Table: azuread_directory_role - Query Azure Active Directory Directory Roles using SQL
Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service. It combines core directory services, application access management, and identity protection into a single solution. Directory Roles in Azure AD provide access to various features and capabilities in the Azure portal and Azure AD administrative features.
Table Usage Guide
The azuread_directory_role table provides insights into Directory Roles within Azure Active Directory. As a DevOps engineer or IT professional, you can explore role-specific details through this table, including permissions and associated metadata. Use it to uncover information about roles, such as their assigned permissions, the users associated with each role, and the verification of role-specific settings.
Examples
Basic info
Explore the roles within your Azure Active Directory to understand their functions and who has been assigned to them. This can be useful for auditing purposes or to ensure the correct permissions have been granted.
```sql
select
  id,
  display_name,
  description,
  member_ids
from
  azuread_directory_role;
```
List users with access to directory roles
Explore which users have access to specific directory roles. This is useful for managing and reviewing user permissions in a system.
PostgreSQL:

```sql
select
  u.display_name as username,
  role.display_name as directory_role
from
  azuread_directory_role as role,
  jsonb_array_elements_text(member_ids) as m_id,
  azuread_user as u
where
  u.id = m_id;
```

SQLite:

```sql
select
  u.display_name as username,
  role.display_name as directory_role
from
  azuread_directory_role as role,
  json_each(role.member_ids) as m_id,
  azuread_user as u
where
  u.id = m_id.value;
```
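The two examples above show how to list roles and join their members to azuread_user. The following block is an added example (not part of the Steampipe documentation) that takes the same join further for an access review: it expands member_ids once in a CTE, counts members per role, and then turns the "between two and four global admins" control from the CIS list into a query. It is written in PostgreSQL syntax, as used by the Steampipe service. The user_principal_name column on azuread_user is assumed; only id and display_name appear on this page. The Global Administrator template id used in the last query is Microsoft's documented value for that built-in role.

```sql
-- Added example, not from the Steampipe docs. PostgreSQL syntax.
-- Assumes azuread_user exposes id, display_name and user_principal_name
-- (user_principal_name is an assumption; the other two are used on this page).

-- 1. Every member of every activated directory role. member_ids can hold
--    ids of users, groups or service principals, so a LEFT JOIN keeps
--    non-user members (their user columns come back NULL) instead of
--    silently dropping them from the review.
with role_members as (
  select
    r.id              as role_id,
    r.display_name    as role_name,
    r.role_template_id,
    m.member_id
  from azuread_directory_role as r
  cross join lateral jsonb_array_elements_text(r.member_ids) as m(member_id)
)
select
  rm.role_name,
  rm.role_template_id,
  rm.member_id,
  u.display_name        as member_name,
  u.user_principal_name as member_upn   -- assumed column on azuread_user
from role_members as rm
left join azuread_user as u on u.id = rm.member_id
order by rm.role_name, member_name;

-- 2. Member count per role, largest first. coalesce() guards against a
--    NULL member_ids array, which jsonb_array_length() would return NULL for.
select
  display_name,
  role_template_id,
  coalesce(jsonb_array_length(member_ids), 0) as member_count
from azuread_directory_role
order by member_count desc;

-- 3. Global Administrator head count, in the spirit of the CIS control
--    "Ensure that between two and four global admins are designated".
--    Matching on role_template_id rather than display_name ties the check
--    to the built-in role itself. 62e90394-69f5-4237-9190-012177145e10 is
--    Microsoft's documented template id for Global Administrator.
--    Note: the table only returns roles that are activated in the tenant,
--    so no row at all means the role has never been activated, not zero admins.
select
  display_name,
  coalesce(jsonb_array_length(member_ids), 0) as global_admin_count,
  case
    when coalesce(jsonb_array_length(member_ids), 0) between 2 and 4 then 'ok'
    when coalesce(jsonb_array_length(member_ids), 0) < 2
      then 'alarm: fewer than two global admins (no break-glass redundancy)'
    else 'alarm: more than four global admins'
  end as status
from azuread_directory_role
where role_template_id = '62e90394-69f5-4237-9190-012177145e10';
```

The first query is the one to keep for evidence: it records who held which role at query time, including members that are not users. The third query is the kind of check a Steampipe control wraps; run it on a schedule and treat any `alarm` row as a finding to investigate.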
Control examples
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.2 Ensure multifactor authentication is enabled for all users in all roles
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.3 Ensure that between two and four global admins are designated
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.2 Ensure multifactor authentication is enabled for all users in all roles
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.3 Ensure that between two and four global admins are designated
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.2 Ensure multifactor authentication is enabled for all users in administrative roles
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.21 Ensure 'Microsoft Azure Management' is limited to administrative roles
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.3 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.4 Ensure multifactor authentication is enabled for all users
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.7 Ensure that between two and four global admins are designated
- CIS v2.1.0 > 1 Identity and Access Management > 1.25 Ensure fewer than 5 users have global administrator assignment
- CIS v3.0.0 > 1 Microsoft 365 admin center > 1.1 Users > 1.1.3 Ensure that between two and four global admins are designated
- CIS v3.0.0 > 2 Identity > 2.26 Ensure fewer than 5 users have global administrator assignment
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.2 Protection > 5.2.2 Conditional Access > 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.2 Protection > 5.2.2 Conditional Access > 5.2.2.2 Ensure multifactor authentication is enabled for all users
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.2 Protection > 5.2.2 Conditional Access > 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- CIS v3.0.0 > 5 Microsoft Entra admin center > 5.2 Protection > 5.2.2 Conditional Access > 5.2.2.8 Ensure 'Microsoft Azure Management' is limited to administrative roles
Schema for azuread_directory_role
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
description | text | | The description for the directory role.
display_name | text | | The display name for the directory role.
id | text | = | The unique identifier for the directory role.
member_ids | jsonb | | Id of the owners of the application. The owners are a set of non-admin users who are allowed to modify this object.
role_template_id | text | | The id of the directoryRoleTemplate that this role is based on. The property must be specified when activating a directory role in a tenant with a POST operation. After the directory role has been activated, the property is read only.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Tenant ID where the resource is located.
title | text | | Title of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_azuread --config '<your_config>' azuread_directory_role
```