Table: azuread_service_principal - Query Azure Active Directory Service Principals using SQL
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It lets your employees sign in and access resources, both internal ones and external ones such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications. Service Principals in Azure AD are the security identities that user-created apps, services, and automation tools use to access specific Azure resources.
Table Usage Guide
The azuread_service_principal table provides insights into Service Principals within Azure Active Directory. As a security analyst or a DevOps engineer, explore details about the service principals through this table, including their roles, permissions, and other related information. Utilize it to uncover details about the service principals, such as their associated applications, permissions, and the roles they play in your Azure environment.
Examples
Basic info
Explore the relationship between display names and application names in your Azure Active Directory. This can be useful in understanding how your applications are connected and organized within the directory.
select
  display_name,
  id,
  app_display_name
from
  azuread_service_principal;
List disabled service principals
Uncover the details of disabled service principals within your Azure Active Directory. This is useful in ensuring that disabled accounts are not posing a security risk or cluttering your system.
PostgreSQL:

select
  display_name,
  id
from
  azuread_service_principal
where
  not account_enabled;

SQLite:

select
  display_name,
  id
from
  azuread_service_principal
where
  account_enabled = 0;
List service principals related to applications
Explore which service principals are backed by applications registered in your own tenant (as opposed to multi-tenant apps owned by another organization). This can be useful to determine which of your applications have active accounts, aiding in both security and account management.
select
  id,
  app_display_name,
  account_enabled
from
  azuread_service_principal
where
  service_principal_type = 'Application'
  and tenant_id = app_owner_organization_id;
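The following query is an added example and is not part of the Steampipe documentation. It extends the application filter above into a posture review of tenant-owned, enabled application service principals, flagging those that any user in the tenant can sign in to (app_role_assignment_required is false) or that have no owners, and counting the secrets and certificates attached to each. It assumes PostgreSQL syntax (Steampipe's native engine) and that owner_ids, password_credentials and key_credentials are JSON arrays, as the schema below describes, so jsonb_array_length() returns their sizes.

```sql
-- Added example, not from the Steampipe docs: posture review of
-- tenant-owned, enabled application service principals.
-- Assumes PostgreSQL and that owner_ids, password_credentials and
-- key_credentials are jsonb arrays (null when the API returns nothing).
select
  display_name,
  app_id,
  app_role_assignment_required,
  coalesce(jsonb_array_length(owner_ids), 0)            as owner_count,
  coalesce(jsonb_array_length(password_credentials), 0) as secret_count,
  coalesce(jsonb_array_length(key_credentials), 0)      as certificate_count
from
  azuread_service_principal
where
  service_principal_type = 'Application'
  and tenant_id = app_owner_organization_id
  and account_enabled
  and (
    -- any user in the tenant can sign in or obtain a token for the app
    not app_role_assignment_required
    -- nobody is accountable for the app's configuration and credentials
    or coalesce(jsonb_array_length(owner_ids), 0) = 0
  )
order by
  owner_count,
  display_name;
```

A service principal that appears with owner_count = 0 and a non-zero secret_count is worth following up on: its credentials cannot be rotated or revoked by a designated owner, so a tenant administrator has to do it.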
Schema for azuread_service_principal
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_enabled | boolean | !=, = | true if the service principal account is enabled; otherwise, false. |
add_ins | jsonb | | Defines custom behavior that a consuming service can use to call an app in specific contexts. |
alternative_names | jsonb | | Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. |
app_description | text | | The description exposed by the associated application. |
app_display_name | text | | The display name exposed by the associated application. |
app_id | text | | The unique identifier for the associated application (its appId property). |
app_owner_organization_id | text | | Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications. |
app_role_assignment_required | boolean | | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false. |
app_roles | jsonb | | The roles exposed by the application which this service principal represents. |
description | text | | Free text field to provide an internal end-user facing description of the service principal. |
display_name | text | = | The display name for the service principal. |
id | text | = | The unique identifier for the service principal. |
info | jsonb | | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. |
key_credentials | jsonb | | The collection of key credentials associated with the service principal. |
login_url | text | | Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. |
logout_url | text | | Specifies the URL that will be used by Microsoft's authorization service to log out a user using OpenId Connect front-channel, back-channel or SAML logout protocols. |
notification_email_addresses | jsonb | | Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. |
oauth2_permission_scopes | jsonb | | The published permission scopes. |
owner_ids | jsonb | | Ids of the owners of the application. The owners are a set of non-admin users who are allowed to modify this object. |
password_credentials | jsonb | | Represents the password credentials associated with a service principal. |
reply_urls | jsonb | | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. |
service_principal_names | jsonb | | Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD. |
service_principal_type | text | = | Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally. |
sign_in_audience | text | | Specifies the Microsoft accounts that are supported for the current application. Supported values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | Custom strings that can be used to categorize and identify the service principal. |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Tenant ID where the resource is located. |
title | text | | Title of the resource. |
Export
This table is also available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread
You can pass the configuration to the command with the --config argument:
steampipe_export_azuread --config '<your_config>' azuread_service_principal