Table: azuread_user - Query Azure AD Users using SQL
Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service. It combines core directory services, application access management, and identity protection into a single solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory.
Table Usage Guide
The azuread_user
table provides insights into user profiles within Azure Active Directory. As a system administrator, explore user-specific details through this table, including user identities, user principal names, and associated metadata. Utilize it to uncover information about users, such as their display names, job titles, and the verification of user identities.
Examples
Basic info
Explore the basic information of users in your Azure Active Directory. This can be useful for understanding the user composition of your organization, including their display names, principal names, IDs, given names, and emails.
select display_name, user_principal_name, id, given_name, mailfrom azuread_user;
select display_name, user_principal_name, id, given_name, mailfrom azuread_user;
List guest users
Discover the segments that consist of guest users within your Azure Active Directory, allowing you to better manage and monitor these specific user accounts. This is particularly useful in maintaining security protocols and ensuring guest users have appropriate access permissions.
select display_name, user_principal_name, id, mailfrom azuread_userwhere user_type = 'Guest';
select display_name, user_principal_name, id, mailfrom azuread_userwhere user_type = 'Guest';
List disabled users
Discover the segments that consist of disabled user accounts within the Azure Active Directory. This can be useful in monitoring and managing user accessibility for security and compliance purposes.
select display_name, user_principal_name, id, mailfrom azuread_userwhere not account_enabled;
select display_name, user_principal_name, id, mailfrom azuread_userwhere account_enabled = 0;
List users with access to directory roles
Discover the segments that have access to directory roles to better manage permissions and security protocols. This is particularly useful for administrators seeking to optimize access control and understand user-role relationships.
select u.display_name as username, role.display_name as directory_rolefrom azuread_directory_role as role, jsonb_array_elements_text(member_ids) as m_id, azuread_user as uwhere u.id = m_id;
select u.display_name as username, role.display_name as directory_rolefrom azuread_directory_role as role, json_each(role.member_ids) as m_id, azuread_user as uwhere u.id = m_id.value;
List users with information of groups they are attached
Discover the segments that outline the association between users and groups in your Azure Active Directory. This query is useful for assessing user-group relationships, aiding in the management of access and permissions.
select grp.display_name as group_name, grp.id as group_id, u.display_name as username, u.user_principal_name as user_principal_name, u.id as user_idfrom azuread_group as grp, jsonb_array_elements_text(member_ids) as m_id, azuread_user as uwhere u.id = m_idorder by group_id, username;
select grp.display_name as group_name, grp.id as group_id, u.display_name as username, u.user_principal_name as user_principal_name, u.id as user_idfrom azuread_group as grp, json_each(grp.member_ids) as m_id, azuread_user as uwhere u.id = m_id.valueorder by group_id, username;
Query examples
- activedirectory_deprecated_user_with_owner_role_count
- activedirectory_directory_roles_for_activedirectory_user
- activedirectory_external_guest_user_count
- activedirectory_external_guest_user_with_owner_role_count
- activedirectory_group_members_attached
- activedirectory_group_owners
- activedirectory_groups_for_activedirectory_user
- activedirectory_user_1_year_count
- activedirectory_user_24_hours_count
- activedirectory_user_30_90_days_count
- activedirectory_user_30_days_count
- activedirectory_user_90_365_days_count
- activedirectory_user_age_table
- activedirectory_user_by_creation_month
- activedirectory_user_by_tenant
- activedirectory_user_by_user_type
- activedirectory_user_count
- activedirectory_user_input
- activedirectory_user_overview
- activedirectory_user_type
- activedirectory_user_with_custom_role_count
- activedirectory_users_for_activedirectory_group
- subscriptions_for_activedirectory_user
Control examples
- 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
- 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
- 1.1.11 Enable Conditional Access policies to block legacy authentication
- 1.1.13 Enable Azure AD Identity Protection sign-in risk policies
- 1.1.14 Enable Azure AD Identity Protection user risk policies
- 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.2 Ensure multifactor authentication is enabled for all users in administrative roles
- 1.1.2 Ensure multifactor authentication is enabled for all users in all roles
