turbot/microsoft365
steampipe plugin install microsoft365

Microsoft 365 + Steampipe

Microsoft 365 is a suite of cloud-based productivity and collaboration applications that integrates all of Microsoft's existing online applications (Outlook, People, etc.).

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example:

select
  subject,
  online_meeting_url,
  start_time,
  end_time
from
  microsoft365_calendar_event
where
  user_id = 'test@org.onmicrosoft.com'
  and start_time >= current_date
  and end_time <= (current_date + interval '1 day');
+----------------+--------------------------------------+---------------------------+---------------------------+
| subject | online_meeting_url | start_time | end_time |
+----------------+--------------------------------------+---------------------------+---------------------------+
| Weekly Meeting | https://meet.google.com/xxx-yyyy-zzz | 2022-08-03T08:00:00+05:30 | 2022-08-03T08:30:00+05:30 |
+----------------+--------------------------------------+---------------------------+---------------------------+

Documentation

Get started

Install

Download and install the latest Microsoft 365 plugin:

steampipe plugin install microsoft365

Credentials

Item: Description

Credentials: Use the az login command to set up your Default Connection.

Permissions: Grant the following permissions to your user:
  • Calendars.Read
  • Files.Read.All
  • Group.Read.All
  • Mail.Read
  • MailboxSettings.Read
  • SharePointTenantSettings.Read.All
  • Team.ReadBasic.All
  • TeamMember.Read.All
  • User.Read.All

Radius: Each connection represents a single Azure Tenant.

Resolution:
  1. Credentials explicitly set in a steampipe config file (~/.steampipe/config/microsoft365.spc).
  2. Credentials specified in environment variables, e.g. AZURE_TENANT_ID.

    Configuration

    Installing the latest microsoft365 plugin will create a config file (~/.steampipe/config/microsoft365.spc) with a single connection named microsoft365:

    connection "microsoft365" {
      plugin = "microsoft365"

      # User's ID or email used with the microsoft365_my_* tables
      # Not required if using Azure CLI authentication
      # user_id = "test@org.domain.com"

      # Defaults to "AZUREPUBLICCLOUD". Valid environments are "AZUREPUBLICCLOUD", "AZURECHINACLOUD" and "AZUREUSGOVERNMENTCLOUD"
      # environment = "AZUREPUBLICCLOUD"

      # You can connect to Azure using one of options below:

      # Use client secret authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)
      # tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
      # client_id = "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
      # client_secret = "ZZZZZZZZZZZZZZZZZZZZZZZZ"

      # Use client certificate authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate)
      # tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
      # client_id = "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
      # certificate_path = "~/home/azure_cert.pem"
      # certificate_password = "notreal~pwd"

      # Use a managed identity (https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
      # This method is useful with Azure virtual machines
      # tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
      # client_id = "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
      # enable_msi = true
      # msi_endpoint = "http://169.254.169.254/metadata/identity/oauth2/token"

      # If no credentials are specified, the plugin will use Azure CLI authentication
    }

    By default, all options are commented out in the default connection, thus Steampipe will resolve your credentials using the same order as mentioned in Credentials. This provides a quick way to get started with Steampipe, but you will probably want to customize your experience using configuration options for querying multiple tenants, configuring credentials from your Azure CLI, Client Certificate, etc.

    Configuring Microsoft 365 Credentials

    The Microsoft 365 plugin supports multiple formats and authentication mechanisms, which are tried in the following order:

    1. Client Secret Credentials if set; otherwise
    2. Client Certificate Credentials if set; otherwise
    3. Azure Managed System Identity (useful with virtual machines) if set; otherwise
    4. If no credentials are supplied, then the az cli credentials are used

    Client Secret Credentials

    You may specify the tenant ID, client ID, and client secret to authenticate:

    • tenant_id: Specify the tenant to authenticate with.
    • client_id: Specify the app client ID to use.
    • client_secret: Specify the app secret to use.

    connection "microsoft365_via_sp_secret" {
      plugin        = "microsoft365"
      tenant_id     = "00000000-0000-0000-0000-000000000000"
      client_id     = "00000000-0000-0000-0000-000000000000"
      client_secret = "my plaintext password"
    }

    Client Certificate Credentials

    You may specify the tenant ID, client ID, certificate path, and certificate password to authenticate:

    • tenant_id: Specify the tenant to authenticate with.
    • client_id: Specify the app client ID to use.
    • certificate_path: Specify the certificate path to use.
    • certificate_password: Specify the certificate password to use.

    connection "microsoft365_via_sp_cert" {
      plugin               = "microsoft365"
      tenant_id            = "00000000-0000-0000-0000-000000000000"
      client_id            = "00000000-0000-0000-0000-000000000000"
      certificate_path     = "path/to/file.pem"
      certificate_password = "my plaintext password"
    }

    Azure Managed Identity

    Steampipe works with managed identities (formerly known as Managed Service Identity), provided it is running in Azure, e.g., on a VM. All configuration is handled by Azure. See Azure Managed Identities for more details.

    • enable_msi: Specify true to use managed identity credentials.
    • tenant_id: Specify the tenant to authenticate with.
    • client_id: Specify the app client ID of managed identity to use.
    • msi_endpoint: Specify the MSI endpoint to connect to, otherwise use the default Azure Instance Metadata Service (IMDS) endpoint.

    connection "microsoft365_msi" {
      plugin       = "microsoft365"
      tenant_id    = "00000000-0000-0000-0000-000000000000"
      client_id    = "00000000-0000-0000-0000-000000000000"
      enable_msi   = true
      msi_endpoint = "http://169.254.169.254/metadata/identity/oauth2/token"
    }

    Azure CLI

    If no credentials are specified and the SDK environment variables are not set, the plugin will use the active credentials from the az cli. You can run az login to set up these credentials.

    connection "microsoft365" {
      plugin = "microsoft365"
    }

    Credentials from Environment Variables

    The Microsoft 365 plugin will use the standard Azure environment variables to obtain credentials only if other arguments (tenant_id, client_id, client_secret, certificate_path, etc.) are not specified in the connection:

    export AZURE_TENANT_ID="00000000-0000-0000-0000-000000000000"
    export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD" # Defaults to "AZUREPUBLICCLOUD". Valid environments are "AZUREPUBLICCLOUD", "AZURECHINACLOUD" and "AZUREUSGOVERNMENTCLOUD"
    export AZURE_CLIENT_ID="00000000-0000-0000-0000-000000000000"
    export AZURE_CLIENT_SECRET="my plaintext secret"
    export AZURE_CERTIFICATE_PATH=path/to/file.pem
    export AZURE_CERTIFICATE_PASSWORD="my plaintext password"

    connection "microsoft365" {
      plugin = "microsoft365"
    }
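
The resolution order described under Configuring Microsoft 365 Credentials can be checked against a config file before it is deployed. The following is an added example, not part of the plugin or its documentation: it parses connection blocks from a .spc file, reports which method each connection would select, and lists the secret arguments stored in plaintext. It assumes a method counts as "set" when its distinguishing argument (client_secret, certificate_path, or enable_msi = true) is present and uncommented; the function names, the sample config and the env_vars_or_az_cli label are constructed for illustration.

```python
import re

# Constructed sample config (not from the page), one block per documented method.
SAMPLE_SPC = '''
connection "m365_secret" {
  client_id     = "00000000-0000-0000-0000-000000000000"
  client_secret = "constructed-secret"
}
connection "m365_cert" {
  certificate_path     = "path/to/file.pem"
  certificate_password = "constructed-password"
  enable_msi           = true
}
connection "m365_msi" {
  enable_msi = true
  # client_secret = "commented out, so ignored"
}
connection "m365_default" {
  plugin = "microsoft365"
}
'''

BLOCK = re.compile(r'connection\s+"([^"]+)"\s*\{(.*?)\n\s*\}', re.S)
ARG = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
SECRET_ARGS = ("client_secret", "certificate_password")

def parse_connections(text):
    """Return {connection name: {argument: value}}, ignoring commented-out lines."""
    conns = {}
    for name, body in BLOCK.findall(text):
        # Simplification: everything after '#' on a line is treated as a comment.
        pairs = (ARG.match(line.split("#", 1)[0]) for line in body.splitlines())
        conns[name] = {m.group(1): m.group(2).strip('"') for m in pairs if m}
    return conns

def resolve_method(args):
    """Apply the documented order: secret, certificate, managed identity, fallback."""
    if "client_secret" in args:
        return "client_secret"
    if "certificate_path" in args:
        return "client_certificate"
    if args.get("enable_msi") == "true":
        return "managed_identity"
    return "env_vars_or_az_cli"  # hypothetical label for the last two sources

def audit(text):
    """Return {name: (method, [secret arguments stored in plaintext])}."""
    return {name: (resolve_method(a), [k for k in SECRET_ARGS if k in a])
            for name, a in parse_connections(text).items()}
```

In the sample, m365_cert resolves to the certificate method even though enable_msi is also true, because the certificate method comes earlier in the documented order.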

    Postgres FDW

    This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

    You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_postgres_installer.sh script:

    /bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- microsoft365

    The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.

    To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

    CREATE EXTENSION IF NOT EXISTS steampipe_postgres_microsoft365;
    CREATE SERVER steampipe_microsoft365 FOREIGN DATA WRAPPER steampipe_postgres_microsoft365 OPTIONS (config '<your_config>');
    CREATE SCHEMA microsoft365;
    IMPORT FOREIGN SCHEMA microsoft365 FROM SERVER steampipe_microsoft365 INTO microsoft365;

    SQLite Extension

    This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

    You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_sqlite_installer.sh script:

    /bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- microsoft365

    The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

    To configure the SQLite extension, load the extension module and then run the steampipe_configure_microsoft365 function to configure it with plugin-specific options.

    $ sqlite3
    sqlite> .load ./steampipe_sqlite_extension_microsoft365.so
    sqlite> select steampipe_configure_microsoft365('<your_config>');

    Export

    This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

    You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

    /bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- microsoft365

    You can pass the configuration to the command with the --config argument:

    steampipe_export_microsoft365 --config '<your_config>' <table_name>