration.
Custom Security Attributes
Veza can optionally gather and show custom security attributes on Azure AD objects. To enable this, the Enterprise Application used by Veza to connect must have the CustomSecAttributeAssignment.Read.All Microsoft Graph permission. Attributes to gather must be specified in the Azure integration configuration.
Privileged Identity Management (PIM)
Microsoft Entra Privileged Identity Management (PIM) is a service for managing and monitoring access to important resources within an organization. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions.
To support PIM discovery, the Veza Enterprise Application in Azure AD requires the following Microsoft Graph API permissions:
RoleManagement.Read.All
PrivilegedAccess.Read.AzureAD
Group.Read.All
When available, Veza can provide visibility into both direct assignments and group-based assignments:
PIM for Roles: Just-in-time access to Azure AD administrative roles
PIM for Groups: Just-in-time membership and ownership of security groups or Microsoft 365 groups
PIM Assignment Types and Status
In Azure PIM, assignments can be either active (direct access without activation) or eligible (requiring activation when needed). Veza distinguishes between these statuses in the Authorization Graph:
Eligible assignments appear with an Azure AD Role Eligibility Schedule node between the user and the role.
Active assignments (including activated PIM assignments) appear as direct connections without the eligibility schedule node.
Understanding this distinction can help identify both current access and potential future access.
Authorization Graph Representation
Veza represents different PIM assignment types in the Authorization Graph with paths between graph nodes:
User assigned (Active) to Role:
Azure AD User → Azure AD Role
User assigned (Active) to Role via Group:
Azure AD User → Azure AD Group → Azure AD Role
User Eligible for a Role:
Azure AD User → Azure AD Role Eligibility Schedule → Azure AD Role
User Eligible for a Role via Group:
Azure AD User → Azure AD Group → Azure AD Role Eligibility Schedule → Azure AD Role
User with Activated Eligible Assignment:
Azure AD User → Azure AD Role (temporarily present during the activation period)
User with Activated Eligible Assignment via Group:
Azure AD User → Azure AD Group → Azure AD Role (temporarily present during the activation period)
Note that the queries above require System Query Mode.
When evaluating PIM eligibility, the following conditions apply:
Only assignments that have started (past their start date) and have not expired are shown in the graph
Future assignments and expired assignments are not displayed
When a user activates an eligible assignment, Microsoft creates a temporary active assignment (typically for up to 8 hours). Veza represents this as a direct connection, assuming data source extraction and parsing runs after activation and before expiration.
Groups cannot activate themselves; only individual members of a group can activate their eligible assignments
Permanent assignments (with no end date) are shown as active assignments
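The following is an added example, not Veza's code, that models the PIM rules described above (eligible versus active, direct versus group-based, start and end dates, and the temporary assignment created on activation) and shows which Authorization Graph paths result. The node labels, the 8-hour activation window used as a default, and the sample tenant data are constructed for illustration.

```python
# Added example (not Veza's code): a small model of how the PIM assignment
# rules described on this page turn into Authorization Graph paths.
# Node labels and the sample tenant data below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ELIGIBILITY_NODE = "Azure AD Role Eligibility Schedule"


@dataclass(frozen=True)
class Assignment:
    principal_id: str          # object id of the user or group
    principal_type: str        # "user" or "group"
    role: str                  # Azure AD role display name
    state: str                 # "active" or "eligible"
    start: Optional[datetime]  # None = no start constraint
    end: Optional[datetime]    # None = permanent (no end date)


def is_in_effect(a: Assignment, now: datetime) -> bool:
    """Only assignments that have started and have not expired are shown."""
    if a.start is not None and a.start > now:
        return False  # future assignment: not displayed
    if a.end is not None and a.end <= now:
        return False  # expired assignment: not displayed
    return True


def graph_paths(assignments: List[Assignment],
                group_members: Dict[str, List[str]],
                now: datetime) -> List[Tuple[str, ...]]:
    """Expand every in-effect assignment into user-level graph paths:
    eligible assignments get the eligibility schedule node, active ones
    connect directly, and group assignments fan out to each member."""
    paths: List[Tuple[str, ...]] = []
    for a in assignments:
        if not is_in_effect(a, now):
            continue
        middle = (ELIGIBILITY_NODE,) if a.state == "eligible" else ()
        role_node = f"Azure AD Role:{a.role}"
        if a.principal_type == "user":
            paths.append((f"Azure AD User:{a.principal_id}",) + middle + (role_node,))
        else:
            group_node = f"Azure AD Group:{a.principal_id}"
            for member in group_members.get(a.principal_id, []):
                paths.append((f"Azure AD User:{member}", group_node) + middle + (role_node,))
    return paths


def activate(eligible: Assignment, user_id: str, group_members: Dict[str, List[str]],
             now: datetime, hours: int = 8) -> Assignment:
    """Model a user activating an eligible assignment: a temporary active
    assignment is created for that user (up to 8 hours here, an assumed
    default). Groups cannot activate themselves, so the caller must name a
    user who holds the eligibility directly or is a member of the eligible group."""
    if eligible.state != "eligible":
        raise ValueError("only eligible assignments can be activated")
    if eligible.principal_type == "user":
        if eligible.principal_id != user_id:
            raise ValueError("user does not hold this eligibility")
    elif user_id not in group_members.get(eligible.principal_id, []):
        raise ValueError("user is not a member of the eligible group")
    return Assignment(user_id, "user", eligible.role, "active", now, now + timedelta(hours=hours))


# Constructed sample tenant (not real data).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
GROUP_MEMBERS = {"helpdesk": ["bob"]}
ASSIGNMENTS = [
    Assignment("alice", "user", "User Administrator", "active", None, None),                    # permanent
    Assignment("helpdesk", "group", "Global Reader", "eligible", NOW - DAY, None),               # eligible via group
    Assignment("alice", "user", "Global Administrator", "eligible", NOW + DAY, None),            # future: hidden
    Assignment("bob", "user", "Exchange Administrator", "active", NOW - 30 * DAY, NOW - DAY),   # expired: hidden
]


def demo():
    """Paths before activation, one hour into bob's activation, and after it expires."""
    before = graph_paths(ASSIGNMENTS, GROUP_MEMBERS, NOW)
    activated = activate(ASSIGNMENTS[1], "bob", GROUP_MEMBERS, NOW)
    during = graph_paths(ASSIGNMENTS + [activated], GROUP_MEMBERS, NOW + timedelta(hours=1))
    after = graph_paths(ASSIGNMENTS + [activated], GROUP_MEMBERS, NOW + timedelta(hours=9))
    return before, during, after


if __name__ == "__main__":
    for label, paths in zip(("before", "during", "after"), demo()):
        print(label)
        for p in paths:
            print("  " + " → ".join(p))
```

Running the module prints the two paths that are in effect (alice's permanent active role, and bob's eligibility via the helpdesk group), the extra direct bob → Global Reader path while his activation is live, and the original two again once the temporary assignment has expired; the future and expired assignments never appear, matching the conditions listed above.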
Supported Entities and Attributes
Veza discovers and maps Azure AD (Entra ID) entities and their relationships to enable queries based on attributes and relationships in your identity environment.
The integration standardizes Application and Directory role permissions to effective create, read, update, and delete actions, and detects the following relationships between entities:
User and group membership, including nested groups
Service principal assignments to roles and resources
Role eligibility and assignments
Group ownership and management
Conditional access policy application to users and groups
Cross-cloud identity relationships with systems like AWS, GCP, Kubernetes, and databases
Federation and trust relationships with external identity providers
See below for all supported entities and attributes.
Azure AD User
Represents a user identity in Microsoft Entra ID (formerly Azure AD). User objects store authentication and profile information for organizational members, guests, and external identities. Users can sign into Microsoft Entra ID, access protected resources, and be assigned to groups, roles, and applications.
Entity Type Group: IDP_USER
| Attribute | Type | Required | Description |
|---|---|---|---|
| account_enabled | BOOLEAN | Optional | Whether the user account is enabled |
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the user |
| country_or_region | STRING | Optional | User's country or region |
| created_at | TIMESTAMP | Optional | When the user was created |
| datasource_id | STRING | Optional | ID of the data source |
| default_mfa_method | STRING | Optional | User's default multi-factor authentication method |
| deleted_at | TIMESTAMP | Optional | When the user was deleted, if applicable |
| department | STRING | Optional | User's department |
| email | STRING | Optional | User's primary email address |
| employee_id | STRING | Optional | User's employee ID |
| employee_type | STRING | Optional | Type of employee (e.g., contractor, full-time) |
| external_user_state | STRING | Optional | State of external user if applicable |
| first_name | STRING | Optional | User's first name |
| full_admin | BOOLEAN | Optional | Whether the user has full administrative privileges |
| guest | BOOLEAN | Optional | Whether the user is a guest account |
| id | STRING | Required | Unique identifier for the user |
| identity_type | STRING | Required | Type of identity |
| idp_unique_id | STRING | Required | Unique identifier from the identity provider |
| is_active | BOOLEAN | Required | Whether the account is active |
| is_admin | BOOLEAN | Optional | Whether the user has administrative privileges |
| is_licensed | BOOLEAN | Optional | Whether the user has any licenses assigned |
| is_mfa_capable | BOOLEAN | Optional | Whether the user can use MFA for sign-in |
| is_mfa_registered | BOOLEAN | Optional | Whether the user has registered for MFA |
| is_passwordless_capable | BOOLEAN | Optional | Whether the user can use passwordless authentication |
| is_sspr_capable | BOOLEAN | Optional | Whether self-service password reset is available for the user |
| is_sspr_enabled | BOOLEAN | Optional | Whether SSPR is enabled for the user |
| is_sspr_registered | BOOLEAN | Optional | Whether the user has registered for SSPR |
| is_system_preferred_authentication_method_enabled | BOOLEAN | Optional | Whether system-preferred authentication is enabled |
| job_title | STRING | Optional | User's role or job title |
| last_login_at | TIMESTAMP | Optional | When the user last logged in |
| last_name | STRING | Optional | User's last name |
| last_successful_login_at | TIMESTAMP | Optional | When the user last successfully logged in |
| licenses | STRING_LIST | Optional | List of licenses assigned to the user |
| mail_nickname | STRING | Optional | User's mail nickname |
| manager | STRING | Optional | The user's manager |
| manager_id | STRING | Optional | ID of the user's manager |
| manager_principal_name | STRING | Optional | Principal name of the user's manager |
| methods_registered | STRING_LIST | Optional | Authentication methods registered by the user |
| name | STRING | Required | Display name of the user |
| nickname | STRING | Optional | User's nickname |
| office | STRING | Optional | User's office location |
| on_premises_distinguished_name | STRING | Optional | Distinguished name from on-premises AD |
| on_premises_sam_account_name | STRING | Optional | SAM account name from on-premises AD |
| on_premises_sync | BOOLEAN | Required | Whether the user is synchronized from on-premises AD |
| on_premises_user_principal_name | STRING | Optional | UPN from on-premises AD |
| other_mails | STRING_LIST | Optional | Additional email addresses |
| owners | STRING | Optional | List of user owners |
| password_policies | STRING_LIST | Required | Password policies applied to the user |
| password_profile_force_change_password_next_sign_in | BOOLEAN | Optional | Whether password change is required at next sign-in |
| password_profile_force_change_password_next_sign_in_with_mfa | BOOLEAN | Optional | Whether password change with MFA is required at next sign-in |
| principal_name | STRING | Required | User principal name (UPN) |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the user |
| street_address | STRING | Optional | User's street address |
| system_preferred_authentication_methods | STRING_LIST | Optional | System-preferred authentication methods |
| usage_location | STRING | Optional | User's usage location for licensing |
| user_preferred_method_for_secondary_authentication | STRING | Optional | User's preferred secondary authentication method |
| user_type | STRING | Optional | Type of user (Member, Guest, etc.) |
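The following is an added example, not Veza's code, showing the kind of access-hygiene checks these User attributes enable once discovered: admins without MFA registered, guest accounts holding admin rights, enabled accounts that have not signed in recently, and disabled accounts that still hold licenses. The records are constructed sample data; the dictionary shape (one record per user keyed by the attribute names in the table above) is an assumption for illustration, not a Veza export format.

```python
# Added example (not Veza's code): evaluating discovered Azure AD User records
# against a few access-hygiene questions, using the attribute names from the
# table above. The records are constructed sample data in an assumed shape.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _iso(days_ago: int) -> str:
    """Helper to build a TIMESTAMP attribute value relative to NOW."""
    return (NOW - timedelta(days=days_ago)).isoformat()


# Constructed sample records (not real accounts).
USERS: List[Dict] = [
    {"principal_name": "alice@contoso.example", "account_enabled": True, "guest": False,
     "is_admin": True, "is_mfa_registered": True, "is_licensed": True, "last_login_at": _iso(2)},
    {"principal_name": "bob@contoso.example", "account_enabled": True, "guest": False,
     "is_admin": True, "is_mfa_registered": False, "is_licensed": True, "last_login_at": _iso(1)},
    {"principal_name": "vendor_guest@partner.example", "account_enabled": True, "guest": True,
     "is_admin": True, "is_mfa_registered": True, "is_licensed": False, "last_login_at": _iso(10)},
    {"principal_name": "carol@contoso.example", "account_enabled": True, "guest": False,
     "is_admin": False, "is_mfa_registered": False, "is_licensed": True, "last_login_at": _iso(200)},
    {"principal_name": "dave@contoso.example", "account_enabled": False, "guest": False,
     "is_admin": False, "is_mfa_registered": False, "is_licensed": True, "last_login_at": None},
    {"principal_name": "erin@contoso.example", "account_enabled": True, "guest": False,
     "is_admin": False, "is_mfa_registered": False, "is_licensed": True, "last_login_at": None},
]


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """TIMESTAMP attributes may be absent; treat None as 'never'."""
    return datetime.fromisoformat(ts) if ts else None


def admins_without_mfa(users: List[Dict]) -> List[str]:
    """Enabled accounts with administrative privileges but no registered MFA method."""
    return [u["principal_name"] for u in users
            if u.get("account_enabled") and u.get("is_admin") and not u.get("is_mfa_registered")]


def guest_admins(users: List[Dict]) -> List[str]:
    """Guest (external) accounts that hold administrative privileges."""
    return [u["principal_name"] for u in users if u.get("guest") and u.get("is_admin")]


def stale_enabled_accounts(users: List[Dict], now: datetime = NOW, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no sign-in within max_idle_days, or no sign-in on record."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if not u.get("account_enabled"):
            continue  # disabled accounts are a separate question
        last = _parse(u.get("last_login_at"))
        if last is None or last < cutoff:
            stale.append(u["principal_name"])
    return stale


def licensed_but_disabled(users: List[Dict]) -> List[str]:
    """Disabled accounts that still have licenses assigned."""
    return [u["principal_name"] for u in users
            if not u.get("account_enabled") and u.get("is_licensed")]


if __name__ == "__main__":
    print("admins without MFA:", admins_without_mfa(USERS))
    print("guest admins:", guest_admins(USERS))
    print("stale enabled accounts:", stale_enabled_accounts(USERS))
    print("licensed but disabled:", licensed_but_disabled(USERS))
```

Each check reads only attributes listed in the table, so the same functions apply to real discovered records once they are mapped into this shape; the 90-day idle threshold is a placeholder an organization would set from its own policy.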
Azure AD Group
Represents a collection of users in Microsoft Entra ID used for assigning access rights and permissions. Groups can be security groups (used to manage access to shared resources) or Microsoft 365 groups (providing collaboration opportunities), with support for dynamic membership rules and nested groups.
Entity Type Group: IDP_GROUP
| Attribute | Type | Required | Description |
|---|---|---|---|
| allow_external_senders | BOOLEAN | Optional | Whether external senders can send to this group |
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the group |
| classification | STRING | Optional | Sensitivity classification of the group |
| created_at | TIMESTAMP | Optional | When the group was created |
| datasource_id | STRING | Optional | ID of the data source |
| deleted_at | TIMESTAMP | Optional | When the group was deleted, if applicable |
| description | STRING | Optional | Description of the group |
| expires_at | TIMESTAMP | Optional | When the group expires, if applicable |
| group_types | STRING_LIST | Optional | Types of the group (e.g., "Unified" for M365 groups) |
| has_member_with_license_errors | BOOLEAN | Optional | Whether any members have license errors |
| hide_from_address_lists | BOOLEAN | Optional | Whether the group is hidden from address lists |
| hide_from_outlook_clients | BOOLEAN | Optional | Whether the group is hidden from Outlook clients |
| hierarchical_in_cycle | BOOLEAN | Optional | Whether the group is part of a circular reference |
| hierarchical_level | NUMBER | Required | Depth in the nested group hierarchy |
| id | STRING | Required | Unique identifier for the group |
| idp_unique_id | STRING | Required | Unique identifier from the identity provider |
| is_assignable_to_role | BOOLEAN | Optional | Whether the group can be assigned to roles |
| is_owner_group | BOOLEAN | Optional | Whether the group is used for ownership assignments |
| is_security_group | BOOLEAN | Optional | Whether the group is a security group |
| mail_enabled | BOOLEAN | Optional | Whether the group can receive emails |
| managed_by | STRING_LIST | Optional | List of entities that manage this group |
| name | STRING | Required | Display name of the group |
| on_premises_distinguished_name | STRING | Optional | Distinguished name from on-premises AD |
| on_premises_last_sync_date_time | TIMESTAMP | Optional | Last synchronization time from on-premises AD |
| on_premises_sam_account_name | STRING | Optional | SAM account name from on-premises AD |
| on_premises_sync | BOOLEAN | Required | Whether the group is synchronized from on-premises AD |
| owners | STRING | Optional | List of group owners |
| preffered_data_location | STRING | Optional | Preferred data location for the group |
| preffered_language | STRING | Optional | Preferred language for the group |
| principal_name | STRING | Required | Principal name of the group |
| provider_id | STRING | Optional | ID of the identity provider |
| renewed_at | TIMESTAMP | Optional | When the group was last renewed |
| risk_score | NUMBER | Optional | Risk score assigned to the group |
| visibility | STRING | Optional | Visibility setting (Public, Private, or HiddenMembership) |
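The following is an added example, not Veza's code, illustrating the two nested-group attributes above, hierarchical_level and hierarchical_in_cycle, by computing them from group-in-group membership edges. The exact semantics used here (level is the longest chain of containing groups above a group, 0 for a top-level group and None where a nesting cycle leaves the depth undefined; in_cycle means the group is nested inside itself) are an assumption for illustration, not Veza's documented definition, and the membership data is constructed.

```python
# Added example (not Veza's code): deriving hierarchical_level and
# hierarchical_in_cycle for nested groups from membership edges.
# Semantics here are assumed for illustration; sample data is constructed.
from collections import deque
from typing import Dict, List, Optional, Set, Tuple


def _reaches_itself(start: str, member_groups: Dict[str, List[str]]) -> bool:
    """True when following 'contains' edges from start gets back to start."""
    seen: Set[str] = set()
    stack = list(member_groups.get(start, []))
    while stack:
        g = stack.pop()
        if g == start:
            return True
        if g in seen:
            continue
        seen.add(g)
        stack.extend(member_groups.get(g, []))
    return False


def nested_group_attributes(member_groups: Dict[str, List[str]]) -> Dict[str, Tuple[Optional[int], bool]]:
    """member_groups maps a group id to the ids of groups that are its direct
    members. Returns {group_id: (hierarchical_level, hierarchical_in_cycle)}."""
    groups: Set[str] = set(member_groups)
    for members in member_groups.values():
        groups.update(members)
    # Invert the edges: for each group, which groups directly contain it.
    parents: Dict[str, List[str]] = {g: [] for g in groups}
    for parent, members in member_groups.items():
        for child in members:
            parents[child].append(parent)
    # Layer the hierarchy top-down (Kahn's algorithm over "contained in" edges).
    # A group is placed only once every group containing it has a level.
    remaining = {g: len(parents[g]) for g in groups}
    level: Dict[str, int] = {}
    queue = deque(sorted(g for g in groups if remaining[g] == 0))  # top-level groups
    while queue:
        g = queue.popleft()
        level[g] = max((level[p] + 1 for p in parents[g]), default=0)
        for child in member_groups.get(g, []):
            remaining[child] -= 1
            if remaining[child] == 0:
                queue.append(child)
    # Groups never layered sit in a cycle or below one: level stays undefined,
    # and the cycle flag tells the two cases apart.
    return {g: (level.get(g), _reaches_itself(g, member_groups)) for g in groups}


# Constructed sample: a clean three-level chain plus a two-group cycle
# with a further group nested underneath it.
MEMBER_GROUPS = {
    "all-staff": ["engineering"],
    "engineering": ["backend"],
    "admins-a": ["admins-b"],
    "admins-b": ["admins-a", "oncall"],
}


def groups_in_cycles(member_groups: Dict[str, List[str]]) -> List[str]:
    """Convenience view: the groups an access review should look at first."""
    attrs = nested_group_attributes(member_groups)
    return sorted(g for g, (_, in_cycle) in attrs.items() if in_cycle)


if __name__ == "__main__":
    for g, (lvl, cyc) in sorted(nested_group_attributes(MEMBER_GROUPS).items()):
        print(f"{g:12} level={lvl} in_cycle={cyc}")
```

A cycle of role-assignable groups matters for access reviews because every member of any group in the cycle effectively inherits whatever each group in the cycle is assigned, which is why the page flags circular references as a distinct attribute.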
Azure AD Role
Represents administrative roles within Microsoft Entra ID that define permissions for managing tenant resources. Roles can be built-in (predefined by Microsoft) or custom roles created by administrators, and are assigned to users, groups, or service principals to delegate identity management tasks.
Entity Type Group: ROLE
| Attribute | Type | Required | Description |
|---|---|---|---|
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the role |
| builtin | BOOLEAN | Optional | Whether the role is a built-in Microsoft role |
| datasource_id | STRING | Optional | ID of the data source |
| description | STRING | Optional | Description of the role |
| enabled | BOOLEAN | Optional | Whether the role is currently enabled |
| id | STRING | Required | Unique identifier for the role |
| is_privileged | BOOLEAN | Optional | Whether the role grants privileged access |
| name | STRING | Required | Display name of the role |
| owners | STRING | Optional | List of role owners |
| permissions | STRING_LIST | Optional | List of permissions granted by the role |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the role |
Azure AD Enterprise Application
Represents a service principal in Microsoft Entra ID, which is the local representation of an application in a specific tenant. Service principals define what an application can do within your tenant, including what resources it can access and what authentication methods it uses. They serve as the security identity for applications accessing resources secured by Microsoft Entra ID.
Entity Type Group: SERVICE_ACCOUNT
| Attribute | Type | Required | Description |
|---|---|---|---|
| app_role_assignment_required | BOOLEAN | Optional | Whether users need explicit assignment to use the app |
| application_id | STRING | Required | Unique application identifier |
| application_owners | STRING_LIST | Optional | List of users/groups designated as application owners |
| application_template | STRING | Required | Template used to create the application |
| application_template_id | STRING | Optional | ID of the template used to create the application |
| application_type | STRING | Optional | Type of application |
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the application |
| datasource_id | STRING | Optional | ID of the data source |
| domain_service_now | STRING | Optional | ServiceNow domain if applicable |
| enabled | BOOLEAN | Optional | Whether the service principal is enabled |
| github_enterprise_cloud_enterprise | STRING | Optional | GitHub Enterprise Cloud organization if applicable |
| github_enterprise_server_domain | STRING | Optional | GitHub Enterprise Server domain if applicable |
| id | STRING | Required | Unique identifier for the service principal |
| identity_type | STRING | Required | Type of identity |
| is_active | BOOLEAN | Required | Whether the service principal is active |
| name | STRING | Required | Display name of the service principal |
| owners | STRING | Optional | List of service principal owners |
| permissions | STRING_LIST | Optional | List of permissions granted to the application |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the service principal |
| snowflake_domain | STRING | Optional | Snowflake domain if applicable |
Azure AD Device
Represents a device registered or joined to Microsoft Entra ID. Devices can be Azure AD joined, hybrid joined, or registered, and are used in conditional access policies and device-based access controls. Device objects store information about platform, compliance state, and management status for making authentication and authorization decisions.
Entity Type Group: SERVICE_ACCOUNT
| Attribute | Type | Required | Description |
|---|---|---|---|
| approximate_last_signed_in_at | TIMESTAMP | Optional | Most recent sign-in from this device |
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the device |
| compliance_expires_at | TIMESTAMP | Optional | When device compliance status expires |
| datasource_id | STRING | Optional | ID of the data source |
| device_category | STRING | Optional | Category of the device |
| device_id | STRING | Required | Unique device identifier |
| device_ownership | STRING | Optional | Ownership type of the device |
| enrollment_profile_name | STRING | Optional | Name of the enrollment profile |
| enrollment_type | STRING | Optional | Type of enrollment |
| id | STRING | Required | Unique identifier for the device |
| identity_type | STRING | Required | Type of identity |
| is_active | BOOLEAN | Required | Whether the device is active |
| is_compliant | BOOLEAN | Optional | Whether the device meets compliance policies |
| is_managed | BOOLEAN | Optional | Whether the device is managed by Intune or another MDM |
| is_rooted | BOOLEAN | Optional | Whether the device is rooted/jailbroken |
| management_type | STRING | Optional | Type of management for the device |
| manufacturer | STRING | Optional | Device manufacturer |
| mdm_app_id | STRING | Optional | ID of the MDM application managing the device |
| model | STRING | Optional | Device model |
| name | STRING | Required | Display name of the device |
| operating_system | STRING | Optional | Device operating system |
| operating_system_version | STRING | Optional | Version of the operating system |
| owners | STRING | Optional | List of device owners |
| profile_type | STRING | Optional | Type of device profile |
| provider_id | STRING | Optional | ID of the identity provider |
| registered_at | TIMESTAMP | Optional | When the device was registered |
| risk_score | NUMBER | Optional | Risk score assigned to the device |
| trust_type | STRING | Optional | Azure AD Joined, Hybrid Joined, or Registered |
Azure AD App Role
Represents roles defined within applications for role-based access control (RBAC). App roles allow developers to define authorization parameters within their applications and enable administrators to assign these roles to users, groups, or service principals. When a user signs in, Microsoft Entra ID emits a roles claim for each assigned role, which applications can use for authorization decisions.
Entity Type Group: APPLICATION_ROLE
| Attribute | Type | Required | Description |
|---|---|---|---|
| aws_iam_role_arn | STRING | Optional | AWS IAM role ARN if applicable |
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the app role |
| datasource_id | STRING | Optional | ID of the data source |
| id | STRING | Required | Unique identifier for the app role |
| name | STRING | Required | Display name of the app role |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the app role |
| saml_provider_arn | STRING | Optional | SAML provider ARN if applicable |
Azure AD Conditional Access Policy
Represents Microsoft Entra ID's policy engine for enforcing security controls based on specific conditions. Conditional Access policies function as if-then statements that evaluate signals (like user, device, location, and risk) when authentication occurs and enforce organizational access requirements such as MFA, device compliance, or session controls before granting access to resources.
Entity Type Group: POLICY
| Attribute | Type | Required | Description |
|---|---|---|---|
| conditional_access_policy_state | STRING | Required | Enabled, Disabled, or Report-only |
| datasource_id | STRING | Optional | ID of the data source |
| id | STRING | Required | Unique identifier for the policy |
| name | STRING | Required | Display name of the policy |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the policy |
Azure AD Domain
Represents a DNS domain associated with a Microsoft Entra ID tenant. Domains are used for user principal names (UPNs), email addresses, and application identifiers. Domains can be the initial onmicrosoft.com domain or custom verified domains that prove ownership of the namespace for use with Microsoft Entra ID services.
Entity Type Group: DOMAIN
| Attribute | Type | Required | Description |
|---|---|---|---|
| azure_tenant_id | STRING | Required | The Azure tenant ID associated with the domain |
| datasource_id | STRING | Optional | ID of the data source |
| id | STRING | Required | Unique identifier for the domain |
| name | STRING | Required | Domain name |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the domain |
Azure AD License
Represents a product license assigned to users in Microsoft Entra ID that grants access to Microsoft cloud services and applications. Licenses determine which features and capabilities are available to users, including Microsoft 365 services, Entra ID Premium features (like Conditional Access), and other Microsoft cloud products.
Entity Type Group: ROLE
| Attribute | Type | Required | Description |
|---|---|---|---|
| datasource_id | STRING | Optional | ID of the data source |
| id | STRING | Required | Unique identifier for the license |
| name | STRING | Required | Name of the license |
| owners | STRING | Optional | List of license owners |
| provider_id | STRING | Optional | ID of the identity provider |
| risk_score | NUMBER | Optional | Risk score assigned to the license |