Table: azuread_group - Query Azure Active Directory Groups using SQL
Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service. It combines core directory services, application access management, and identity protection into a single solution. Azure AD also offers a rich, standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
Table Usage Guide
The azuread_group table provides insights into groups within Microsoft's Azure Active Directory. As an IT administrator, you can explore group-specific details through this table, including the group's ID, display name, security identifier, and more. Utilize it to uncover information about groups, such as their membership and associated metadata, aiding in the management and security of your organization's resources.
Examples
Basic info
Explore which Azure Active Directory groups are present in your system, along with their associated email addresses. This can be useful for understanding your group structure and managing group communication.
select display_name, id, description, mailfrom azuread_group;select display_name, id, description, mailfrom azuread_group;List groups with public visibility
Explore which user groups within your Azure Active Directory have been set to public visibility. This can help in managing data security and privacy by identifying potential areas of risk.
select display_name, id, description, mailfrom azuread_groupwhere visibility = 'Public';select display_name, id, description, mailfrom azuread_groupwhere visibility = 'Public';List security enabled groups
Explore which groups in your Azure Active Directory have security features enabled. This information is useful for auditing purposes and ensuring adherence to security protocols.
select display_name, id, description, mailfrom azuread_groupwhere security_enabled;select display_name, id, description, mailfrom azuread_groupwhere security_enabled = 1;List groups that can be assigned to roles
Explore which groups within your Azure Active Directory can be assigned to roles. This enables better management of access permissions, ensuring appropriate role assignments within your organization.
select display_name, id, description, mailfrom azuread_groupwhere is_assignable_to_role;select display_name, id, description, mailfrom azuread_groupwhere is_assignable_to_role = 1;Get owner details of an specific group
Discover the segments that identify the owner of a specific group in the Azure Active Directory. This could be useful in scenarios where you need to understand access control and ownership structures within your organization.
select gr.display_name as group_name, u.display_name as user_name, owner_idfrom azuread_user u, azuread_group gr, jsonb_array_elements_text(gr.owner_ids) as owner_idwhere owner_id = u.id and gr.display_name = 'turbot'order by user_name;select gr.display_name as group_name, u.display_name as user_name, owner_id.value as owner_idfrom azuread_user u, azuread_group gr, json_each(gr.owner_ids) as owner_idwhere owner_id.value = u.id and gr.display_name = 'turbot'order by user_name;Query examples
- activedirectory_directory_roles_for_activedirectory_group
- activedirectory_directory_roles_for_user
- activedirectory_group_1_year_count
- activedirectory_group_24_hours_count
- activedirectory_group_30_90_days_count
- activedirectory_group_30_days_count
- activedirectory_group_90_365_days_count
- activedirectory_group_age_table
- activedirectory_group_by_creation_month
- activedirectory_group_by_tenant
- activedirectory_group_by_type
- activedirectory_group_count
- activedirectory_group_input
- activedirectory_group_members_attached
- activedirectory_group_members_attached_count
- activedirectory_group_overview
- activedirectory_group_owners
- activedirectory_group_type
- activedirectory_group_with_no_members_count
- activedirectory_groups_for_activedirectory_user
- activedirectory_groups_for_user
- activedirectory_microsoft_365_group_count
- activedirectory_security_group_count
- activedirectory_users_for_activedirectory_group
- subscriptions_for_activedirectory_group
- target_activedirectory_groups_for_activedirectory_group
Control examples
- CIS v1.4.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.12 Ensure that only organizationally managed/approved public groups exist
- CIS v1.5.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.12 Ensure that only organizationally managed/approved public groups exist
- CIS v2.0.0 > 1 Account and Authentication > 1.1 Azure Active Directory > 1.1.16 Ensure that only organizationally managed/approved public groups exist
- CIS v3.0.0 > 1 Microsoft 365 admin center > 1.2 Teams & groups > 1.2.1 Ensure that only organizationally managed/approved public groups exist
Schema for azuread_group
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| assigned_labels | jsonb | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. | |
| classification | text | Describes a classification for the group (such as low, medium or high business impact). | |
| created_date_time | timestamp with time zone | The time at which the group was created. | |
| description | text | An optional description for the group. | |
| display_name | text | = | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. |
| expiration_date_time | timestamp with time zone | Timestamp of when the group is set to expire. | |
| filter | text | = | Odata query to search for groups. |
| group_types | jsonb | Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see [groups overview](https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0). | |
| id | text | = | The unique identifier for the group. |
| is_assignable_to_role | boolean | Indicates whether this group can be assigned to an Azure Active Directory role or not. | |
| is_subscribed_by_mail | boolean | Indicates whether the signed-in user is subscribed to receive email conversations. Default value is true. | |
| text | = | The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com". | |
| mail_enabled | boolean | !=, = | Specifies whether the group is mail-enabled. |
| mail_nickname | text | The mail alias for the user. | |
| member_ids | jsonb | Id of Users and groups that are members of this group. | |
| membership_rule | text | The mail alias for the group, unique in the organization. | |
| membership_rule_processing_state | text | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. | |
| on_premises_domain_name | text | Contains the on-premises Domain name synchronized from the on-premises directory. | |
| on_premises_last_sync_date_time | timestamp with time zone | Indicates the last time at which the group was synced with the on-premises directory. | |
| on_premises_net_bios_name | text | Contains the on-premises NetBiosName synchronized from the on-premises directory. | |
| on_premises_sam_account_name | text | Contains the on-premises SAM account name synchronized from the on-premises directory. | |
| on_premises_security_identifier | text | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. | |
| on_premises_sync_enabled | boolean | !=, = | True if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
| owner_ids | jsonb | Id od the owners of the group. The owners are a set of non-admin users who are allowed to modify this object. | |
| proxy_addresses | jsonb | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties. | |
| renewed_date_time | timestamp with time zone | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. | |
| resource_behavior_options | jsonb | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled. | |
| resource_provisioning_options | jsonb | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team. | |
| security_enabled | boolean | !=, = | Specifies whether the group is a security group. |
| security_identifier | text | Security identifier of the group, used in Windows scenarios. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| tags | jsonb | A map of tags for the resource. | |
| tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Tenant ID where the resource is located. |
| title | text | Title of the resource. | |
| visibility | text | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or Hiddenmembership. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureadYou can pass the configuration to the command with the --config argument:
steampipe_export_azuread --config '<your_config>' azuread_group