- 1.1.2 Ensure multifactor authentication is enabled for all users in all roles
- 1.1.21 Ensure 'Microsoft Azure Management' is limited to administrative roles
- 1.1.3 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.3 Ensure that between two and four global admins are designated
- 1.1.3 Ensure that between two and four global admins are designated
- 1.1.3 Ensure that between two and four global admins are designated
- 1.1.4 Ensure Guest Users are reviewed at least biweekly
- 1.1.4 Ensure multifactor authentication is enabled for all users
- 1.1.5 Ensure that password protection is enabled for Active Directory
- 1.1.5 Ensure that password protection is enabled for Active Directory
- 1.1.6 Enable Conditional Access policies to block legacy authentication
- 1.1.6 Enable Conditional Access policies to block legacy authentication
- 1.1.7 Ensure that between two and four global admins are designated
- 1.1.8 Enable Azure AD Identity Protection sign-in risk policies
- 1.1.8 Enable Azure AD Identity Protection sign-in risk policies
- 1.1.9 Enable Azure AD Identity Protection user risk policies
- 1.1.9 Enable Azure AD Identity Protection user risk policies
- 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
- 1.3 Ensure guest users are reviewed on a monthly basis
- 1.3 Ensure guest users are reviewed on a monthly basis
- 1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'
- 1.4 Ensure Guest Users Are Reviewed on a Regular Basis
- 1.4 Ensure Guest Users Are Reviewed on a Regular Basis
- 1.4 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire
- 1.5 Ensure Guest Users Are Reviewed on a Regular Basis
- 1.5 Ensure that Office 365 Passwords Are Not Set to Expire
- 3.1.1 Ensure Microsoft 365 audit log search is Enabled
- 5.1 Ensure Microsoft 365 audit log search is Enabled
- 5.1 Ensure Microsoft 365 audit log search is Enabled
- 5.14 Ensure Guest Users are reviewed at least biweekly
- 5.15 Ensure Guest Users are reviewed at least biweekly
- 5.15 Ensure Guest Users are reviewed at least biweekly
- 5.2 Ensure Microsoft 365 audit log search is Enabled
- 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
- 5.2.2.2 Ensure multifactor authentication is enabled for all users
- 5.2.2.3 Enable Conditional Access policies to block legacy authentication
- 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 5.2.2.6 Enable Azure AD Identity Protection user risk policies
- 5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies
- 5.2.2.8 Ensure 'Microsoft Azure Management' is limited to administrative roles
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- Ensure guest users are reviewed on a monthly basis
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- IAM users should not have built in contributor role
Schema for azuread_user
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
account_enabled | boolean | !=, = | True if the account is enabled; otherwise, false. |
created_date_time | timestamp with time zone | The time at which the user was created. | |
department | text | The name of the department in which the user works. | |
display_name | text | = | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. |
filter | text | = | Odata query to search for resources. |
given_name | text | The given name (first name) of the user. | |
id | text | = | The unique identifier for the user. Should be treated as an opaque identifier. |
im_addresses | jsonb | The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user. | |
text | The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. | ||
mail_nickname | text | The mail alias for the user. | |
member_of | jsonb | A list the groups and directory roles that the user is a direct member of. | |
on_premises_immutable_id | text | Used to associate an on-premises Active Directory user account with their Azure AD user object. | |
other_mails | jsonb | A list of additional email addresses for the user. | |
password_policies | text | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. | |
password_profile | jsonb | Specifies the password profile for the user. The profile contains the user’s password. This property is required when a user is created. | |
sign_in_sessions_valid_from_date_time | timestamp with time zone | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). | |
surname | text | = | Family name or last name of the active directory user. |
tenant_id | text | The Azure Tenant ID where the resource is located. | |
title | text | Title of the resource. | |
usage_location | text | A two letter country code (ISO standard 3166), required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. | |
user_principal_name | text | = | Principal email of the active directory user. |
user_type | text | = | A string value that can be used to classify user types in your directory. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azuread
You can pass the configuration to the command with the --config
argument:
steampipe_export_azuread --config '<your_config>' azuread_user