Azure AD schema of integration data

The integration data schema defines what data is imported within the Azure integration. In this section:

  • Account
    • On Creation or Update
    • Other account properties
  • Resource Types
    • Directory
    • Application
    • Other Resource Types
  • Permission Types
    • Application Role
    • License
    • Service Plan
    • Azure AD Group
    • Azure AD Dynamic Group
    • Azure AD Role
    • RBAC Role
    • RBAC Action
    • RBAC DataAction
    • AD Permission

Account

User objects are imported from Azure AD and displayed as Account objects in ObserveID. The attributes of the user are displayed as Additional Properties of the Account. There are two types of Additional Properties for Azure AD Accounts: built-in Additional Properties, which exist in Azure AD by default, and custom Additional Properties, which are created by the user in Azure AD. The account schema below describes only the built-in properties.

Some Additional Properties are required when an account is created, which usually reflects the requirements of the target system. Other Additional Properties are allowed, meaning they can be set on creation if needed. This information is shown in the On Creation column. Some Additional Properties can also be updated by the Identities Update workflow; whether an Additional Property can be updated is shown in the On Update column.

On Creation or Update

| Account Property | Type | Description | Provisioning Rules | On Creation | On Update |
| --- | --- | --- | --- | --- | --- |
| Name | String | The user principal name ([email protected]), an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. Target requirements: this property cannot contain accent characters. Only the following characters are allowed: A-Z, a-z, 0-9, ' . - _ ! # ^ ~. For the complete list of allowed characters, see username policies. | Set | Required | Required |
| Alternate Email | String | Additional email address for the user. | Set | Allowed | Allowed |
| Business Phones | String | Primary telephone number of the user's place of business. | Set | Allowed | Allowed |
| City | String | City in which the user is located. | Set | Allowed | Allowed |
| Company Name | String | Name of the user's company. | | Allowed | Allowed |
| Country | String | Country/region in which the user is located. Maximum length is 128 characters. | Set | Allowed | Allowed |
| Department | String | Name of the department in which the user works. | Set | Allowed | Allowed |
| Display Name | String | Name to display in Azure portal user management for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. Maximum length is 256 characters. | Set | Required | Required |
| E-Mail | String | Unique email address of the local account user in the directory. | Set | Allowed | Allowed |
| Employee ID | String | The employee identifier assigned to the user by the organization. Maximum length is 16 characters. | Set | Allowed | Allowed |
| Fax Number | String | Telephone number of the user's business fax machine. | Set | Allowed | Allowed |
| Given Name | String | Given name (first name) of the user. Maximum length is 64 characters. | Set | Allowed | Allowed |
| Job Title | String | User's job title. Maximum length is 128 characters. | Set | Allowed | Allowed |
| Mobile Phone | String | Primary cellular telephone number for the user. | Set | Allowed | Allowed |
| Office Location | String | Office location in the user's place of business. | Set | Allowed | Allowed |
| Postal Code | String | Postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. Maximum length is 40 characters. | Set | Allowed | Allowed |
| State | String | State or province in the user's address. | Set | Allowed | Allowed |
| Street Address | String | Street address of the user's place of business. | Set | Allowed | Allowed |
| Surname | String | User's surname (family name or last name). | Set | Allowed | Allowed |
| Usage Location | String | Two-letter country/region code (ISO standard 3166). Not nullable. Examples: "US", "JP", and "GB". Required for users that will be assigned licenses, because of the legal requirement to check the availability of services in countries/regions. | Set | Allowed | Allowed |
| User Type | String | User types in your directory. Options available: Member, or Read-only. | Set | Allowed | Allowed |
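The On Creation / On Update rules and the target requirements in the table above can be enforced before a provisioning request is sent. The following validator is an added example, not ObserveID's own code; the property names, maximum lengths and the UPN character set are taken from the table, while the set of verified domains is a constructed input.

```python
import re

# Rules taken from the "On Creation or Update" table above (constructed
# for this example): property -> (maximum length or None, required on create).
SCHEMA = {
    "Name": (None, True), "Display Name": (256, True),
    "Alternate Email": (None, False), "Business Phones": (None, False),
    "City": (None, False), "Company Name": (None, False),
    "Country": (128, False), "Department": (None, False),
    "E-Mail": (None, False), "Employee ID": (16, False),
    "Fax Number": (None, False), "Given Name": (64, False),
    "Job Title": (128, False), "Mobile Phone": (None, False),
    "Office Location": (None, False), "Postal Code": (40, False),
    "State": (None, False), "Street Address": (None, False),
    "Surname": (None, False), "Usage Location": (None, False),
    "User Type": (None, False),
}

# Characters the table allows in the user principal name alias.
UPN_ALIAS_RE = re.compile(r"^[A-Za-z0-9'.\-_!#^~]+$")


def validate_account(payload, operation, verified_domains):
    """Return a list of problems found in a create or update payload.

    payload maps account property names to string values; operation is
    "create" or "update"; verified_domains is the tenant's set of verified
    domain names (a constructed input here).
    """
    problems = []
    for prop in payload:
        if prop not in SCHEMA:
            problems.append(f"{prop}: not a provisionable built-in property")
    for prop, (max_len, required) in SCHEMA.items():
        value = payload.get(prop)
        if operation == "create" and required and not value:
            problems.append(f"{prop}: required on creation")
        # A required property may be changed on update but never cleared.
        if operation == "update" and required and prop in payload and not value:
            problems.append(f"{prop}: cannot be cleared on update")
        if value and max_len is not None and len(value) > max_len:
            problems.append(f"{prop}: exceeds maximum length of {max_len}")
    usage_location = payload.get("Usage Location")
    if usage_location and len(usage_location) != 2:
        problems.append("Usage Location: must be a two-letter ISO 3166 code")
    upn = payload.get("Name")
    if upn:
        alias, sep, domain = upn.partition("@")
        if not sep or not UPN_ALIAS_RE.match(alias):
            problems.append("Name: must be alias@domain using only the allowed characters")
        elif domain not in verified_domains:
            problems.append("Name: domain is not one of the tenant's verified domains")
    return problems
```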

Other account properties

Other account properties represent information that comes from the target 'as is'. They are neither set on creation nor updated by ObserveID.

| Account Property | Type | Description | Provisioning Rules | On Creation | On Update |
| --- | --- | --- | --- | --- | --- |
| Azure Account Status | String | The Account Enabled property of the Azure AD user. Allowed values: true and false. If the property is set to true on Azure, the Account Status is displayed as Enabled; if it is set to false, the Account Status is displayed as Disabled. | n/a | n/a | n/a |
| Age Group | String | Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult. | n/a | n/a | n/a |
| Consent Provided For Minor | String | Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired. | n/a | n/a | n/a |
| Creation Type | String | Indicates whether the user account was created through one of the following methods: as a regular school or work account (null); as an external account (Invitation); as a local account for an Azure Active Directory B2C tenant (LocalAccount); through self-service sign-up by an internal user using email verification (EmailVerified); through self-service sign-up by an external user signing up through a link that is part of a user flow (SelfServiceSignUp). | n/a | n/a | n/a |
| Employee Hire Date | DateTime | The date and time when the user was hired or, for a future hire, will start work. | n/a | n/a | n/a |
| Employee Type | String | Captures the enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. | n/a | n/a | n/a |
| Im Addresses | Strings | The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user. Read-only. | n/a | n/a | n/a |
| Is Resource Account | Boolean | Do not use; reserved for future use. | n/a | n/a | n/a |
| Issuer | String | Issuer of the user. There are two types of issuers: the local B2C tenant default domain name, or a social identity. | n/a | n/a | n/a |
| Last Password Change Date Time | DateTime | The time when this Azure AD user last changed their password or when their password was created, whichever is later. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | n/a | n/a | n/a |
| Legal Age Group Classification | String | Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated from the ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult and Adult. | n/a | n/a | n/a |
| Licenses | Strings | Indicates licenses that are directly assigned and those that the user has inherited through group memberships. Read-only. | n/a | n/a | n/a |
| Manager Email | String | Email address of the user's manager. | n/a | n/a | n/a |
| Manager ID | String | Organizational contact assigned as the user's manager. | n/a | n/a | n/a |
| MFA Enabled | Boolean | A true/false parameter. If true, MFA is enabled for the user; otherwise it is disabled. | n/a | n/a | n/a |
| On Premises Distinguished Name | String | Contains the on-premises Active Directory distinguished name (DN). The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. | n/a | n/a | n/a |
| On Premises Domain Name | String | Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. | n/a | n/a | n/a |
| On Premises Immutable Id | String | This property is used to associate an on-premises Active Directory user account with its Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property. NOTE: The $ and _ characters cannot be used when specifying this property. | n/a | n/a | n/a |
| On Premises Last Sync Date Time | String | Indicates the last time at which the object was synced with the on-premises directory; for example: 2013-02-16T03:04:54Z. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. | n/a | n/a | n/a |
| On Premises SamAccountName | String | Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. | n/a | n/a | n/a |
| On Premises Security Identifier | String | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Read-only. | n/a | n/a | n/a |
| On Premises Sync Enabled | Boolean | true if this user object is currently being synced from an on-premises Active Directory (AD); otherwise the user isn't being synced and can be managed in Azure Active Directory (Azure AD). Read-only. | n/a | n/a | n/a |
| On Premises User Principal Name | String | Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. | n/a | n/a | n/a |
| Other Mails | Strings | A list of additional email addresses for the user; for example: ["[email protected]", "[email protected]"]. NOTE: This property cannot contain accent characters. | n/a | n/a | n/a |
| Password Policies | String | Specifies password policies for the user. This value is an enumeration; one possible value is DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. | n/a | n/a | n/a |
| Preferred Data Locations | String | The preferred data location for the user. | n/a | n/a | n/a |
| Preferred Language | String | The preferred language for the user. Should follow the ISO 639-1 code; for example en-US. | n/a | n/a | n/a |
| Proxy Addresses | Strings | For example: ["SMTP: [email protected]", "smtp: [email protected]"]. The proxy address prefixed with SMTP (capitalized) is the primary proxy address, while those prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. Read-only in Microsoft Graph; you can update this property only through the Microsoft 365 admin center. Not nullable. | n/a | n/a | n/a |
| Security Identifier | String | Security identifier (SID) of the user, used in Windows scenarios. | n/a | n/a | n/a |
| Show In Address List | Boolean | Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. | n/a | n/a | n/a |
| Sign In Sessions Valid From Date Time | DateTime | Any refresh tokens or session tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or session token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. Read-only. | n/a | n/a | n/a |
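Because these properties arrive from the target as-is, they are mainly useful for review rather than provisioning. The script below is an added example, not ObserveID's code: it interprets the Azure Account Status, MFA Enabled, Password Policies and Proxy Addresses values as the table describes them, over constructed sample records, and lists enabled accounts whose controls are weakened.

```python
# Constructed sample of imported Account records, using the property names
# and value formats from the "Other account properties" table above.
IMPORTED_ACCOUNTS = [
    {"Name": "alice@contoso.example", "Azure Account Status": "true",
     "MFA Enabled": True, "Password Policies": None,
     "Proxy Addresses": ["SMTP:alice@contoso.example",
                         "smtp:a.example@contoso.example"]},
    {"Name": "svc-legacy@contoso.example", "Azure Account Status": "true",
     "MFA Enabled": False,
     "Password Policies": "DisablePasswordExpiration, DisableStrongPassword",
     "Proxy Addresses": ["smtp:legacy@contoso.example"]},
    {"Name": "bob@contoso.example", "Azure Account Status": "false",
     "MFA Enabled": False, "Password Policies": "DisablePasswordExpiration",
     "Proxy Addresses": []},
]


def account_status(record):
    """Map the Azure 'Account Enabled' value (the strings true/false)
    to the Enabled/Disabled label that ObserveID displays."""
    enabled = str(record.get("Azure Account Status")).lower() == "true"
    return "Enabled" if enabled else "Disabled"


def password_policies(record):
    """Split the comma-separated Password Policies enumeration into a set."""
    raw = record.get("Password Policies") or ""
    return {p.strip() for p in raw.split(",") if p.strip()}


def primary_smtp(record):
    """Return the primary proxy address (prefix 'SMTP:' in capitals), or None
    when the list has only secondary 'smtp:' addresses."""
    for addr in record.get("Proxy Addresses") or []:
        prefix, _, value = addr.partition(":")
        if prefix == "SMTP":
            return value.strip()
    return None


def review_accounts(records):
    """Return {Name: [findings]} for enabled accounts with weakened controls."""
    findings = {}
    for rec in records:
        if account_status(rec) != "Enabled":
            continue  # a disabled account cannot sign in; nothing to flag
        issues = []
        if not rec.get("MFA Enabled"):
            issues.append("MFA not enabled")
        policies = password_policies(rec)
        if "DisableStrongPassword" in policies:
            issues.append("weak passwords permitted (DisableStrongPassword)")
        if "DisablePasswordExpiration" in policies:
            issues.append("password never expires (DisablePasswordExpiration)")
        if rec.get("Proxy Addresses") and primary_smtp(rec) is None:
            issues.append("no primary SMTP proxy address")
        if issues:
            findings[rec["Name"]] = issues
    return findings
```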

Resource Types

Resource objects are imported from Azure AD and displayed as Resources in ObserveID. The attributes of the resource type that a specific resource belongs to are displayed as Additional Properties of the Resource.

Directory

| Resource Property | Type | Description |
| --- | --- | --- |
| ResourceId | String | The unique identifier of the resource. |
| Domain Name | String | The registered domain name established for the Azure AD directory. One domain name can only be established in one directory. |

Application

| Resource Property | Type | Description |
| --- | --- | --- |
| App Id | String | The unique identifier for the application that is assigned to an application by Azure AD. |
| Created Date Time | DateTime | The date and time the application was registered. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. |
| Default Redirect URL | String | |
| Description | String | Free text field to provide a description of the application object to end users. |
| Disabled By Microsoft Status | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). |
| Extension Properties | String | |
| Identifier Uris | Strings | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. |
| Is Device Only Auth Supported | Boolean | Specifies whether this application supports device authentication without a user. The default is false. |
| Is Fallback Public Client | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client, such as a web app. |
| Logo URL | String | |
| Marketing URL | String | |
| Privacy Statement URL | String | |
| Publisher Domain | String | The verified publisher domain for the application. Read-only. |
| Sign In Audience | String | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount. |
| Support URL | String | |
| Terms of Service URL | String | |
| Unique Name | String | |

Other Resource Types

There are other resource types that can be imported from the Azure AD target if available, attributed with additional properties if any. Below is an example list of the resource types extracted.

  • microsoft.compute/disks
  • microsoft.network/publicipaddresses
  • microsoft.compute/sshpublickeys
  • microsoft.network/virtualnetworks
  • microsoft.compute/virtualmachines
  • microsoft.portal/dashboards
  • microsoft.compute/virtualmachines/extensions
  • microsoft.sql/servers
  • microsoft.dbforpostgresql/servers
  • microsoft.storage/storageaccounts
  • microsoft.insights/components
  • microsoft.web/sites
  • microsoft.network/networkinterfaces
  • microsoft.resources/subscriptions
  • microsoft.network/networksecuritygroups
  • microsoft.sql/servers/databases
  • microsoft.network/networkwatchers
  • microsoft.resources/subscriptions/resourcegroups

Permission Types

Permission objects are imported from Azure AD and displayed as Permissions in ObserveID. The attributes of the permission type that a specific permission belongs to are displayed as Additional Properties of the Permission.

Application Role

Represents an application role that can be requested by (and granted to) a client application, or that can be used to assign an application to users or groups in a specified role.

| Permission Property | Type | Description |
| --- | --- | --- |
| Allowed Member Types | Strings | Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other applications (by setting to ["Application"]), or both (by setting to ["User", "Application"]). |
| Description | String | The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences. |
| Origin | String | Specifies whether the app role is defined on the application object or on the servicePrincipal entity. Read-only. |
| Values | String | Specifies the value of the roles claim that the application should expect in the token. The value should exactly match the string referenced in the application's code. The value can't contain spaces. |

License

A service SKU that a company is subscribed to.

| Permission Property | Type | Description |
| --- | --- | --- |
| Azure Name | String | The string ID used by PowerShell v1.0 cmdlets when performing operations on licenses, or by the skuPartNumber property of the subscribedSku Microsoft Graph API. |
| License Warnings | Long | The number of units that are in warning status. When the subscription of the service SKU has expired, the customer has a grace period to renew their subscription before it is cancelled (moved to a suspended state). |
| Licenses Active | Long | The number of units that are enabled for the active subscription of the service SKU. |
| Licenses Consumed | Long | The number of licenses that have been assigned. |
| Licenses Suspended | Long | The number of units that are suspended because the subscription of the service SKU has been cancelled. The units cannot be assigned but can still be reactivated before they are deleted. |

Service Plan

A service plan associated with a subscribed SKU.

| Permission Property | Type | Description |
| --- | --- | --- |
| Azure Name | String | The name of the service plan. |

Azure AD Group

Represents an Azure Active Directory (Azure AD) group, which can be a Microsoft 365 group or a security group.

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the group. |
| Created Date Time | DateTime | Timestamp of when the group was created. |
| Mail Nickname | String | Unique alias of the group email. |
| Group Type | String | Microsoft 365 group or Security group. |
| E-Mail | String | SMTP address of the group email. |
| Membership Type | String | DynamicMembership or Assigned membership. |
| Is Assignable To Role | Boolean | Indicates whether the group can be assigned to an Azure Active Directory role. |
| ResourceId | String | The unique identifier of the group. |

Azure AD Dynamic Group

Microsoft 365 and security groups can have dynamic membership rules that automatically add or remove members from the group based on the principal's properties.

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the group. |
| Created Date Time | DateTime | Timestamp of when the group was created. |
| Mail Nickname | String | Unique alias of the group email. |
| Group Type | String | Microsoft 365 group or Security group. |
| E-Mail | String | SMTP address of the group email. |
| Membership Type | String | DynamicMembership or Assigned membership. |
| Dynamic Group Membership Rule | String | Rule that determines the members of the dynamic group. |
| Dynamic Group Membership Rule Processing State | String | Indicates whether dynamic membership processing is active or paused. Possible values are On or Paused. |
| Is Assignable To Role | Boolean | Indicates whether the group can be assigned to an Azure Active Directory role. |
| ResourceId | String | The unique identifier of the group. |

Azure AD Role

Represents an Azure AD directory role. Azure AD directory roles are also known as administrator roles.

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the role. |
| Role Type | String | Indicates whether it is a custom or built-in role. |
| Template ID | String | Optional parameter indicating whether the role has been created from a template. |
| ResourceId | String | The unique identifier of the role. |

RBAC Role

A collection of permissions in Azure Active Directory (Azure AD) listing the operations that can be performed and the resources against which they can be performed.

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the role. |
| Role Type | String | Indicates whether it is a custom or built-in role. |
| ResourceId | String | The unique identifier of the role. |

RBAC Action

The Actions permission specifies the control plane actions that the role allows to be performed. It is a collection of strings that identify securable actions of Azure resource providers. Actions are specified as strings in the following format: {Company}.{ProviderName}/{resourceType}/{action}

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the permission. |

RBAC DataAction

The DataActions permission specifies the data plane actions that the role allows to be performed on the data within that object.

| Permission Property | Type | Description |
| --- | --- | --- |
| Description | String | Description of the permission. |
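The action-string format described under RBAC Action, and the control plane / data plane split between RBAC Action and RBAC DataAction, can be worked through in code. The following is an added example, not ObserveID's code: it parses {Company}.{ProviderName}/{resourceType}/{action} strings and evaluates a constructed role definition the way Azure RBAC does (Actions minus NotActions, with `*` as a wildcard and case-insensitive comparison), so that an imported role's effective permissions on the resource types listed above can be checked.

```python
import re


def parse_action(action_string):
    """Split an RBAC action string of the form
    {Company}.{ProviderName}/{resourceType}/{action} into its parts.
    Nested resource types (a/b) are kept as one resourceType segment."""
    parts = action_string.split("/")
    if len(parts) < 3 or "." not in parts[0]:
        raise ValueError(f"not a well-formed action string: {action_string!r}")
    company, _, provider = parts[0].partition(".")
    return {
        "company": company,
        "provider": provider,
        "resource_type": "/".join(parts[1:-1]),
        "action": parts[-1],
    }


def _matches(pattern, operation):
    # Azure RBAC treats '*' in a pattern as a wildcard for any run of
    # characters and compares operation strings case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def effective_permission(role, operation, data_plane=False):
    """Return True if the role grants the operation.

    Control plane operations are checked against Actions minus NotActions;
    data plane operations against DataActions minus NotDataActions. The
    subtraction is how Azure RBAC computes a role's effective permissions.
    """
    allow_key, deny_key = (("DataActions", "NotDataActions") if data_plane
                           else ("Actions", "NotActions"))
    allowed = any(_matches(p, operation) for p in role.get(allow_key, []))
    denied = any(_matches(p, operation) for p in role.get(deny_key, []))
    return allowed and not denied


# Constructed sample role (not a real built-in role): full control plane
# access to VMs except their extensions, no deletes anywhere, read access
# to network interfaces, and one data plane action on blob data.
SAMPLE_ROLE = {
    "Name": "VM Operator (constructed)",
    "Actions": ["Microsoft.Compute/virtualMachines/*",
                "Microsoft.Network/networkInterfaces/read"],
    "NotActions": ["Microsoft.Compute/virtualMachines/extensions/*",
                   "*/delete"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
}
```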

AD Permission

| Permission Property | Type | Description |
| --- | --- | --- |
| ID | String | Permission name following the pattern resource.operation.constraint. For example, User.Read grants permission to read the profile of the signed-in user. |