# Entra Schema

## EntraTenant

Representation of an Entra (formerly Azure AD) Tenant.

| Field | Description |
|---|---|
| id | Entra Tenant ID (GUID) |
| created_date_time | Date and time when the tenant was created |
| default_usage_location | Default location for usage reporting |
| deleted_date_time | Date and time when the tenant was deleted (if applicable) |
| display_name | Display name of the tenant |
| marketing_notification_emails | List of email addresses for marketing notifications |
| mobile_device_management_authority | Mobile device management authority for the tenant |
| on_premises_last_sync_date_time | Last time the tenant was synced with the on-premises directory |
| on_premises_sync_enabled | Whether on-premises directory sync is enabled |
| partner_tenant_type | Type of partner tenant |
| postal_code | Postal code of the tenant’s address |
| preferred_language | Preferred language for the tenant |
| state | State/province of the tenant’s address |
| street | Street address of the tenant |
| tenant_type | Type of tenant (e.g., ‘AAD’) |
## EntraUser

Representation of an Entra User.

| Field | Description |
|---|---|
| id | Entra User ID (GUID) |
| user_principal_name | User Principal Name (UPN) of the user |
| display_name | Display name of the user |
| given_name | Given (first) name of the user |
| surname | Surname (last name) of the user |
| | Primary email address of the user |
| mobile_phone | Mobile phone number of the user |
| business_phones | Business phone numbers of the user |
| job_title | Job title of the user |
| department | Department of the user |
| office_location | Office location of the user |
| city | City of the user’s address |
| state | State/province of the user’s address |
| country | Country of the user’s address |
| company_name | Company name of the user |
| preferred_language | Preferred language of the user |
| employee_id | Employee ID of the user |
| employee_type | Type of employee |
| account_enabled | Whether the user account is enabled |
| age_group | Age group of the user |
| manager_id | ID of the user’s manager |

### Relationships

- All Entra users are linked to an Entra Tenant

  ```cypher
  (:EntraUser)-[:RESOURCE]->(:EntraTenant)
  ```

- Entra users are members of groups

  ```cypher
  (:EntraUser)-[:MEMBER_OF]->(:EntraGroup)
  ```

- Entra users can have app role assignments

  ```cypher
  (:EntraUser)-[:HAS_APP_ROLE]->(:EntraAppRoleAssignment)
  ```

- Entra users can have a manager

  ```cypher
  (:EntraUser)-[:MANAGES]->(:EntraUser)
  ```
## EntraOU

Representation of an Entra OU (Administrative Unit).

| Field | Description |
|---|---|
| id | Entra Administrative Unit (OU) ID (GUID) |
| display_name | Display name of the administrative unit |
| description | Description of the administrative unit |
| membership_type | Membership type (“Assigned” for static or “Dynamic” for rule-based) |
| visibility | Visibility setting (“Public” or “Private”) |
| is_member_management_restricted | Whether member management is restricted |
| deleted_date_time | Date and time when the administrative unit was soft-deleted |

### Relationships

- All Entra OUs are linked to an Entra Tenant

  ```cypher
  (:EntraOU)-[:RESOURCE]->(:EntraTenant)
  ```
## EntraGroup

Representation of an Entra Group.

| Field | Description |
|---|---|
| id | Entra Group ID (GUID) |
| display_name | Display name of the group |
| description | Description of the group |
| | Primary email address of the group |
| mail_nickname | Mail nickname |
| mail_enabled | Whether the group has a mailbox |
| security_enabled | Whether the group is security enabled |
| group_types | List of group types |
| visibility | Group visibility setting |
| is_assignable_to_role | Whether the group can be assigned to roles |
| created_date_time | Creation timestamp |
| deleted_date_time | Deletion timestamp if applicable |

### Relationships

- All Entra groups are linked to an Entra Tenant

  ```cypher
  (:EntraGroup)-[:RESOURCE]->(:EntraTenant)
  ```

- Entra users are members of groups

  ```cypher
  (:EntraUser)-[:MEMBER_OF]->(:EntraGroup)
  ```

- Entra groups can be members of other groups

  ```cypher
  (:EntraGroup)-[:MEMBER_OF]->(:EntraGroup)
  ```
## EntraApplication

Representation of an Entra Application.

| Field | Description |
|---|---|
| id | Entra Application ID (GUID) |
| app_id | Application (client) ID, the unique identifier for the application |
| display_name | Display name of the application |
| publisher_domain | Publisher domain of the application |
| sign_in_audience | Audience that can sign in to the application |
| created_date_time | Date and time when the application was created |
| web_redirect_uris | List of redirect URIs for web applications |
| lastupdated | Timestamp of when this node was last updated in Cartography |

### Relationships

- All Entra applications are linked to an Entra Tenant

  ```cypher
  (:EntraApplication)-[:RESOURCE]->(:EntraTenant)
  ```

- App role assignments link to applications

  ```cypher
  (:EntraAppRoleAssignment)-[:ASSIGNED_TO]->(:EntraApplication)
  ```
## EntraAppRoleAssignment

Representation of an Entra App Role Assignment.

| Field | Description |
|---|---|
| id | Unique identifier for the app role assignment |
| app_role_id | The ID of the app role assigned |
| created_date_time | Date and time when the assignment was created |
| principal_id | The ID of the user, group, or service principal assigned the role |
| principal_display_name | Display name of the assigned principal |
| principal_type | Type of principal (User, Group, or ServicePrincipal) |
| resource_display_name | Display name of the resource application |
| resource_id | The service principal ID of the resource application |
| application_app_id | The application ID used for linking to EntraApplication |
| lastupdated | Timestamp of when this node was last updated in Cartography |

### Relationships

- All app role assignments are linked to an Entra Tenant

  ```cypher
  (:EntraAppRoleAssignment)-[:RESOURCE]->(:EntraTenant)
  ```

- Users can have app role assignments

  ```cypher
  (:EntraUser)-[:HAS_APP_ROLE]->(:EntraAppRoleAssignment)
  ```

- Groups can have app role assignments

  ```cypher
  (:EntraGroup)-[:HAS_APP_ROLE]->(:EntraAppRoleAssignment)
  ```

- App role assignments are linked to applications

  ```cypher
  (:EntraAppRoleAssignment)-[:ASSIGNED_TO]->(:EntraApplication)
  ```
## Example Queries

Here are some common query patterns for working with Entra applications and access management.

### Application Access Analysis

Find all users with access to a specific application:

```cypher
MATCH (u:EntraUser)-[:HAS_APP_ROLE]->(ara:EntraAppRoleAssignment)-[:ASSIGNED_TO]->(app:EntraApplication)
WHERE app.display_name = "Finance Tracker"
RETURN u.display_name, u.user_principal_name, ara.created_date_time
ORDER BY ara.created_date_time DESC
```

Find all applications a user has access to:

```cypher
MATCH (u:EntraUser)-[:HAS_APP_ROLE]->(ara:EntraAppRoleAssignment)-[:ASSIGNED_TO]->(app:EntraApplication)
WHERE u.user_principal_name = "john.doe@example.com"
RETURN app.display_name, app.app_id, ara.app_role_id, ara.created_date_time
ORDER BY app.display_name
```

Find users with access via group membership:

```cypher
MATCH (u:EntraUser)-[:MEMBER_OF]->(g:EntraGroup)-[:HAS_APP_ROLE]->(ara:EntraAppRoleAssignment)-[:ASSIGNED_TO]->(app:EntraApplication)
WHERE app.display_name = "HR Portal"
RETURN u.display_name, u.user_principal_name, g.display_name AS group_name, ara.created_date_time
ORDER BY u.display_name
```
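Two further queries, added here as examples and not part of the Cartography docs, build on the relationships documented above: the first resolves effective access to an application through direct assignment or group membership at any nesting depth (the group-membership query above covers only one hop, but groups can be members of other groups), and the second lists disabled accounts that still hold app role assignments. The application name "Finance Tracker" and the depth bound of 5 are assumed values.

```cypher
// Added example, not from the Cartography docs. Effective access to one application:
// direct user assignment UNION membership in an assigned group at any nesting depth.
// "Finance Tracker" and the depth bound *1..5 are assumed values.
MATCH (app:EntraApplication {display_name: "Finance Tracker"})
      <-[:ASSIGNED_TO]-(ara:EntraAppRoleAssignment)<-[:HAS_APP_ROLE]-(u:EntraUser)
RETURN u.user_principal_name AS upn,
       u.account_enabled      AS enabled,
       "direct"               AS via,
       []                     AS group_chain,
       ara.app_role_id        AS app_role_id
UNION
// Groups can be members of other groups, so follow MEMBER_OF transitively
// and keep the chain of group display names so the path can be reviewed.
MATCH (app:EntraApplication {display_name: "Finance Tracker"})
      <-[:ASSIGNED_TO]-(ara:EntraAppRoleAssignment)<-[:HAS_APP_ROLE]-(g:EntraGroup)
MATCH p = (u:EntraUser)-[:MEMBER_OF*1..5]->(g)
RETURN u.user_principal_name AS upn,
       u.account_enabled      AS enabled,
       "group"                AS via,
       [n IN nodes(p) WHERE n:EntraGroup | n.display_name] AS group_chain,
       ara.app_role_id        AS app_role_id;

// Hygiene check: disabled accounts that still hold app role assignments,
// directly (zero MEMBER_OF hops, so p is the user itself) or through a group.
// These are candidates for assignment clean-up.
MATCH (u:EntraUser {account_enabled: false})
MATCH (u)-[:MEMBER_OF*0..5]->(p)-[:HAS_APP_ROLE]->(ara:EntraAppRoleAssignment)
      -[:ASSIGNED_TO]->(app:EntraApplication)
RETURN u.user_principal_name AS upn,
       app.display_name      AS application,
       CASE WHEN p = u THEN "direct" ELSE p.display_name END AS via,
       ara.created_date_time AS assigned_at
ORDER BY app.display_name, upn;
```

The `*1..5` and `*0..5` bounds keep the traversal cheap on large tenants; raise them if nested groups in your directory go deeper.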