Table: azuread_directory_setting - Query Azure Active Directory Directory Settings using SQL
Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service. Directory Settings in Azure AD are configurable settings that define the behavior and functionality of the directory. These settings include the ability to manage features like self-service password reset, device settings, group settings, and more.
Table Usage Guide
The azuread_directory_setting table provides insights into Directory Settings within Azure Active Directory. As an IT administrator, explore settings-specific details through this table, including the status of various features like self-service password reset, device settings, group settings, and more. Utilize it to uncover information about the configuration and behavior of your Azure AD directory.
Examples
Basic info
Explore the basic information in your Azure Active Directory settings to determine the areas where changes or updates may be needed. This can be especially useful in managing user access and permissions within your organization.
select display_name, id, value
from azuread_directory_setting;
Check if user admin consent workflow is enabled
Determine if the workflow for user admin consent is activated. This is useful for managing and enforcing user permissions and access controls within your Azure Active Directory.
PostgreSQL:
select display_name, id, name, value
from azuread_directory_setting
where display_name = 'Consent Policy Settings'
  and name = 'EnableAdminConsentRequests'
  and value :: bool;

SQLite:
select display_name, id, name, value
from azuread_directory_setting
where display_name = 'Consent Policy Settings'
  and name = 'EnableAdminConsentRequests'
  and value = '1';
Check if banned password protection is enabled
Determine whether your organization's password policy guards against the use of commonly banned passwords. This query helps identify weaknesses in your password protection settings. Each setting is stored as a separate row, so the two conditions are combined with OR: banned password protection is enabled and enforced only when both rows are returned.

PostgreSQL:
select display_name, id, name, value
from azuread_directory_setting
where display_name = 'Password Rule Settings'
  and (
    ( name = 'EnableBannedPasswordCheckOnPremises' and value :: bool )
    or ( name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforced' )
  );

SQLite:
select display_name, id, name, value
from azuread_directory_setting
where display_name = 'Password Rule Settings'
  and (
    ( name = 'EnableBannedPasswordCheckOnPremises' and value = 'true' )
    or ( name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforced' )
  );
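Because each setting is its own row (one name/value pair per row), a check that spans several settings has to pivot them per settings object before judging them together. The following PostgreSQL query is an added example, not part of the original Steampipe documentation; the status labels are illustrative, and it assumes boolean settings arrive as the strings 'true' or '1' in any letter case.

```sql
-- Added example: pivot the per-row settings of the 'Password Rule Settings'
-- group into one verdict per tenant and settings object.
with password_rules as (
  select
    tenant_id,
    id,
    -- max() ... filter picks the single value stored for each setting name
    -- and yields NULL when that setting row is absent.
    max(value) filter (where name = 'EnableBannedPasswordCheckOnPremises') as check_enabled,
    max(value) filter (where name = 'BannedPasswordCheckOnPremisesMode') as check_mode
  from
    azuread_directory_setting
  where
    display_name = 'Password Rule Settings'
  group by
    tenant_id,
    id
)
select
  tenant_id,
  id,
  check_enabled,
  check_mode,
  case
    when check_enabled is null or check_mode is null then 'not_configured'
    -- Compare as text (assumed string forms) instead of casting, so a
    -- non-boolean value can never raise a cast error.
    when lower(check_enabled) in ('true', '1') and check_mode = 'Enforced' then 'ok'
    else 'alarm'
  end as status
from
  password_rules;
```

A tenant with no Password Rule Settings object returns no rows from this query, so treat an empty result as unconfigured rather than compliant.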
Schema for azuread_directory_setting
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
display_name | text | | Display name of this group of settings, which comes from the associated template. |
id | text | = | Unique identifier for these settings. |
name | text | = | Name of the setting. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
template_id | text | | Unique identifier for the template used to create this group of settings. |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Tenant ID where the resource is located. |
title | text | | Title of the resource. |
value | text | | Value of the setting. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread
You can pass the configuration to the command with the --config argument:
steampipe_export_azuread --config '<your_config>' azuread_directory_setting