Publisher: Splunk
Connector Version: 1.3.0
Product Vendor: Microsoft
Product Name: MS Graph for Active Directory
Product Version Supported (regex): ".*"
Minimum Product Version: 6.0.2
Connects to Microsoft Active Directory using MS Graph REST API services to support various generic and investigative actions
This app requires creating a Microsoft Azure application. To do so, navigate to https://portal.azure.com in a browser, log in with a Microsoft account, then select Azure Active Directory.
- Go to App Registrations and click + New registration.
- Give the app an appropriate name.
- Select a supported account type (configure the application to be multitenant).
- Click Register.
- Under Certificates & secrets, add a New client secret. Record the secret value somewhere secure immediately: it cannot be retrieved after the window is closed.
- Under Redirect URIs, enter https://phantom.local as a placeholder. This entry will later be updated to the actual redirect URI, which is obtained from the SOAR asset created below in the section titled "Configure the MS Graph for Active Directory SOAR app Asset".
Use this procedure to grant the app delegated (non-admin) permissions. Navigate to https://portal.azure.com in a browser, log in with a Microsoft account, then open the app registration created above.
- Under API Permissions, click Add a permission.
- Go to Microsoft Graph Permissions; the following Delegated Permissions need to be added:
- User.ReadWrite.All
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
- User.ManageIdentities.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- offline_access
- Click Add permissions.
- After making these changes, click Grant admin consent. These delegated permissions are all admin-restricted, so the consent step cannot be skipped.
Use this procedure to grant the app application (admin) permissions. Navigate to https://portal.azure.com in a browser, log in with a Microsoft account, then open the app registration created above.
- Under API Permissions, click Add a permission.
- Go to Microsoft Graph Permissions; the following Application Permissions need to be added:
- User.ReadWrite.All
- Directory.ReadWrite.All
- User.ManageIdentities.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- Click Add permissions.
- After making these changes, click Grant admin consent.
When creating an asset for the MS Graph for Active Directory app, place the Application ID of the app created in the previous step in the Client ID field and the client secret generated during app creation in the Client Secret field. Then fill in the Tenant field and click SAVE.
After saving, a new field appears in the Asset Settings tab. Take the URL found in the POST incoming for MS Graph to this location field, append /result to it, and place the result in the Redirect URIs field of the Azure application configuration page. The URL should look something like:
https://<phantom_host>/rest/handler/msgraphforactivedirectory_f2a239df-acb2-47d6-861c-726a435cfe76/<asset_name>/result
Once again, click Save. The redirect URI registered in Azure must match this value exactly (scheme, host, path and the /result suffix), otherwise the consent step fails.
If you have received admin consent to use application permissions, check both the Admin Access Required and Admin Consent Already Provided checkboxes on the asset.
To complete the authorization process, the app needs permission to view assets, which is not granted by default. First, under Asset Settings, check which user is listed under Select a user on behalf of which automated actions can be executed. By default this user is automation, but it can be changed by clicking EDIT at the bottom of the window. To give this user permission to view assets, follow these steps:
- In the main drop-down menu, select Administration, then User Management, and under that tab select Roles. Finally, click + ROLE.
- In the Add Role wizard, give the role a name (e.g. Asset Viewer) and a description. Under Available Users, add the user assigned to the asset as found above. Then click the Permissions tab.
- On the Permissions tab, under Available Privileges, give the role the View Assets privilege. Then click SAVE.
After setting up the asset and user, click the TEST CONNECTIVITY button. A window pops up and displays a URL. Open this URL in a separate browser tab; it redirects to a Microsoft login page. Log in with a Microsoft account that has administrator privileges in the Microsoft AD environment. After logging in, review the requested permissions, then click Accept. Finally, close that tab. The test connectivity window should show success.
The app should now be ready to use.
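As an added illustration of what the setup above configures (example code written for this page, not the connector's own source), the two Microsoft identity platform v2.0 token flows that correspond to the two permission sets, plus a check of the redirect URI shape. The mapping of Admin Access Required to the client-credentials grant, and the function and parameter names, are my reading of the public v2.0 endpoints rather than something the page states; APP_ID is the app identifier taken from the redirect URI shown above, and the tenant, client and host values in the demo are placeholders.

```python
# Added example for this page: the identity platform v2.0 requests behind delegated
# (authorization code + refresh token) and application (client credentials) access.
# Not the connector's code; parameter names follow the public v2.0 endpoints.
from urllib.parse import urlencode, urlparse

LOGIN = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # "every Graph permission consented to"
APP_ID = "f2a239df-acb2-47d6-861c-726a435cfe76"         # from the redirect URI on this page


def authorize_url(tenant, client_id, redirect_uri, state):
    """Delegated flow, step 1: the URL TEST CONNECTIVITY shows, which an administrator
    opens to sign in and consent.  offline_access is what yields the refresh token the
    app needs to keep working after the browser tab is closed."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"offline_access {GRAPH_SCOPE}",
        "state": state,   # opaque value the client verifies on return (standard OAuth CSRF guard)
    }
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(tenant, client_id, client_secret, admin_access_required,
                  code=None, redirect_uri=None, refresh_token=None):
    """Return (url, form_body) for POST {LOGIN}/{tenant}/oauth2/v2.0/token.

    admin_access_required=True : client_credentials grant.  Uses the *application*
        permissions; no user is involved and no refresh token is issued.
    admin_access_required=False: authorization_code grant on first run (after the admin
        consents), refresh_token grant afterwards.  Uses *delegated* permissions, so
        actions run with no more rights than the consenting user has.
    """
    url = f"{LOGIN}/{tenant}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret}
    if admin_access_required:
        body.update(grant_type="client_credentials", scope=GRAPH_SCOPE)
    elif refresh_token:
        body.update(grant_type="refresh_token", refresh_token=refresh_token,
                    scope=f"offline_access {GRAPH_SCOPE}")
    elif code and redirect_uri:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri, scope=f"offline_access {GRAPH_SCOPE}")
    else:
        raise ValueError("delegated access needs an authorization code or a refresh token")
    return url, body


def redirect_uri_ok(uri, phantom_host, asset_name):
    """Entra ID compares redirect URIs exactly, so http://, a trailing slash, or a
    missing /result suffix fails the consent step with a redirect_uri mismatch."""
    expected_path = f"/rest/handler/msgraphforactivedirectory_{APP_ID}/{asset_name}/result"
    p = urlparse(uri)
    return p.scheme == "https" and p.netloc == phantom_host and p.path == expected_path


if __name__ == "__main__":
    # Placeholder tenant/client/host values; nothing here contacts Microsoft.
    uri = f"https://soar.example.com/rest/handler/msgraphforactivedirectory_{APP_ID}/ms_graph_ad/result"
    print("redirect URI well-formed:", redirect_uri_ok(uri, "soar.example.com", "ms_graph_ad"))
    print(authorize_url("contoso.onmicrosoft.com", "<client id>", uri, "n0nce"))
    print(token_request("contoso.onmicrosoft.com", "<client id>", "<client secret>", True))
```

The practical difference between the two modes is who bounds the app's reach: with application permissions the app acts as itself under whatever was consented, while with delegated permissions every action is also limited by the rights of the administrator who completed the consent step, which is why that step asks for an administrator account.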
Please check the permissions for the state file as mentioned below.
- For Root Install Instance: /opt/phantom/local_data/app_states/f2a239df-acb2-47d6-861c-726a435cfe76/{asset_id}_state.json
- For Non-Root Install Instance: /<PHANTOM_HOME_DIRECTORY>/local_data/app_states/f2a239df-acb2-47d6-861c-726a435cfe76/{asset_id}_state.json
- File Rights: rw-rw-r-- (664) (The SOAR user should have read and write access for the state file)
- File Owner: appropriate SOAR user
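A small check for the requirement above, added here as example code (not part of the connector). It assumes the state file holds the app's saved authorization state, so the point of the check is as much keeping other local users out (no world-write) as letting the SOAR user in (owner read and write). The demo runs against a throwaway file it creates itself; the path, contents and owner names are constructed.

```python
# Added example for this page: verify the state file's mode and owner before running
# TEST CONNECTIVITY.  Not connector code.  The expected mode (rw-rw-r--, 664) is the
# one the page requires.
import os
import pwd
import stat
import tempfile

EXPECTED_MODE = 0o664


def owner_name(uid):
    """Name for a uid, falling back to the number when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_state_file(path, soar_user):
    """Return a list of findings; an empty list means the file is as the page requires."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"world-writable ({oct(mode)}): any local user could replace the saved state")
    elif mode & ~EXPECTED_MODE:
        findings.append(f"mode {oct(mode)} grants more than rw-rw-r-- (664)")
    if (mode & (stat.S_IRUSR | stat.S_IWUSR)) != (stat.S_IRUSR | stat.S_IWUSR):
        findings.append(f"owner lacks read+write ({oct(mode)}); the app cannot persist its state")
    owner = owner_name(st.st_uid)
    if owner != soar_user:
        findings.append(f"owner is {owner}, expected {soar_user}")
    return findings


def demo():
    """Run the check against a constructed temporary file, not a real SOAR state file.
    Returns (findings for a correct file, findings for a 666 file, findings for a
    wrong-owner check on that same file)."""
    me = owner_name(os.getuid())
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "1_state.json")
        with open(path, "w") as fh:
            fh.write("{}")                       # placeholder content
        os.chmod(path, 0o664)
        correct = check_state_file(path, me)
        os.chmod(path, 0o666)
        loose = check_state_file(path, me)
        wrong_owner = check_state_file(path, "someone-else")
    return correct, loose, wrong_owner


if __name__ == "__main__":
    for label, result in zip(("664/right owner", "666", "wrong owner"), demo()):
        print(label, "->", result or "OK")
```

On a real install, point check_state_file at the path listed above for your install type and pass the user the SOAR service runs as.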
The app uses HTTPS to communicate with the Microsoft Graph service. The default port used by the Splunk SOAR Connector is listed below.
| Service Name | Transport Protocol | Port |
|---|---|---|
| https | tcp | 443 |
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a MS Graph for Active Directory asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| tenant_id | required | string | Tenant (Tenant ID or Tenant Name) |
| client_id | required | string | Application ID |
| client_secret | required | password | Client Secret |
| region | optional | string | Microsoft AD Region |
| admin_access_required | optional | boolean | Admin Access Required |
| admin_access_granted | optional | boolean | Admin Consent Already Provided |
test connectivity - Use supplied credentials to generate a token with MS Graph
list users - Get a list of users
reset password - Reset or set a user's password in a Microsoft AD environment
disable tokens - Invalidate all active refresh tokens for a user in a Microsoft AD environment
enable user - Enable a user
disable user - Disable a user
list user devices - List devices for a specified user
list user attributes - List attributes for all or a specified user
set user attribute - Set an attribute for a user
remove user - Remove a user from a specified group
add user - Add a user to a specified group
list groups - List groups in the organization
get group - Get information about a group
list group members - List the members in a group
validate group - Returns true if a user is in a group; otherwise, false
list directory roles - List the directory roles that are activated in the tenant
generate token - Generate a token
Use supplied credentials to generate a token with MS Graph
Type: test
Read only: True
No parameters are required for this action
No Output
Get a list of users
Type: investigate
Read only: True
For more information on using the filter_string, select_string and expand_string parameters, refer to https://docs.microsoft.com/en-us/graph/query-parameters. By default, only a limited set of properties is returned; to return an alternative property set, use the $select query parameter (select_string).
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| filter_string | optional | Filter string to apply to user listing | string | |
| select_string | optional | Select string to get additional user properties. Separate multiple values with commas | string | |
| expand_string | optional | Expand string to get a resource or collection referenced by a single relationship | string | |
| use_advanced_query | optional | Use advanced query capabilities | boolean | |
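An added example (written for this page, not taken from the connector) of how these four parameters become a Graph request and why use_advanced_query matters: Graph's advanced query capabilities (operators such as endsWith and ne, $search, and filters on properties that are not indexed for basic queries) are honoured only when the request carries the ConsistencyLevel: eventual header together with $count=true; without them Graph answers HTTP 400 with Request_UnsupportedQuery. The fetch function is injected, and the stand-in below returns the same two constructed pages regardless of filter, so it models paging and the header check only; the page size, the sample users and the error body are constructed.

```python
# Added example for this page (not connector code): list users parameters -> Graph
# request, the effect of use_advanced_query, and @odata.nextLink paging.
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def build_users_request(filter_string=None, select_string=None, expand_string=None,
                        use_advanced_query=False, page_size=999):
    """Return (url, headers) for GET /users.  Advanced queries need both the
    ConsistencyLevel: eventual header and $count=true."""
    params = {"$top": page_size}                 # 999 is Graph's maximum page size for /users
    if filter_string:
        params["$filter"] = filter_string
    if select_string:                            # page: comma-separated property names
        params["$select"] = ",".join(p.strip() for p in select_string.split(","))
    if expand_string:
        params["$expand"] = expand_string
    headers = {"Authorization": "Bearer <access token>"}
    if use_advanced_query:
        params["$count"] = "true"
        headers["ConsistencyLevel"] = "eventual"
    return f"{GRAPH}/users?{urlencode(params)}", headers


def list_users(fetch, **query):
    """Collect every page.  fetch(url, headers) -> parsed JSON body.  The same headers
    are re-sent for each @odata.nextLink; dropping ConsistencyLevel on page 2 of an
    advanced query fails the query mid-way."""
    url, headers = build_users_request(**query)
    users = []
    while url:
        page = fetch(url, headers)
        if "error" in page:
            raise RuntimeError(page["error"]["code"])
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


# ---- constructed stand-in for Graph (sample data, not from any tenant) ----------------
_PAGE2 = f"{GRAPH}/users?$skiptoken=opaque-page-2"
_FIRST = {"value": [{"id": "u1", "displayName": "Alice", "accountEnabled": True},
                    {"id": "u2", "displayName": "Bob", "accountEnabled": False}],
          "@odata.nextLink": _PAGE2}
_SECOND = {"value": [{"id": "u3", "displayName": "Carol", "accountEnabled": True}]}


def fake_fetch(url, headers):
    """Mimics Graph's 400 for an advanced operator sent without ConsistencyLevel,
    otherwise serves the two constructed pages."""
    if "endswith" in url.lower() and headers.get("ConsistencyLevel") != "eventual":
        return {"error": {"code": "Request_UnsupportedQuery",
                          "message": "Unsupported or invalid query filter clause"}}
    return _SECOND if url == _PAGE2 else _FIRST


def run_demo():
    """Returns (ids from a paged basic query, ids from an advanced query, error code
    from the same advanced filter sent without use_advanced_query)."""
    basic = [u["id"] for u in list_users(fake_fetch, filter_string="startswith(displayName,'A')")]
    adv = [u["id"] for u in list_users(fake_fetch, filter_string="endsWith(mail,'@test.com')",
                                       use_advanced_query=True)]
    try:
        list_users(fake_fetch, filter_string="endsWith(mail,'@test.com')")
        err = None
    except RuntimeError as e:
        err = str(e)
    return basic, adv, err


if __name__ == "__main__":
    print(run_demo())
```

When an investigation filter that works in Graph Explorer fails from the playbook with Request_UnsupportedQuery, the missing header is the first thing to check; enabling use_advanced_query is the connector-side equivalent.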
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.expand_string | string | manager | |
| action_result.parameter.filter_string | string | startswith(displayName,'User') | |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.use_advanced_query | boolean | True False | |
| action_result.data.*.accountEnabled | boolean | True False | |
| action_result.data.*.ageGroup | string | ||
| action_result.data.*.assignedLicenses.*.skuId | string | 189a915c-fe4f-4ffa-bde4-85b9628d07a0 | |
| action_result.data.*.assignedPlans.*.assignedTimestamp | string | 2017-08-29T02:31:40Z | |
| action_result.data.*.assignedPlans.*.capabilityStatus | string | Enabled | |
| action_result.data.*.assignedPlans.*.service | string | OfficeForms | |
| action_result.data.*.assignedPlans.*.servicePlanId | string | e212cbc7-0961-4c40-9825-01117710dcb1 | |
| action_result.data.*.city | string | Palo Alto | |
| action_result.data.*.companyName | string | ||
| action_result.data.*.consentProvidedForMinor | string | ||
| action_result.data.*.country | string | US | |
| action_result.data.*.createdDateTime | string | 2019-05-21T22:27:20Z | |
| action_result.data.*.creationType | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.department | string | Sales | |
| action_result.data.*.dirSyncEnabled | string | ||
| action_result.data.*.displayName | string | User | |
| action_result.data.*.employeeId | string | ||
| action_result.data.*.facsimileTelephoneNumber | string | ||
| action_result.data.*.givenName | string | testuser | |
| action_result.data.*.id | string | user id | e4c722ac-3b83-478d-8f52-c388885dc30f |
| action_result.data.*.immutableId | string | ||
| action_result.data.*.isCompromised | string | ||
| action_result.data.*.jobTitle | string | Sales Manager | |
| action_result.data.*.lastDirSyncTime | string | ||
| action_result.data.*.legalAgeGroupClassification | string | ||
| action_result.data.*.mail | string | email | user@test.com |
| action_result.data.*.mailNickname | string | testmail | |
| action_result.data.*.mobile | string | +1 5556378688 | |
| action_result.data.*.mobilePhone | string | ||
| action_result.data.*.objectType | string | User | |
| action_result.data.*.odata.type | string | test.DirectoryServices.User | |
| action_result.data.*.officeLocation | string | ||
| action_result.data.*.onPremisesDistinguishedName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.otherMails | string | email | user.test@outlook.com |
| action_result.data.*.passwordPolicies | string | None | |
| action_result.data.*.passwordProfile | string | ||
| action_result.data.*.passwordProfile.enforceChangePasswordPolicy | boolean | True False | |
| action_result.data.*.passwordProfile.forceChangePasswordNextLogin | boolean | True False | |
| action_result.data.*.passwordProfile.password | string | ||
| action_result.data.*.physicalDeliveryOfficeName | string | ||
| action_result.data.*.postalCode | string | 94303 | |
| action_result.data.*.preferredLanguage | string | en-US | |
| action_result.data.*.provisionedPlans.*.capabilityStatus | string | Enabled | |
| action_result.data.*.provisionedPlans.*.provisioningStatus | string | Success | |
| action_result.data.*.provisionedPlans.*.service | string | exchange | |
| action_result.data.*.proxyAddresses | string | SMTP:user1@test.com | |
| action_result.data.*.refreshTokensValidFromDateTime | string | 2017-09-27T22:54:59Z | |
| action_result.data.*.showInAddressList | string | ||
| action_result.data.*.sipProxyAddress | string | email | user@test.com |
| action_result.data.*.state | string | CA | |
| action_result.data.*.streetAddress | string | 2479 E. Bayshore Rd. | |
| action_result.data.*.surname | string | Test_surname | |
| action_result.data.*.telephoneNumber | string | ||
| action_result.data.*.thumbnailPhoto@odata.mediaEditLink | string | directoryObjects/6132ca31-7a09-434f-a269-abe836d0c01e/test.DirectoryServices.User/thumbnailPhoto | |
| action_result.data.*.usageLocation | string | US | |
| action_result.data.*.userPrincipalName | string | user id | user@test.com |
| action_result.data.*.userState | string | ||
| action_result.data.*.userStateChangedOn | string | ||
| action_result.data.*.userType | string | Member | |
| action_result.summary.num_users | numeric | 8 | |
| action_result.summary.result_found | boolean | True False | |
| action_result.summary.total_results | numeric | 7 | |
| action_result.message | string | Successfully listed users | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Reset or set a user's password in a Microsoft AD environment
Type: contain
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID to change password - can be user principal name or object ID | string | user id |
| force_change | optional | Force user to change password on next login | boolean | |
| temp_password | required | Temporary password for user | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.force_change | boolean | True False | |
| action_result.parameter.temp_password | string | Temp_PA$$w0rd | |
| action_result.parameter.user_id | string | user id | ee3dc4f2-70f9-446f-a19e-6b4e95ba030d user@test.com |
| action_result.data | string | ||
| action_result.summary.status | string | Successfully reset user password | |
| action_result.message | string | Status: Successfully reset user password | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Invalidate all active refresh tokens for a user in a Microsoft AD environment
Type: contain
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID to disable tokens of - can be user principal name or object ID | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.user_id | string | user id | ee3dc4f2-70f9-446f-a19e-6b4e95ba030d user@test.com |
| action_result.data | string | ||
| action_result.data.*.@odata.context | string | https://graph.test.com/v1.0/$metadata#Edm.Boolean | |
| action_result.data.*.odata.metadata | string | url | https://graph.windows.net/1t309est-db6c-4tes-t1d2-12bf3456d78d/$metadata#Edm.Null |
| action_result.data.*.odata.null | boolean | True False | |
| action_result.data.*.value | boolean | True False | |
| action_result.summary.status | string | Successfully disabled tokens | |
| action_result.message | string | Successfully invalidated tokens Status: Successfully disabled tokens | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Enable a user
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID to enable - can be user principal name or object ID | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data | string | ||
| action_result.summary.status | string | Successfully enabled user user@test.com | |
| action_result.message | string | Status: Successfully enabled user user@test.com | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Disable a user
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID to disable - can be user principal name or object ID | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data | string | ||
| action_result.summary.status | string | Successfully disabled user user@test.com | |
| action_result.message | string | Status: Successfully disabled user user@test.com | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
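The three containment actions above (reset password, disable tokens, disable user) are usually chained in one playbook. The added example below, written for this page and not taken from the connector, shows the Graph v1.0 calls those actions correspond to by my reading of the public API (update user for accountEnabled and passwordProfile, POST revokeSignInSessions for refresh-token invalidation, whose `value: true` / `$metadata#Edm.Boolean` response matches the disable tokens output table above) and the order that closes the attacker's window: disable first so no new token can be minted, revoke the refresh tokens already issued, then rotate the password. The transport is injected and the in-memory directory, user id and timestamps are constructed, so it runs offline. One caveat straight from the page: the reset password action echoes temp_password back in action_result.parameter.temp_password, so the value is visible to anyone who can read the container's action results; prefer a random one-time value with force_change set, and keep it out of your own logs as the redact helper does.

```python
# Added example for this page (not connector code): a containment sequence expressed
# as Graph v1.0 requests, run against a constructed in-memory directory.
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"


def random_temp_password(length=16):
    """At least one character from each class, the rest random, then shuffled."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!#$%&*+-=?@_"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def containment_steps(user_id, temp_password, force_change=True):
    """Ordered (method, url, json_body).  Reversing the order leaves a gap in which a
    stolen refresh token is still valid against an enabled account."""
    user = f"{GRAPH}/users/{user_id}"
    return [
        ("PATCH", user, {"accountEnabled": False}),                       # disable user
        ("POST", f"{user}/revokeSignInSessions", None),                   # disable tokens
        ("PATCH", user, {"passwordProfile": {"password": temp_password,   # reset password
                                             "forceChangePasswordNextSignIn": force_change}}),
    ]


def redact(body):
    """What may be logged: never the password itself."""
    if body and "passwordProfile" in body:
        return {"passwordProfile": {**body["passwordProfile"], "password": "***"}}
    return body


def run_containment(send, user_id, temp_password, force_change=True):
    """send(method, url, body) -> (http_status, json_or_None).  Stops on the first
    failure and returns an audit trail with the password redacted."""
    trail = []
    for method, url, body in containment_steps(user_id, temp_password, force_change):
        status, payload = send(method, url, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> {status}: {payload}")
        if url.endswith("/revokeSignInSessions") and not (payload or {}).get("value"):
            raise RuntimeError("revokeSignInSessions did not return value=true")
        trail.append((method, url[len(GRAPH):], status, redact(body)))
    return trail


# ---- constructed in-memory directory standing in for Graph (sample data) -------------
class FakeGraph:
    def __init__(self):
        self.users = {"u-123": {"accountEnabled": True,
                                "refreshTokensValidFromDateTime": "2023-01-01T00:00:00Z",
                                "passwordProfile": None}}

    def send(self, method, url, body):
        parts = url[len(GRAPH):].strip("/").split("/")   # ["users", "<id>", ("revokeSignInSessions")]
        if len(parts) < 2 or parts[0] != "users" or parts[1] not in self.users:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        user = self.users[parts[1]]
        if method == "POST" and parts[2:] == ["revokeSignInSessions"]:
            user["refreshTokensValidFromDateTime"] = "2024-06-01T12:00:00Z"   # "now" in the sample
            return 200, {"@odata.context": f"{GRAPH}/$metadata#Edm.Boolean", "value": True}
        if method == "PATCH" and len(parts) == 2:
            user.update(body)            # real Graph answers 204 No Content to a user update
            return 204, None
        return 400, {"error": {"code": "Request_BadRequest"}}


def demo():
    """Contain the constructed user; returns (final user record, audit trail, password)."""
    g = FakeGraph()
    pw = random_temp_password()
    trail = run_containment(g.send, "u-123", pw)
    return g.users["u-123"], trail, pw


if __name__ == "__main__":
    user, trail, _ = demo()
    for step in trail:
        print(step)
    print("tokens valid from:", user["refreshTokensValidFromDateTime"])
```

To confirm the revocation took effect, compare refreshTokensValidFromDateTime (listed in the list users output above) before and after: tokens issued before that timestamp are no longer accepted.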
List devices for a specified user
Type: investigate
Read only: True
By default, only a limited set of properties is returned; to return an alternative property set, use the $select query parameter (select_string). For more information on using the select_string parameter, refer to https://docs.microsoft.com/en-us/graph/query-parameters.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID - can be user principal name or object ID | string | user id |
| select_string | optional | Select string to get additional user properties. Separate multiple values with commas | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data.*.@odata.type | string | #test.graph.device | |
| action_result.data.*.accountEnabled | boolean | True False | |
| action_result.data.*.alternativeSecurityIds.*.identityProvider | string | ||
| action_result.data.*.alternativeSecurityIds.*.key | string | WAA1ADAAOQA6ADwAUwBIAEEAMQAtAFQAUAAtAFAAVQBCAEsARQBZAD4AOQA5AEEARQAwADgAOABDAEUANAA1ADgAMABCADcAQgBGAEEARQA2ADEAQQBCADYANAA3ADYANgA5ADUAOAAzAEQANABFAEYARQA5ADYAOAAyAHkAcQBSAEIANwBrAGEAMQA4AEoATAByACsAegB4AE8AYwB6AE8AYgBNAFEANQBZAEgAbgB0AFQAdgBOAG0AbgA5AEQAZQA2AFgAVQBUAGgAcwBFAD0A | |
| action_result.data.*.alternativeSecurityIds.*.type | numeric | 2 | |
| action_result.data.*.approximateLastSignInDateTime | string | 2019-09-26T03:42:15Z | |
| action_result.data.*.complianceExpirationDateTime | string | ||
| action_result.data.*.createdDateTime | string | 2019-09-26T03:42:15Z | |
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.deviceCategory | string | ||
| action_result.data.*.deviceId | string | ||
| action_result.data.*.deviceMetadata | string | ||
| action_result.data.*.deviceOwnership | string | ||
| action_result.data.*.deviceVersion | numeric | ||
| action_result.data.*.displayName | string | ||
| action_result.data.*.domainName | string | ||
| action_result.data.*.enrollmentProfileName | string | ||
| action_result.data.*.enrollmentType | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute1 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute10 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute11 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute12 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute13 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute14 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute15 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute2 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute3 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute4 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute5 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute6 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute7 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute8 | string | ||
| action_result.data.*.extensionAttributes.extensionAttribute9 | string | ||
| action_result.data.*.externalSourceName | string | ||
| action_result.data.*.id | string | ||
| action_result.data.*.isCompliant | boolean | ||
| action_result.data.*.isManaged | boolean | ||
| action_result.data.*.isRooted | string | ||
| action_result.data.*.managementType | string | ||
| action_result.data.*.manufacturer | string | ||
| action_result.data.*.mdmAppId | string | ||
| action_result.data.*.model | string | ||
| action_result.data.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.onPremisesSyncEnabled | boolean | ||
| action_result.data.*.operatingSystem | string | Windows | |
| action_result.data.*.operatingSystemVersion | string | 10.0.18362.0 | |
| action_result.data.*.profileType | string | RegisteredDevice | |
| action_result.data.*.registrationDateTime | string | 2019-09-26T03:42:15Z | |
| action_result.data.*.sourceType | string | ||
| action_result.data.*.trustType | string | Workplace | |
| action_result.summary | string | ||
| action_result.summary.status | string | Successfully retrieved owned devices for user test@user.test.com | |
| action_result.message | string | Status: Successfully retrieved owned devices for user test@user.test.com | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
List attributes for all or a specified user
Type: investigate
Read only: True
By default, only a limited set of properties is returned; to return an alternative property set, use the $select query parameter (select_string). For more information on using the select_string and expand_string parameters, refer to https://docs.microsoft.com/en-us/graph/query-parameters.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | optional | User ID - can be user principal name or object ID | string | user id |
| select_string | optional | Select string to get additional user properties. Separate multiple values with commas | string | |
| expand_string | optional | Expand string to get a resource or collection referenced by a single relationship | string | |
| use_advanced_query | optional | Use advanced query capabilities | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.expand_string | string | manager | |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.use_advanced_query | boolean | True False | |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data.*.@odata.context | string | https://graph.test.com/v1.0/$metadata#users/$entity | |
| action_result.data.*.accountEnabled | boolean | True False | |
| action_result.data.*.ageGroup | string | ||
| action_result.data.*.assignedLicenses.*.skuId | string | f30db892-07e9-47e9-837c-80727f46fd3d | |
| action_result.data.*.assignedPlans.*.assignedTimestamp | string | 2019-04-26T07:21:18Z | |
| action_result.data.*.assignedPlans.*.capabilityStatus | string | Enabled | |
| action_result.data.*.assignedPlans.*.service | string | exchange | |
| action_result.data.*.assignedPlans.*.servicePlanId | string | 33c4f319-9bdd-48d6-9c4d-410b750a4a5a | |
| action_result.data.*.city | string | ||
| action_result.data.*.companyName | string | ||
| action_result.data.*.consentProvidedForMinor | string | ||
| action_result.data.*.country | string | ||
| action_result.data.*.createdDateTime | string | 2019-05-02T20:27:59Z | |
| action_result.data.*.creationType | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.department | string | Sales | |
| action_result.data.*.dirSyncEnabled | string | ||
| action_result.data.*.displayName | string | Test User | |
| action_result.data.*.employeeId | string | ||
| action_result.data.*.facsimileTelephoneNumber | string | ||
| action_result.data.*.givenName | string | ||
| action_result.data.*.id | string | user id | 7d55d7e6-cf5a-4dd2-a176-57a3c33b7fa9 |
| action_result.data.*.identities.*.issuer | string | test.com | |
| action_result.data.*.identities.*.issuerAssignedId | string | test2@user.test.com | |
| action_result.data.*.identities.*.signInType | string | userPrincipalName | |
| action_result.data.*.immutableId | string | ||
| action_result.data.*.isCompromised | string | ||
| action_result.data.*.jobTitle | string | ||
| action_result.data.*.lastDirSyncTime | string | ||
| action_result.data.*.legalAgeGroupClassification | string | ||
| action_result.data.*.mail | string | email | |
| action_result.data.*.mailNickname | string | test | |
| action_result.data.*.mobile | string | ||
| action_result.data.*.mobilePhone | string | ||
| action_result.data.*.objectId | string | 59f51194-1998-4932-a8ac-468e59374edc | |
| action_result.data.*.objectType | string | User | |
| action_result.data.*.odata.metadata | string | https://graph.windows.net/1t309est-db6c-4tes-t1d2-12bf3456d78d/$metadata#directoryObjects/@Element | |
| action_result.data.*.odata.type | string | test.DirectoryServices.User | |
| action_result.data.*.officeLocation | string | ||
| action_result.data.*.onPremisesDistinguishedName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.otherMails | string | email | user@test.com |
| action_result.data.*.passwordPolicies | string | ||
| action_result.data.*.passwordProfile | string | ||
| action_result.data.*.passwordProfile.enforceChangePasswordPolicy | boolean | True False | |
| action_result.data.*.passwordProfile.forceChangePasswordNextLogin | boolean | True False | |
| action_result.data.*.passwordProfile.password | string | ||
| action_result.data.*.physicalDeliveryOfficeName | string | ||
| action_result.data.*.postalCode | string | ||
| action_result.data.*.preferredLanguage | string | ||
| action_result.data.*.provisionedPlans.*.capabilityStatus | string | Enabled | |
| action_result.data.*.provisionedPlans.*.provisioningStatus | string | Success | |
| action_result.data.*.provisionedPlans.*.service | string | exchange | |
| action_result.data.*.proxyAddresses | string | SMTP:test_shared_mailbox@test.com | |
| action_result.data.*.refreshTokensValidFromDateTime | string | 2019-05-16T19:54:18Z | |
| action_result.data.*.showInAddressList | string | ||
| action_result.data.*.sipProxyAddress | string | email | |
| action_result.data.*.state | string | ||
| action_result.data.*.streetAddress | string | ||
| action_result.data.*.surname | string | ||
| action_result.data.*.telephoneNumber | string | ||
| action_result.data.*.thumbnailPhoto@odata.mediaEditLink | string | directoryObjects/59f12345-1998-4932-a8ac-468e59374edc/test.DirectoryServices.User/thumbnailPhoto | |
| action_result.data.*.usageLocation | string | US | |
| action_result.data.*.userPrincipalName | string | user id | user@test.com |
| action_result.data.*.userState | string | ||
| action_result.data.*.userStateChangedOn | string | ||
| action_result.data.*.userType | string | Member | |
| action_result.summary.status | string | Successfully retrieved user attributes Successfully retrieved attributes for user user@test.com | |
| action_result.message | string | Status: Successfully retrieved user attributes Status: Successfully retrieved attributes for user user@test.com, User enabled: False | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Set an attribute for a user
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID - can be user principal name or object ID | string | user id |
| attribute | required | Attribute to set | string | |
| attribute_value | required | Value of attribute to set | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.attribute | string | department | |
| action_result.parameter.attribute_value | string | Sales | |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data | string | ||
| action_result.data.*.classification | string | ||
| action_result.data.*.createdDateTime | string | 2021-03-25T18:40:53Z | |
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.description | string | This is for testing purpose | |
| action_result.data.*.dirSyncEnabled | string | ||
| action_result.data.*.displayName | string | Test-site | |
| action_result.data.*.expirationDateTime | string | ||
| action_result.data.*.id | string | user id | 2a201c95-101b-42d9-a7af-9a2fdf8193f1 |
| action_result.data.*.isAssignableToRole | string | ||
| action_result.data.*.lastDirSyncTime | string | ||
| action_result.data.*.mail | string | email | Test-site@test.com |
| action_result.data.*.mailEnabled | boolean | True False | |
| action_result.data.*.mailNickname | string | Test-site | |
| action_result.data.*.membershipRule | string | ||
| action_result.data.*.membershipRuleProcessingState | string | ||
| action_result.data.*.objectType | string | Group | |
| action_result.data.*.odata.type | string | test.DirectoryServices.Group | |
| action_result.data.*.onPremisesDomainName | string | domain | |
| action_result.data.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.onPremisesNetBiosName | string | ||
| action_result.data.*.onPremisesSamAccountName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.onPremisesSyncEnabled | string | ||
| action_result.data.*.preferredDataLocation | string | ||
| action_result.data.*.preferredLanguage | string | ||
| action_result.data.*.proxyAddresses | string | SMTP:test-h@test.com | |
| action_result.data.*.renewedDateTime | string | 2021-03-25T18:40:53Z | |
| action_result.data.*.securityEnabled | boolean | True False | |
| action_result.data.*.securityIdentifier | string | S-1-12-1-294681889-1319597617-672379543-28952017 | |
| action_result.data.*.theme | string | ||
| action_result.data.*.visibility | string | Private | |
| action_result.summary.status | string | Successfully enabled user user@test.com | |
| action_result.message | string | Status: Successfully enabled user user@test.com | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Remove a user from a specified group
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_object_id | required | Object ID of group | string | group object id |
| user_id | required | User ID to remove from group | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.group_object_id | string | group object id | ddb876b3-603a-437b-9814-2d46a2219a1e |
| action_result.parameter.user_id | string | user id | 17be76d0-35ed-4881-ab62-d2eb73c2ebe3 |
| action_result.data | string | ||
| action_result.summary.status | string | Successfully removed user from group User not in group | |
| action_result.message | string | Status: Successfully removed user from group Status: User not in group | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Add a user to a specified group
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_object_id | required | Object ID of group | string | group object id |
| user_id | required | User ID to add to group | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.group_object_id | string | group object id | ddb876b3-603a-437b-9814-2d46a2219a1e |
| action_result.parameter.user_id | string | user id | 17be76d0-35ed-4881-ab62-d2eb73c2ebe3 |
| action_result.data | string | ||
| action_result.summary.status | string | Successfully added user to group User already in group | |
| action_result.message | string | Status: Successfully added user to group Status: User already in group | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
List groups in the organization
Type: investigate
Read only: True
By default only a limited set of properties is returned; to return a different property set, pass the $select query parameter through select_string. For details on the select_string and expand_string parameters, refer to https://docs.microsoft.com/en-us/graph/query-parameters.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| filter_string | optional | Filter string to apply to group listing | string | |
| select_string | optional | Select string to get additional group properties. Separate multiple values with commas | string | |
| expand_string | optional | Expand string to get a resource or collection referenced by a single relationship | string | |
| use_advanced_query | optional | Use advanced query capabilities | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.expand_string | string | members | |
| action_result.parameter.filter_string | string | createdDateTime ge '2014-01-01T00:00:00Z' | |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.use_advanced_query | boolean | True False | |
| action_result.data.*.classification | string | ||
| action_result.data.*.createdDateTime | string | 2021-03-25T18:40:53Z | |
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.description | string | This is for testing purpose | |
| action_result.data.*.dirSyncEnabled | string | ||
| action_result.data.*.displayName | string | Test-site | |
| action_result.data.*.expirationDateTime | string | ||
| action_result.data.*.id | string | group object id | 2a201c95-101b-42d9-a7af-9a2fdf8193f1 |
| action_result.data.*.isAssignableToRole | string | ||
| action_result.data.*.lastDirSyncTime | string | ||
| action_result.data.*.mail | string | email | Test-site@test.com |
| action_result.data.*.mailEnabled | boolean | True False | |
| action_result.data.*.mailNickname | string | Test-site | |
| action_result.data.*.membershipRule | string | ||
| action_result.data.*.membershipRuleProcessingState | string | ||
| action_result.data.*.objectType | string | Group | |
| action_result.data.*.odata.type | string | test.DirectoryServices.Group | |
| action_result.data.*.onPremisesDomainName | string | domain | |
| action_result.data.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.onPremisesNetBiosName | string | ||
| action_result.data.*.onPremisesSamAccountName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.onPremisesSyncEnabled | string | ||
| action_result.data.*.preferredDataLocation | string | ||
| action_result.data.*.preferredLanguage | string | ||
| action_result.data.*.proxyAddresses | string | SMTP:test-h@test.com | |
| action_result.data.*.renewedDateTime | string | 2021-03-25T18:40:53Z | |
| action_result.data.*.securityEnabled | boolean | True False | |
| action_result.data.*.securityIdentifier | string | S-1-12-1-294681889-1319597617-672379543-28952017 | |
| action_result.data.*.theme | string | ||
| action_result.data.*.visibility | string | Private | |
| action_result.summary.num_groups | numeric | 7 | |
| action_result.message | string | Num groups: 7 | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Get information about a group
Type: investigate
Read only: True
By default only a limited set of properties is returned; to return a different property set, pass the $select query parameter through select_string. For details on the select_string and expand_string parameters, refer to https://docs.microsoft.com/en-us/graph/query-parameters.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| object_id | required | Object ID of group | string | group object id |
| select_string | optional | Select string to get additional group properties. Separate multiple values with commas | string | |
| expand_string | optional | Expand string to get a resource or collection referenced by a single relationship | string | |
| use_advanced_query | optional | Use advanced query capabilities | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.expand_string | string | members | |
| action_result.parameter.object_id | string | group object id | ddb876b3-603a-437b-9814-2d46a2219a1e |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.use_advanced_query | boolean | True False | |
| action_result.data.*.@odata.context | string | https://graph.test.com/v1.0/$metadata#groups(id,displayName)/$entity | |
| action_result.data.*.classification | string | ||
| action_result.data.*.createdDateTime | string | 2020-08-05T11:59:49Z | |
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.description | string | This is the office 365 group | |
| action_result.data.*.dirSyncEnabled | string | ||
| action_result.data.*.displayName | string | o365group | |
| action_result.data.*.expirationDateTime | string | ||
| action_result.data.*.id | string | group object id | ddb876b3-603a-437b-9814-2d46a2219a1e |
| action_result.data.*.isAssignableToRole | string | ||
| action_result.data.*.lastDirSyncTime | string | ||
| action_result.data.*.mail | string | email | bc7f9cabe@test.com |
| action_result.data.*.mailEnabled | boolean | True False | |
| action_result.data.*.mailNickname | string | bc7f9cabe | |
| action_result.data.*.membershipRule | string | ||
| action_result.data.*.membershipRuleProcessingState | string | ||
| action_result.data.*.objectType | string | Group | |
| action_result.data.*.odata.metadata | string | https://graph.windows.net/1t309est-db6c-4tes-t1d2-12bf3456d78d/$metadata#directoryObjects/@Element | |
| action_result.data.*.odata.type | string | test.DirectoryServices.Group | |
| action_result.data.*.onPremisesDomainName | string | domain | |
| action_result.data.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.onPremisesNetBiosName | string | ||
| action_result.data.*.onPremisesSamAccountName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.onPremisesSyncEnabled | string | ||
| action_result.data.*.preferredDataLocation | string | ||
| action_result.data.*.preferredLanguage | string | ||
| action_result.data.*.proxyAddresses | string | SMTP:bc7f9cabe@test.com | |
| action_result.data.*.renewedDateTime | string | 2020-08-05T11:59:49Z | |
| action_result.data.*.securityEnabled | boolean | True False | |
| action_result.data.*.securityIdentifier | string | S-1-12-1-909260723-1083662375-1952945031-2402852259 | |
| action_result.data.*.theme | string | ||
| action_result.data.*.visibility | string | ||
| action_result.summary.display_name | string | o365group | |
| action_result.summary.status | string | Successfully retrieved group 104d4576-1544-48b5-bb7e-9f8f871aa824 | |
| action_result.message | string | Display name: o365group | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
List the members in a group
Type: investigate
Read only: True
By default only a limited set of properties is returned; to return a different property set, pass the $select query parameter through select_string. For details on the select_string and expand_string parameters, refer to https://docs.microsoft.com/en-us/graph/query-parameters.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_object_id | required | Object ID of group | string | group object id |
| select_string | optional | Select string to get additional properties. Separate multiple values with commas | string | |
| expand_string | optional | Expand string to get a resource or collection referenced by a single relationship | string | |
| use_advanced_query | optional | Use advanced query capabilities | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.expand_string | string | manager | |
| action_result.parameter.group_object_id | string | group object id | ebcd3130-55a1-4cbf-81b2-86408ff21203 |
| action_result.parameter.select_string | string | displayName | |
| action_result.parameter.use_advanced_query | boolean | True False | |
| action_result.data.*.@odata.type | string | #test.graph.user | |
| action_result.data.*.accountEnabled | boolean | True | |
| action_result.data.*.ageGroup | string | ||
| action_result.data.*.assignedLicenses.*.skuId | string | 189a915c-fe4f-4ffa-bde4-85b9628d07a0 | |
| action_result.data.*.assignedPlans.*.assignedDateTime | string | 2022-11-03T15:12:28Z | |
| action_result.data.*.assignedPlans.*.capabilityStatus | string | Deleted | |
| action_result.data.*.assignedPlans.*.service | string | AADPremiumService | |
| action_result.data.*.assignedPlans.*.servicePlanId | string | eec0eb4f-6444-4f95-aba0-50c24d67f998 | |
| action_result.data.*.city | string | Palo Alto | |
| action_result.data.*.companyName | string | ||
| action_result.data.*.consentProvidedForMinor | string | ||
| action_result.data.*.country | string | US | |
| action_result.data.*.createdDateTime | string | 2016-06-09T18:33:27Z | |
| action_result.data.*.creationType | string | ||
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.department | string | ||
| action_result.data.*.displayName | string | Firstname Lastname | |
| action_result.data.*.employeeHireDate | string | ||
| action_result.data.*.employeeId | string | ||
| action_result.data.*.employeeOrgData | string | ||
| action_result.data.*.employeeType | string | ||
| action_result.data.*.externalUserState | string | ||
| action_result.data.*.externalUserStateChangeDateTime | string | ||
| action_result.data.*.faxNumber | string | ||
| action_result.data.*.givenName | string | ||
| action_result.data.*.id | string | user id | 17be76d0-35ed-4881-ab62-d2eb73c2ebe3 |
| action_result.data.*.identities.*.issuer | string | test.com | |
| action_result.data.*.identities.*.issuerAssignedId | string | test@user.test.com | |
| action_result.data.*.identities.*.signInType | string | userPrincipalName | |
| action_result.data.*.isResourceAccount | string | ||
| action_result.data.*.jobTitle | string | ||
| action_result.data.*.legalAgeGroupClassification | string | ||
| action_result.data.*.mail | string | ||
| action_result.data.*.mailNickname | string | User | |
| action_result.data.*.mobilePhone | string | ||
| action_result.data.*.officeLocation | string | ||
| action_result.data.*.onPremisesDistinguishedName | string | ||
| action_result.data.*.onPremisesDomainName | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute1 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute10 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute11 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute12 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute13 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute14 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute15 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute2 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute3 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute4 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute5 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute6 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute7 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute8 | string | ||
| action_result.data.*.onPremisesExtensionAttributes.extensionAttribute9 | string | ||
| action_result.data.*.onPremisesImmutableId | string | ||
| action_result.data.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.onPremisesSamAccountName | string | ||
| action_result.data.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.onPremisesSyncEnabled | string | ||
| action_result.data.*.onPremisesUserPrincipalName | string | ||
| action_result.data.*.passwordPolicies | string | ||
| action_result.data.*.passwordProfile | string | ||
| action_result.data.*.postalCode | string | 94303 | |
| action_result.data.*.preferredDataLocation | string | ||
| action_result.data.*.preferredLanguage | string | ||
| action_result.data.*.provisionedPlans.*.capabilityStatus | string | Enabled | |
| action_result.data.*.provisionedPlans.*.provisioningStatus | string | Success | |
| action_result.data.*.provisionedPlans.*.service | string | testCommunicationsOnline | |
| action_result.data.*.refreshTokensValidFromDateTime | string | 2022-08-08T13:00:58Z | |
| action_result.data.*.showInAddressList | string | ||
| action_result.data.*.signInSessionsValidFromDateTime | string | 2022-08-08T13:00:58Z | |
| action_result.data.*.state | string | CA | |
| action_result.data.*.streetAddress | string | 2479 E. Bayshore Rd. | |
| action_result.data.*.surname | string | ||
| action_result.data.*.usageLocation | string | US | |
| action_result.data.*.userPrincipalName | string | ews_retest@test.com | |
| action_result.data.*.userType | string | Member | |
| action_result.summary.num_members | numeric | | 3 |
| action_result.summary.num_users | numeric | 3 | |
| action_result.message | string | Num members: 3 | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Returns true if a user is in a group; otherwise, false
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_object_id | required | Object ID of group | string | group object id |
| user_id | required | User ID to validate | string | user id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.parameter.group_object_id | string | group object id | ebcd3130-55a1-4cbf-81b2-86408ff21203 |
| action_result.parameter.user_id | string | user id | user@test.com |
| action_result.data.*.@odata.context | string | https://graph.test.com/v1.0/$metadata#directoryObjects | |
| action_result.data.*.user_in_group | string | ||
| action_result.data.*.value.*.@odata.type | string | #test.graph.group | |
| action_result.data.*.value.*.classification | string | ||
| action_result.data.*.value.*.createdDateTime | string | 2022-02-25T12:05:22Z | |
| action_result.data.*.value.*.deletedDateTime | string | ||
| action_result.data.*.value.*.description | string | Test group for MSGraph | |
| action_result.data.*.value.*.displayName | string | Test group for MSGraph | |
| action_result.data.*.value.*.expirationDateTime | string | ||
| action_result.data.*.value.*.id | string | group object id | 49233413-24c6-4516-a9e1-4d5f87fe34fd |
| action_result.data.*.value.*.isAssignableToRole | string | ||
| action_result.data.*.value.*.mail | string | test@user.test.com | |
| action_result.data.*.value.*.mailEnabled | boolean | True | |
| action_result.data.*.value.*.mailNickname | string | TestgroupforMSGraph | |
| action_result.data.*.value.*.membershipRule | string | ||
| action_result.data.*.value.*.membershipRuleProcessingState | string | ||
| action_result.data.*.value.*.onPremisesDomainName | string | ||
| action_result.data.*.value.*.onPremisesLastSyncDateTime | string | ||
| action_result.data.*.value.*.onPremisesNetBiosName | string | ||
| action_result.data.*.value.*.onPremisesSamAccountName | string | ||
| action_result.data.*.value.*.onPremisesSecurityIdentifier | string | ||
| action_result.data.*.value.*.onPremisesSyncEnabled | string | ||
| action_result.data.*.value.*.preferredDataLocation | string | ||
| action_result.data.*.value.*.preferredLanguage | string | ||
| action_result.data.*.value.*.renewedDateTime | string | 2022-02-25T12:05:22Z | |
| action_result.data.*.value.*.securityEnabled | boolean | True | |
| action_result.data.*.value.*.securityIdentifier | string | S-1-12-1-1227043859-1159079110-1598939561-4248108679 | |
| action_result.data.*.value.*.theme | string | ||
| action_result.data.*.value.*.visibility | string | Private | |
| action_result.summary.message | string | User is member of group | |
| action_result.summary.user_in_group | string | ||
| action_result.message | string | User in group: True | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
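The add user, remove user and validate group actions documented above are thin wrappers over three Graph calls. The example below is written for this page and is not the app's code: it issues those calls against an in-memory stand-in for the directory so the edge cases the tables mention (adding a user who is already a member, removing one who is not) can be exercised offline. The status strings are the ones the tables document; how the app maps Graph responses onto them, and its use of checkMemberGroups for the validation (the app's own data paths suggest it returns the matching group object from the user's memberOf collection instead), are this example's assumptions.

```python
"""Added example (not the app's code): the Graph calls behind 'add user',
'remove user' and 'validate group', with a constructed FakeDirectory
standing in for the tenant."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"
GROUP = "ddb876b3-603a-437b-9814-2d46a2219a1e"   # example IDs from the tables
USER = "17be76d0-35ed-4881-ab62-d2eb73c2ebe3"


class FakeDirectory:
    """Models the three endpoints used below with Graph's status codes:
    204 on success, 400 when the member reference already exists,
    404 when the reference (or the group) does not exist."""

    def __init__(self, members):
        self.members = {g: set(m) for g, m in members.items()}

    def request(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if method == "POST" and len(parts) == 4 and parts[0] == "groups" \
                and parts[2:] == ["members", "$ref"]:
            gid, uid = parts[1], body["@odata.id"].rsplit("/", 1)[1]
            if gid not in self.members:
                return 404, {"error": {"code": "Request_ResourceNotFound"}}
            if uid in self.members[gid]:
                return 400, {"error": {"code": "Request_BadRequest", "message":
                             "One or more added object references already exist "
                             "for the following modified properties: 'members'."}}
            self.members[gid].add(uid)
            return 204, None
        if method == "DELETE" and len(parts) == 5 and parts[0] == "groups" \
                and parts[2] == "members" and parts[4] == "$ref":
            gid, uid = parts[1], parts[3]
            if uid not in self.members.get(gid, set()):
                return 404, {"error": {"code": "Request_ResourceNotFound"}}
            self.members[gid].discard(uid)
            return 204, None
        if method == "POST" and len(parts) == 3 and parts[0] == "users" \
                and parts[2] == "checkMemberGroups":
            hits = [g for g in body["groupIds"] if parts[1] in self.members.get(g, ())]
            return 200, {"value": hits}
        return 400, {"error": {"code": "Request_BadRequest", "message": "unmodelled call"}}


def add_user(client, group_object_id, user_id):
    """POST /groups/{id}/members/$ref with the member as an @odata.id reference.
    Needs GroupMember.ReadWrite.All (or Group.ReadWrite.All); a role-assignable
    group additionally needs RoleManagement.ReadWrite.Directory."""
    status, body = client.request(
        "POST", f"/groups/{group_object_id}/members/$ref",
        {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"})
    if status == 204:
        return "Successfully added user to group"
    if status == 400 and "already exist" in body["error"].get("message", ""):
        return "User already in group"
    raise RuntimeError(f"Graph returned {status}: {json.dumps(body)}")


def remove_user(client, group_object_id, user_id):
    """DELETE /groups/{id}/members/{userId}/$ref.  Graph answers 404 both when
    the user is not a member and when the group ID is wrong, so treat
    'User not in group' as unverified unless the group was looked up first."""
    status, body = client.request(
        "DELETE", f"/groups/{group_object_id}/members/{user_id}/$ref")
    if status == 204:
        return "Successfully removed user from group"
    if status == 404:
        return "User not in group"
    raise RuntimeError(f"Graph returned {status}: {json.dumps(body)}")


def user_in_group(client, group_object_id, user_id):
    """POST /users/{id}/checkMemberGroups: transitive (nested groups count),
    no enumeration of the group's members, up to 20 group IDs per call."""
    status, body = client.request(
        "POST", f"/users/{user_id}/checkMemberGroups", {"groupIds": [group_object_id]})
    if status != 200:
        raise RuntimeError(f"Graph returned {status}: {json.dumps(body)}")
    return group_object_id in body["value"]


def new_directory():
    """Constructed starting state: GROUP exists with one unrelated member."""
    return FakeDirectory({GROUP: {"00000000-0000-0000-0000-000000000001"}})


if __name__ == "__main__":
    d = new_directory()
    print(add_user(d, GROUP, USER))       # Successfully added user to group
    print(add_user(d, GROUP, USER))       # User already in group
    print(user_in_group(d, GROUP, USER))  # True
    print(remove_user(d, GROUP, USER))    # Successfully removed user from group
    print(remove_user(d, GROUP, USER))    # User not in group
```

The 404 ambiguity on removal is the one to watch in a containment playbook: a mistyped group_object_id produces the same "User not in group" outcome as a genuine non-member, so pair the action with get group (or check the action's status) before treating the result as confirmation that access was revoked.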
List the directory roles that are activated in the tenant
Type: investigate
Read only: True
Pagination is not implemented for this action because the Graph endpoint it calls does not support paging; see the Microsoft Graph documentation for that endpoint.
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.data.*.deletedDateTime | string | ||
| action_result.data.*.deletionTimestamp | string | ||
| action_result.data.*.description | string | Can read basic directory information. For granting access to applications, not intended for users. | |
| action_result.data.*.displayName | string | Directory Readers | |
| action_result.data.*.id | string | directory object id | 02b238cb-0d15-454b-aae6-0e94993a3207 |
| action_result.data.*.isSystem | boolean | True False | |
| action_result.data.*.objectType | string | Role | |
| action_result.data.*.odata.type | string | test.DirectoryServices.DirectoryRole | |
| action_result.data.*.roleTemplateId | string | role template id | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| action_result.summary.num_directory_roles | numeric | 9 | |
| action_result.message | string | Num directory roles: 9 | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Generate a token
Type: generic
Read only: False
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failed | |
| action_result.data | string | ||
| action_result.summary | string | ||
| action_result.message | string | Token generated | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
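The generate token action only reports "Token generated"; before letting a playbook run write actions on that token it is worth confirming what the token actually grants. The following added example, written for this page and not part of the app, builds the refresh_token request for the v2.0 token endpoint (the refresh token exists only because offline_access was consented) and then inspects an access token's payload for the Graph audience, expiry and the delegated scopes the actions need. The sample token is constructed and unsigned; the code inspects a token you obtained yourself and does not validate it, which is the resource server's job. The required-scope set is this example's assumption, taken from the permission list in the setup steps.

```python
"""Added example (not the app's code): refresh-token request shape and
post-generation checks on an access token's claims.  Inspection only;
no signature verification is performed or implied."""
import base64
import json
import time

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_AUD = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # aud may be this GUID instead

# Delegated permissions from the setup steps that the write actions rely on.
# RoleManagement.ReadWrite.Directory is only needed for role-assignable groups.
REQUIRED_SCOPES = {"User.ReadWrite.All", "Directory.ReadWrite.All",
                   "Group.ReadWrite.All", "GroupMember.ReadWrite.All"}


def refresh_request(tenant, client_id, client_secret, refresh_token):
    """(url, form body) for the refresh_token grant.  The secret travels in the
    body, so the asset's secret store, not a playbook variable, should hold it."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": " ".join(sorted(REQUIRED_SCOPES | {"offline_access"})),
    }
    return TOKEN_URL.format(tenant=tenant), form


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it or b64decode raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Payload claims of a compact JWT, decoded WITHOUT verification."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token(access_token, now=None):
    """Return a list of problems; an empty list means the token is usable
    for this app's delegated actions."""
    claims = token_claims(access_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in (GRAPH_AUD, GRAPH_APP_ID):
        problems.append("audience is not Microsoft Graph: %r" % claims.get("aud"))
    if claims.get("exp", 0) <= now + 60:
        problems.append("token expires within 60 s or has expired")
    if "roles" in claims and "scp" not in claims:
        problems.append("app-only token (roles claim); delegated actions need scp")
    missing = REQUIRED_SCOPES - set(claims.get("scp", "").split())
    if missing:
        problems.append("missing delegated scopes: " + ", ".join(sorted(missing)))
    return problems


def constructed_token(scp, exp, aud=GRAPH_AUD):
    """Build an UNSIGNED sample token for the demo; the signature segment is junk."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg({"aud": aud, "scp": scp, "exp": exp}) + ".x"


if __name__ == "__main__":
    now = int(time.time())
    good = constructed_token(" ".join(sorted(REQUIRED_SCOPES)) + " offline_access", now + 3600)
    print(check_token(good))                                        # []
    print(check_token(constructed_token("User.Read", now + 3600)))  # missing scopes
```

A token whose scp claim lacks Directory.ReadWrite.All will still pass the connectivity test but fail the disable/enable and group-write actions with 403 at run time; checking the claims once after generating the token turns that into an early, explicit failure.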