The CData Sync App provides a straightforward way to continuously pipeline your Azure Active Directory data to any database, data lake, or data warehouse, making it easily available for Analytics, Reporting, AI, and Machine Learning.
The Azure Active Directory connector can be used from the CData Sync application to pull data from Azure Active Directory and move it to any of the supported destinations.
All hosted versions of Azure Active Directory are supported via the Microsoft Graph API v1.0. The data accessible via the Sync App includes information accessible from directory management.
For required properties, see the Settings tab.
For connection properties that are not typically required, see the Advanced tab.
CData provides an embedded OAuth application that simplifies authentication. You can, however, create a custom application for authentication. For information about creating a custom application and reasons for doing so, see Creating a Custom OAuth Application.
For authentication, the only difference between using the CData-provided (embedded) application and creating your own custom application is that a custom OAuth application requires two additional connection properties, which you set in the Advanced tab.
Before you connect, for Custom Azure AD applications only, set the following variables:
Click Connect to Azure Active Directory to open the OAuth endpoint in your default browser. Log in and grant permissions to the application.
The driver then completes the OAuth process as follows:
Azure Service Principal authentication is role-based and application-based. This means that authentication is done per application, rather than per user. All tasks taken on by the application are executed without a default user context, based on the assigned roles. The application's access to resources is controlled through the permissions of its assigned roles.
For information about how to set up Azure Service Principal authentication, see Creating a Custom OAuth Application.
If you are running Azure Active Directory on an Azure VM and want to leverage MSI to connect, set AuthScheme to AzureMSI.
When your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.
This section details a selection of advanced features of the Azure Active Directory Sync App.
The Sync App allows you to define virtual tables, called user defined views, whose contents are decided by a pre-configured query. These views are useful when you cannot directly control queries being issued to the drivers. See User Defined Views for an overview of creating and configuring custom views.
Use SSL Configuration to adjust how the Sync App handles TLS/SSL certificate negotiations. You can choose from various certificate formats; see the SSLServerCert property under "Connection String Options" for more information.
Configure the Sync App for compliance with Firewall and Proxy, including Windows proxies and HTTP proxies. You can also set up tunnel connections.
The Sync App offloads as much of the SELECT statement processing as possible to Azure Active Directory and then processes the rest of the query in memory (client-side).
See Query Processing for more information.
See Logging for an overview of configuration settings that can be used to refine CData logging. For basic logging, you only need to set two connection properties, but there are numerous features that support more refined logging, where you can select subsets of information to be logged using the LogModules connection property.
By default, the Sync App attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store.
To specify another certificate, see the SSLServerCert property for the available formats to do so.
To connect through the Windows system proxy, you do not need to set any additional connection properties. To connect to other proxies, set ProxyAutoDetect to false.
To authenticate to an HTTP proxy, set ProxyAuthScheme, ProxyUser, and ProxyPassword in addition to ProxyServer and ProxyPort.
Set the following properties:
This section shows the available API objects and provides more information on executing SQL to Azure Active Directory APIs.
Stored Procedures are function-like interfaces to Azure Active Directory. They can be used to modify information in Azure Active Directory.
The Sync App models the data in Azure Active Directory as a list of tables in a relational database that can be queried using standard SQL statements.
Name | Description |
Applications | Retrieves all applications for the authenticated user. |
Devices | Retrieves all Devices for the authenticated user. |
Domains | Retrieves all Domains for the authenticated user. |
Groups | Retrieves all Azure Active Directory (Azure AD) groups, which can be Office 365 groups, or security groups. |
Users | Retrieves all Azure AD user accounts within the authenticated permissions. |
Retrieves all applications for the authenticated user.
You can query Applications by specifying an Id or selecting all:
SELECT * FROM Applications WHERE Id = '037c5534-1059-4c71-9f1c-a9b887e34b03'
Select a certain column from the entity and filter by that column:
SELECT Id FROM Applications WHERE Id LIKE '%037c5534-1059-4c71-9f1c-a9b887e34b03%'
Specify a displayName to create a new Application. The displayName should be the name of the new Application:
INSERT INTO Applications (displayName) VALUES ('TestApp')
To update an Applications record, you need to specify the Id in the WHERE clause.
UPDATE Applications SET displayName = 'Test' WHERE Id = '037c5534-1059-4c71-9f1c-a9b887e34b03'
To delete an Applications record, you need to specify the Id in the WHERE clause.
DELETE FROM Applications WHERE Id = '480a2785-1c18-49ac-9a80-9dfc1b40e1f2'
Name | Type | ReadOnly | Description |
id [KEY] | String | False | The id of the application. |
addIns | String | False | The addIns of the application. |
api_acceptMappedClaims | Bool | False | The api_acceptMappedClaims of the application. |
api_knownClientApplications | String | False | The api_knownClientApplications of the application. |
api_oauth2PermissionScopes | String | False | The api_oauth2PermissionScopes of the application. |
api_preAuthorizedApplications | String | False | The api_preAuthorizedApplications of the application. |
api_requestedAccessTokenVersion | Int | False | The api_requestedAccessTokenVersion of the application. |
appId | String | False | The appId of the application. |
applicationTemplateId | String | False | The applicationTemplateId of the application. |
appRoles | String | False | The appRoles of the application. |
authenticationBehaviors_removeUnverifiedEmailClaim | Bool | False | The authenticationBehaviors_removeUnverifiedEmailClaim of the application. |
authenticationBehaviors_requireClientServicePrincipal | Bool | False | The authenticationBehaviors_requireClientServicePrincipal of the application. |
certification_certificationDetailsUrl | String | False | The certification_certificationDetailsUrl of the application. |
certification_certificationExpirationDateTime | Datetime | False | The certification_certificationExpirationDateTime of the application. |
certification_isCertifiedByMicrosoft | Bool | False | The certification_isCertifiedByMicrosoft of the application. |
certification_isPublisherAttested | Bool | False | The certification_isPublisherAttested of the application. |
certification_lastCertificationDateTime | Datetime | False | The certification_lastCertificationDateTime of the application. |
createdDateTime | Datetime | False | The createdDateTime of the application. |
defaultRedirectUri | String | False | The defaultRedirectUri of the application. |
description | String | False | The description of the application. |
disabledByMicrosoftStatus | String | False | The disabledByMicrosoftStatus of the application. |
displayName | String | False | The displayName of the application. |
groupMembershipClaims | String | False | The groupMembershipClaims of the application. |
identifierUris | String | False | The identifierUris of the application. |
info_logoUrl | String | False | The info_logoUrl of the application. |
info_marketingUrl | String | False | The info_marketingUrl of the application. |
info_privacyStatementUrl | String | False | The info_privacyStatementUrl of the application. |
info_supportUrl | String | False | The info_supportUrl of the application. |
info_termsOfServiceUrl | String | False | The info_termsOfServiceUrl of the application. |
isDeviceOnlyAuthSupported | Bool | False | The isDeviceOnlyAuthSupported of the application. |
isFallbackPublicClient | Bool | False | The isFallbackPublicClient of the application. |
keyCredentials | String | False | The keyCredentials of the application. |
logo | String | False | The logo of the application. |
notes | String | False | The notes of the application. |
oauth2RequirePostResponse | Bool | False | The oauth2RequirePostResponse of the application. |
optionalClaims_accessToken | String | False | The optionalClaims_accessToken of the application. |
optionalClaims_idToken | String | False | The optionalClaims_idToken of the application. |
optionalClaims_saml2Token | String | False | The optionalClaims_saml2Token of the application. |
parentalControlSettings_countriesBlockedForMinors | String | False | The parentalControlSettings_countriesBlockedForMinors of the application. |
parentalControlSettings_legalAgeGroupRule | String | False | The parentalControlSettings_legalAgeGroupRule of the application. |
passwordCredentials | String | False | The passwordCredentials of the application. |
publicClient_redirectUris | String | False | The publicClient_redirectUris of the application. |
publisherDomain | String | False | The publisherDomain of the application. |
requiredResourceAccess | String | False | The requiredResourceAccess of the application. |
samlMetadataUrl | String | False | The samlMetadataUrl of the application. |
serviceManagementReference | String | False | The serviceManagementReference of the application. |
servicePrincipalLockConfiguration_isEnabled | Bool | False | The servicePrincipalLockConfiguration_isEnabled of the application. |
servicePrincipalLockConfiguration_allProperties | Bool | False | The servicePrincipalLockConfiguration_allProperties of the application. |
servicePrincipalLockConfiguration_credentialsWithUsageVerify | Bool | False | The servicePrincipalLockConfiguration_credentialsWithUsageVerify of the application. |
servicePrincipalLockConfiguration_credentialsWithUsageSign | Bool | False | The servicePrincipalLockConfiguration_credentialsWithUsageSign of the application. |
servicePrincipalLockConfiguration_tokenEncryptionKeyId | Bool | False | The servicePrincipalLockConfiguration_tokenEncryptionKeyId of the application. |
signInAudience | String | False | The signInAudience of the application. |
spa_redirectUris | String | False | The spa_redirectUris of the application. |
tags | String | False | The tags of the application. |
tokenEncryptionKeyId | String | False | The tokenEncryptionKeyId of the application. |
verifiedPublisher_addedDateTime | Datetime | False | The verifiedPublisher_addedDateTime of the application. |
verifiedPublisher_displayName | String | False | The verifiedPublisher_displayName of the application. |
verifiedPublisher_verifiedPublisherId | String | False | The verifiedPublisher_verifiedPublisherId of the application. |
web_homePageUrl | String | False | The web_homePageUrl of the application. |
web_implicitGrantSettings_enableAccessTokenIssuance | Bool | False | The web_implicitGrantSettings_enableAccessTokenIssuance of the application. |
web_implicitGrantSettings_enableIdTokenIssuance | Bool | False | The web_implicitGrantSettings_enableIdTokenIssuance of the application. |
web_logoutUrl | String | False | The web_logoutUrl of the application. |
web_redirectUris | String | False | The web_redirectUris of the application. |
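Once the Applications table has been replicated to a destination database, its columns can be audited for app-registration hygiene. The following is an added example, not CData's code: it uses an in-memory SQLite database as a stand-in destination with constructed rows, and assumes that Bool columns arrive as 0/1 and that the String columns web_redirectUris and passwordCredentials hold JSON arrays in the Microsoft Graph shape (passwordCredentials entries with keyId and endDateTime). The function names and finding labels are hypothetical.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample rows (not real tenant data). Fields, in order: id,
# displayName, signInAudience, web_implicitGrantSettings_enableAccessTokenIssuance,
# web_implicitGrantSettings_enableIdTokenIssuance, web_redirectUris, passwordCredentials.
SAMPLE_APPS = [
    ("00000000-0000-0000-0000-000000000001", "hr-portal", "AzureADMyOrg", 0, 0,
     '["https://hr.example.test/callback", "http://localhost:8400/cb"]',
     '[{"keyId": "k1", "endDateTime": "2024-06-01T00:00:00Z"}]'),
    ("00000000-0000-0000-0000-000000000002", "legacy-spa", "AzureADMultipleOrgs", 1, 1,
     '["http://legacy.example.test/cb", "https://*.example.test/cb"]',
     '[]'),
    ("00000000-0000-0000-0000-000000000003", "batch-job", "AzureADMyOrg", 0, 0,
     None,
     '[{"keyId": "k2", "endDateTime": "2021-06-30T00:00:00Z"},'
     ' {"keyId": "k3", "endDateTime": "2099-12-31T00:00:00.0000000Z"}]'),
]


def load_destination(rows):
    """Create the stand-in destination table and load the replicated rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE Applications (
               id TEXT PRIMARY KEY, displayName TEXT, signInAudience TEXT,
               web_implicitGrantSettings_enableAccessTokenIssuance INTEGER,
               web_implicitGrantSettings_enableIdTokenIssuance INTEGER,
               web_redirectUris TEXT, passwordCredentials TEXT)"""
    )
    conn.executemany("INSERT INTO Applications VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def _json_list(text):
    """Parse a JSON-array column: NULL or empty gives [], malformed gives None."""
    if not text:
        return []
    try:
        value = json.loads(text)
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, list) else None


def _parse_utc(text):
    """Parse a Graph-style UTC timestamp, ignoring any fraction and the 'Z'."""
    return datetime.strptime(text[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_applications(conn, now, max_secret_days=365):
    """Return {displayName: [finding, ...]} for applications with findings."""
    query = """SELECT displayName, signInAudience,
                      web_implicitGrantSettings_enableAccessTokenIssuance,
                      web_implicitGrantSettings_enableIdTokenIssuance,
                      web_redirectUris, passwordCredentials
               FROM Applications ORDER BY displayName"""
    findings = {}
    for name, audience, access_tok, id_tok, uris, creds in conn.execute(query):
        issues = []
        if access_tok or id_tok:
            issues.append("implicit grant token issuance enabled")
        if audience and audience != "AzureADMyOrg":
            issues.append(f"sign-in audience is {audience}")
        uri_list, cred_list = _json_list(uris), _json_list(creds)
        if uri_list is None or cred_list is None:
            issues.append("unparseable JSON column, review manually")
        for uri in map(str, uri_list or []):
            if "*" in uri:
                issues.append(f"wildcard redirect URI: {uri}")
            elif (urlsplit(uri).scheme == "http"
                  and urlsplit(uri).hostname not in ("localhost", "127.0.0.1")):
                issues.append(f"non-HTTPS redirect URI: {uri}")
        for cred in cred_list or []:
            if not isinstance(cred, dict) or not cred.get("endDateTime"):
                continue
            try:
                end = _parse_utc(str(cred["endDateTime"]))
            except ValueError:
                issues.append(f"unparseable endDateTime on secret {cred.get('keyId')}")
                continue
            if end < now:
                issues.append(f"expired client secret {cred.get('keyId')}")
            elif end - now > timedelta(days=max_secret_days):
                issues.append(f"client secret {cred.get('keyId')} valid for more than "
                              f"{max_secret_days} days")
        if issues:
            findings[name] = issues
    return findings


def run_sample_audit():
    """Audit the constructed rows at a fixed 'now' so the result is reproducible."""
    conn = load_destination(SAMPLE_APPS)
    return audit_applications(conn, datetime(2024, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for app, issues in run_sample_audit().items():
        for issue in issues:
            print(f"{app}: {issue}")
```

Against a real destination, replace load_destination with a connection to the replicated database and pass the current UTC time as now.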
Retrieves all Devices for the authenticated user.
You can query Devices by specifying an Id or selecting all:
SELECT * FROM Devices WHERE Id = '2b9c0347-9640-4ba4-bd2d-50965fb026e7'
Select a certain column from the entity and filter by that column:
SELECT * FROM Devices WHERE DisplayName LIKE '%Desk%'
Specify deviceId, accountEnabled, displayName, operatingSystem, operatingSystemVersion, and alternativeSecurityIds values in order to create a new Device:
INSERT INTO Devices (deviceId, accountEnabled, displayName, operatingSystem, operatingSystemVersion, alternativeSecurityIds) VALUES ('4c299165-6e8f-4b45-a5ba-c5d250a707ff', false, 'JustinBTest', 'Windows', '15.1', '[{"type":2,"key":"101010101011"}]')
To update a Device record, you need to specify the Id in the WHERE clause.
UPDATE Devices SET OperatingSystemVersion = '10.0.13439.0' WHERE Id = '6c32edb5-7f28-41f8-9965-f3f9a1718fde'
To delete a Device record, you need to specify the Id in the WHERE clause.
DELETE FROM Devices WHERE Id = '6c32edb5-7f28-41f8-9965-f3f9a1718fde'
Name | Type | ReadOnly | Description |
id [KEY] | String | False | The Id of the device. |
deletedDateTime | Datetime | False | The datetime when the device was deleted. |
accountEnabled | Bool | False | Indicator if device is account enabled. |
alternativeSecurityIds | String | False | The alternativeSecurityIds of the device. |
approximateLastSignInDateTime | Datetime | False | The approximateLastSignInDateTime of the device. |
complianceExpirationDateTime | Datetime | False | The complianceExpirationDateTime of the device. |
deviceCategory | String | False | The deviceCategory of the device. |
deviceId | String | False | The deviceId of the device. |
deviceMetadata | String | False | The deviceMetadata of the device. |
deviceOwnership | String | False | The deviceOwnership of the device. |
deviceVersion | Int | False | The deviceVersion of the device. |
displayName | String | False | The displayName of the device. |
enrollmentProfileName | String | False | The enrollmentProfileName of the device. |
isCompliant | Bool | False | Indicator if device is compliant. |
isManaged | Bool | False | Indicator if device is managed. |
isManagementRestricted | Bool | False | Indicator if device is management restricted. |
mdmAppId | String | False | The mdmAppId of the device. |
onPremisesLastSyncDateTime | Datetime | False | The onPremisesLastSyncDateTime of the device. |
onPremisesSecurityIdentifier | String | False | The onPremisesSecurityIdentifier of the device. |
onPremisesSyncEnabled | Bool | False | Indicator if device is on premises sync enabled. |
operatingSystem | String | False | The operatingSystem of the device. |
operatingSystemVersion | String | False | The operatingSystemVersion of the device. |
physicalIds | String | False | The physicalIds of the device. |
profileType | String | False | The profileType of the device. |
registrationDateTime | Datetime | False | The registrationDateTime of the device. |
systemLabels | String | False | The systemLabels of the device. |
trustType | String | False | The trustType of the device. |
Retrieves all Domains for the authenticated user.
You can query Domains by specifying an Id or selecting all:
SELECT * FROM Domains WHERE Id = 'rssbus.cn'
Select a certain column from the entity and filter by that column:
SELECT Id FROM Domains WHERE Id LIKE '%rssbus%'
Specify an Id to create a new Domain. The Id should be the name of the new Domain:
INSERT INTO Domains (Id) VALUES ('cdata.com')
To update a Domain record, you need to specify the Id in the WHERE clause.
UPDATE Domains SET passwordNotificationWindowInDays = 14 WHERE Id = 'cdata.com'
To delete a Domain record, you need to specify the Id in the WHERE clause.
DELETE FROM Domains WHERE Id = 'cdata.com'
Name | Type | ReadOnly | Description |
id [KEY] | String | False | The id of the domain. |
authenticationType | String | False | The authenticationType of the domain. |
availabilityStatus | String | False | The availabilityStatus of the domain. |
isAdminManaged | Bool | False | Indicator if domain is admin managed. |
isDefault | Bool | False | Indicator if domain is default. |
isInitial | Bool | False | Indicator if domain is initial. |
isRoot | Bool | False | Indicator if domain is root. |
isVerified | Bool | False | Indicator if domain is verified. |
passwordNotificationWindowInDays | Int | False | The passwordNotificationWindowInDays of the domain. |
passwordValidityPeriodInDays | Int | False | The passwordValidityPeriodInDays of the domain. |
state_lastActionDateTime | Datetime | False | The lastActionDateTime of the state. |
state_operation | String | False | The operation of the state. |
state_status | String | False | The status of the state. |
supportedServices | String | False | The supported services of the domain. |
Retrieves all Azure Active Directory (Azure AD) groups, which can be Office 365 groups, or security groups.
Groups require Administrator permissions. To work with them, you must create your own custom OAuth App and set the appropriate OAuthClientId and OAuthClientSecret. Configure this app to request the Group.Read.All and Group.ReadWrite.All permissions. This can be done at https://apps.dev.microsoft.com, or in the App Registrations panel at http://portal.azure.com. See Creating a Custom OAuth Application for more details on creating a custom app.
To authorize Groups permissions, an administrator must grant the Groups permissions for your organization at large. This can be done via the administrator authorization endpoint. Simply have the administrator grant permissions. Then run the OAuth authorization as normal afterwards.
Note that if your organization has multiple tenants, you may replace the /common/ in the URL with the tenant Id to indicate which tenant to grant permissions for.
Retrieve all groups, specify a GroupId (Id), or simply filter by a certain column:
SELECT * FROM Groups WHERE Id = '029b15a8-dfd1-460e-83b6-262a75328c13'
SELECT Id, Description, DisplayName FROM Groups WHERE Name = 'test'
The following are required to create a new Security Group:
INSERT INTO Groups (DisplayName, MailEnabled, MailNickname, SecurityEnabled) VALUES ('Test group', false, 'test', true)
To update a group record, you need to specify the Id in the WHERE clause.
UPDATE Groups SET Description = 'updated description from api' WHERE Id = 'bc48eaf7-0dc6-45d1-b17a-5b5397466ee1'
To delete a group record, you need to specify the Id in the WHERE clause.
DELETE FROM Groups WHERE Id = 'bc48eaf7-0dc6-45d1-b17a-5b5397466ee1'
Retrieve recently deleted groups. Deleted groups remain available for up to 30 days.
GETDELETED FROM Groups
Name | Type | ReadOnly | Description |
id [KEY] | String | False | The Id of the group. |
deletedDateTime | Datetime | False | The datetime when the group was deleted. |
allowExternalSenders | Bool | False | The indicator showing if external senders should be allowed or not. |
assignedLabels | String | False | The assigned labels of the group. |
assignedLicenses | String | False | The assigned licenses of the group. |
autoSubscribeNewMembers | Bool | False | The indicator showing if new members should be autosubscribed. |
classification | String | False | The classification of the group. |
createdDateTime | Datetime | False | The created DateTime of the group. |
description | String | False | The description of the group. |
displayName | String | False | The display name of the group. |
expirationDateTime | Datetime | False | The expiration datetime of the group. |
groupTypes | String | False | The types of the group. |
hasMembersWithLicenseErrors | Bool | False | Indicator if there are members with license error. |
hideFromAddressLists | Bool | False | Whether or not to hide the group from address lists. |
hideFromOutlookClients | Bool | False | Whether or not to hide the group from Outlook Clients. |
isArchived | Bool | False | Indicator if group is archived. |
isAssignableToRole | Bool | False | Indicator if group is assignable to role. |
isManagementRestricted | Bool | False | Indicator if group is management restricted. |
isSubscribedByMail | Bool | False | Indicator if group is subscribed by email. |
licenseProcessingState | String | False | The license processing state of the group. |
mail | String | False | The mail of the group. |
mailEnabled | Bool | False | Indicator if mail is enabled in the group. |
mailNickname | String | False | The mail nickname of the group. |
membershipRule | String | False | The membership rule of the group. |
membershipRuleProcessingState | String | False | The membership rule processing state of the group. |
onPremisesDomainName | String | False | The Domain Name of the group. |
onPremisesLastSyncDateTime | Datetime | False | The LastSync DateTime of the group. |
onPremisesProvisioningErrors | String | False | The provisioning errors of the group. |
onPremisesSamAccountName | String | False | The Sam Account Name of the group. |
onPremisesSecurityIdentifier | String | False | The security identifier of the group. |
onPremisesSyncEnabled | Bool | False | Indicator if sync is enabled in the group. |
preferredDataLocation | String | False | The preferred data location of the group. |
preferredLanguage | String | False | Preferred language in the group. |
proxyAddresses | String | False | The proxy addresses of the group. |
renewedDateTime | Datetime | False | The renewed DateTime of the group. |
securityEnabled | Bool | False | Indicator if security is enabled in the group. |
securityIdentifier | String | False | The security identifier of the group. |
serviceProvisioningErrors | String | False | The service provisioning errors of the group. |
theme | String | False | The theme of the group. |
unseenCount | Int | False | The unseen count of the group. |
visibility | String | False | The visibility of the group. |
Retrieves all Azure AD user accounts within the authenticated permissions.
Query the Users table. The Sync App will use the Azure Active Directory API to process WHERE clause conditions built with the following columns and operators. The rest of the filter is executed client side within the Sync App.
For example, the following query is processed server side:
SELECT * FROM Users WHERE Id = '08d30c14-2775-45c9-8809-3eca47340959'
Note: when querying the Users table with an asterisk (*), only the default columns are returned: businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName.
To get the data for extra columns in the Users table, you must provide them in the query. For example:
SELECT id, department, officeLocation, state, displayName, mail FROM Users
The following are required to create a new organizational User:
INSERT INTO Users (AccountEnabled, DisplayName, MailNickname, UserPrincipalName, PasswordProfile_ForceChangePasswordNextSignIn, PasswordProfile_Password) VALUES (false, 'John Smith', 'JohnS', '[email protected]', true, '123password')
To update a user record, you need to specify the Id in the WHERE clause.
UPDATE Users SET JobTitle = 'New Job Title' WHERE Id = 'bc48eaf7-0dc6-45d1-b17a-5b5397466ee1'
To delete a user record, you need to specify the Id in the WHERE clause.
DELETE FROM Users WHERE Id = 'bc48eaf7-0dc6-45d1-b17a-5b5397466ee1'
Retrieve recently deleted users. Deleted users remain available for up to 30 days.
GETDELETED FROM Users
Name | Type | ReadOnly | Description |
id [KEY] | String | False | The id of the user. |
deletedDateTime | Datetime | False | The deletedDateTime of the user. |
accountEnabled | Bool | False | Indicates if accountEnabled for the user. |
businessPhones | String | False | The businessPhones of the user. |
city | String | False | The city of the user. |
companyName | String | False | The companyName of the user. |
country | String | False | The country of the user. |
createdDateTime | Datetime | False | The createdDateTime of the user. |
department | String | False | The department of the user. |
displayName | String | False | The displayName of the user. |
employeeHireDate | Datetime | False | The employeeHireDate of the user. |
employeeId | String | False | The employeeId of the user. |
employeeOrgData_costCenter | String | False | The employeeOrgData_costCenter of the user. |
employeeOrgData_division | String | False | The employeeOrgData_division of the user. |
employeeType | String | False | The employeeType of the user. |
givenName | String | False | The givenName of the user. |
identities | String | False | The identities of the user. |
imAddresses | String | False | The imAddresses of the user. |
isManagementRestricted | Bool | False | Indicator if user is management restricted. |
isResourceAccount | Bool | False | Indicates if it isResourceAccount of the user. |
jobTitle | String | False | The jobTitle of the user. |
lastPasswordChangeDateTime | Datetime | False | The lastPasswordChangeDateTime of the user. |
mail | String | False | The mail of the user. |
mailNickname | String | False | The mailNickname of the user. |
mobilePhone | String | False | The mobilePhone of the user. |
officeLocation | String | False | The officeLocation of the user. |
onPremisesDistinguishedName | String | False | The onPremisesDistinguishedName of the user. |
onPremisesDomainName | String | False | The onPremisesDomainName of the user. |
onPremisesExtensionAttributes_extensionAttribute1 | String | False | The onPremisesExtensionAttributes_extensionAttribute1 of the user. |
onPremisesExtensionAttributes_extensionAttribute10 | String | False | The onPremisesExtensionAttributes_extensionAttribute10 of the user. |
onPremisesExtensionAttributes_extensionAttribute11 | String | False | The onPremisesExtensionAttributes_extensionAttribute11 of the user. |
onPremisesExtensionAttributes_extensionAttribute12 | String | False | The onPremisesExtensionAttributes_extensionAttribute12 of the user. |
onPremisesExtensionAttributes_extensionAttribute13 | String | False | The onPremisesExtensionAttributes_extensionAttribute13 of the user. |
onPremisesExtensionAttributes_extensionAttribute14 | String | False | The onPremisesExtensionAttributes_extensionAttribute14 of the user. |
onPremisesExtensionAttributes_extensionAttribute15 | String | False | The onPremisesExtensionAttributes_extensionAttribute15 of the user. |
onPremisesExtensionAttributes_extensionAttribute2 | String | False | The onPremisesExtensionAttributes_extensionAttribute2 of the user. |
onPremisesExtensionAttributes_extensionAttribute3 | String | False | The onPremisesExtensionAttributes_extensionAttribute3 of the user. |
onPremisesExtensionAttributes_extensionAttribute4 | String | False | The onPremisesExtensionAttributes_extensionAttribute4 of the user. |
onPremisesExtensionAttributes_extensionAttribute5 | String | False | The onPremisesExtensionAttributes_extensionAttribute5 of the user. |
onPremisesExtensionAttributes_extensionAttribute6 | String | False | The onPremisesExtensionAttributes_extensionAttribute6 of the user. |
onPremisesExtensionAttributes_extensionAttribute7 | String | False | The onPremisesExtensionAttributes_extensionAttribute7 of the user. |
onPremisesExtensionAttributes_extensionAttribute8 | String | False | The onPremisesExtensionAttributes_extensionAttribute8 of the user. |
onPremisesExtensionAttributes_extensionAttribute9 | String | False | The onPremisesExtensionAttributes_extensionAttribute9 of the user. |
onPremisesImmutableId | String | False | The onPremisesImmutableId of the user. |
onPremisesLastSyncDateTime | Datetime | False | The onPremisesLastSyncDateTime of the user. |
onPremisesProvisioningErrors | String | False | The onPremisesProvisioningErrors of the user. |
onPremisesSamAccountName | String | False | The onPremisesSamAccountName of the user. |
onPremisesSecurityIdentifier | String | False | The onPremisesSecurityIdentifier of the user. |
onPremisesSyncEnabled | Bool | False | Indicates onPremisesSyncEnabled for the user. |
onPremisesUserPrincipalName | String | False | The onPremisesUserPrincipalName of the user. |
otherMails | String | False | The otherMails of the user. |
passwordProfile_forceChangePasswordNextSignIn | Bool | False | The passwordProfile_forceChangePasswordNextSignIn of the user. |
passwordProfile_forceChangePasswordNextSignInWithMfa | Bool | False | The passwordProfile_forceChangePasswordNextSignInWithMfa of the user. |
passwordProfile_password | String | False | The passwordProfile_password of the user. |
postalCode | String | False | The postalCode of the user. |
preferredLanguage | String | False | The preferredLanguage of the user. |
serviceProvisioningErrors | String | False | The service provisioning errors of the user. |
state | String | False | The state of the user. |
streetAddress | String | False | The streetAddress of the user. |
surname | String | False | The surname of the user. |
userPrincipalName | String | False | The userPrincipalName of the user. |
userType | String | False | The userType of the user. |
Views are similar to tables in the way that data is represented; however, views are read-only.
Queries can be executed against a view as if it were a normal table.
Name | Description |
AdministrativeUnitMembers | Retrieves all AdministrativeUnitMembers for the authenticated user. |
AdministrativeUnits | Retrieves all AdministrativeUnits for the authenticated user. |
Contacts | Retrieves the Contacts for the organization. |
Contracts | Retrieves all contracts for the authenticated user. |
DeviceLocalCredentials | Retrieves the local administrator account credential of a device object. |
DeviceRegisteredOwners | DeviceRegisteredOwners table for Azure AD data provider. |
DeviceRegisteredUsers | DeviceRegisteredUsers table for Azure AD data provider. |
DirectoryAudits | Retrieves all directory audit items for the authenticated user. |
DirectoryRoleMembers | DirectoryRoleMembers table for Azure AD data provider. |
DirectoryRoles | Retrieves all DirectoryRoles for the authenticated user. |
DirectoryRoleTemplates | Retrieves all DirectoryRoleTemplates for the authenticated user. |
GroupApplicationRoleAssignments | GroupApplicationRoleAssignments table for Azure AD data provider. |
GroupMembers | GroupMembers table for Azure AD data providers. |
Organization | Retrieves the Organization for the authenticated user. |
RoleAssignments | Retrieves the Role Assignments for the Azure AD. |
RoleDefinitions | Retrieves the Role Definitions for the Azure AD. |
SignIns | Retrieves the user sign-ins for your tenant. |
UserApplicationRoleAssignments | UserApplicationRoleAssignments table for Azure AD data provider. |
UserManagers | UserManagers table for Azure AD data provider. |
Retrieves all AdministrativeUnitMembers for the authenticated user.
Get the members of administrative units in your Azure Active Directory. You can filter results by UnitId and MemberId.
For example, the following queries are processed server side:
SELECT * FROM AdministrativeUnitMembers WHERE UnitId = '1721e354-9b76-49d5-bdf1-bb30a936c3ab'
SELECT * FROM AdministrativeUnitMembers WHERE MemberId IN (SELECT Id FROM Users)
Name | Type | Description |
UnitId [KEY] | String | The id of the administrativeUnit. |
MemberId [KEY] | String | The User or Group Id of the user listed. |
Retrieves all AdministrativeUnits for the authenticated user.
Most filters are handled server side. A filter on Id, however, changes the endpoint used to retrieve the data, so it must be specified with an '=' or IN condition.
For example:
SELECT * FROM AdministrativeUnits WHERE Id = '1721e354-9b76-49d5-bdf1-bb30a936c3ab'
SELECT * FROM AdministrativeUnits WHERE Id IN ('1721e354-9b76-49d5-bdf1-bb30a936c3ab')
SELECT * FROM AdministrativeUnits WHERE DisplayName LIKE '%Test%'
Name | Type | Description |
id [KEY] | String | The id of the administrativeUnit. |
deletedDateTime | Datetime | The datetime when the administrativeUnit was deleted. |
description | String | The description of the administrativeUnit. |
displayName | String | The displayName of the administrativeUnit. |
isMemberManagementRestricted | Bool | Indicator if administrativeUnit is member management restricted. |
visibility | String | The visibility of the administrativeUnit. |
Retrieves the Contacts for the organization.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM Contacts WHERE Id = '8b0a526e-178d-4494-a276-8819b74d7933'
SELECT * FROM Contacts WHERE Id IN ('8b0a526e-178d-4494-a276-8819b74d7933', 'a8f14261-fb3b-42f7-a27a-d29877b5010b')
SELECT * FROM Contacts WHERE DisplayName LIKE '%Test%'
Name | Type | Description |
id [KEY] | String | The id of the organizationalContact. |
deletedDateTime | Datetime | The datetime when the contact was deleted. |
addresses | String | The addresses of the organizationalContact. |
companyName | String | The companyName of the organizationalContact. |
department | String | The department of the organizationalContact. |
displayName | String | The displayName of the organizationalContact. |
givenName | String | The givenName of the organizationalContact. |
jobTitle | String | The jobTitle of the organizationalContact. |
mail | String | The mail of the organizationalContact. |
mailNickname | String | The mailNickname of the organizationalContact. |
onPremisesLastSyncDateTime | Datetime | The onPremisesLastSyncDateTime of the organizationalContact. |
onPremisesProvisioningErrors | String | The provisioning errors of the organizationalContact. |
onPremisesSyncEnabled | Bool | Indicator if organizationalContact is onPremisesSyncEnabled. |
phones | String | The phones of the organizationalContact. |
proxyAddresses | String | The proxyAddresses of the organizationalContact. |
surname | String | The surname of the organizationalContact. |
Retrieves all contracts for the authenticated user.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM Contracts WHERE Id = '8b0a526e-178d-4494-a276-8819b74d7933'
SELECT * FROM Contracts WHERE Id IN ('8b0a526e-178d-4494-a276-8819b74d7933')
SELECT * FROM Contracts WHERE DisplayName LIKE '%Test%'
Name | Type | Description |
id [KEY] | String | The id of the contract. |
deletedDateTime | Datetime | The datetime when the contract was deleted. |
contractType | String | The contractType of the contract. |
customerId | String | The customerId of the contract. |
defaultDomainName | String | The defaultDomainName of the contract. |
displayName | String | The displayName of the contract. |
Retrieves the local administrator account credential of a device object.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM DeviceLocalCredentials WHERE Id = '2183313c-ac52-4772-8482-7b2eb2a5d7c9_LBZWQ_311068785'
SELECT * FROM DeviceLocalCredentials WHERE Id IN ('2183313c-ac52-4772-8482-7b2eb2a5d7c9_LBZWQ_311068785')
SELECT * FROM DeviceLocalCredentials WHERE DeviceName LIKE '%Desktop%'
Name | Type | Description |
id [KEY] | String | The id of the deviceLocalCredential. |
credentials | String | The credentials of the deviceLocalCredential. |
deviceName | String | The deviceName of the deviceLocalCredential. |
lastBackupDateTime | Datetime | The lastBackupDateTime of the deviceLocalCredential. |
refreshDateTime | Datetime | The refreshDateTime of the deviceLocalCredential. |
DeviceRegisteredOwners table for Azure AD data provider.
Get the owners of registered Devices in your Azure Active Directory. You can filter results by DeviceId and OwnerId.
For example, the following queries are processed server side:
SELECT * FROM DeviceRegisteredOwners WHERE DeviceId = '2b9c0347-9640-4ba4-bd2d-50965fb026e7'
SELECT * FROM DeviceRegisteredOwners WHERE OwnerId IN (SELECT Id FROM Groups)
Name | Type | Description |
DeviceId [KEY] | String | The Id of the Device. |
OwnerId [KEY] | String | The User Id of the owner listed. |
DeviceRegisteredUsers table for Azure AD data provider.
Get the users of registered Devices in your Azure Active Directory. You can filter results by DeviceId and UserId.
For example, the following queries are processed server side:
SELECT * FROM DeviceRegisteredUsers WHERE DeviceId = '2b9c0347-9640-4ba4-bd2d-50965fb026e7'
SELECT * FROM DeviceRegisteredUsers WHERE UserId IN (SELECT Id FROM Users)
Name | Type | Description |
DeviceId [KEY] | String | The Id of the Device. |
UserId [KEY] | String | The User Id of the user listed. |
Retrieves all directory audit items for the authenticated user.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM DirectoryAudits WHERE Id = 'Directory_2183313c-ac52-4772-8482-7b2eb2a5d7c9_LBZWQ_311068785'
SELECT * FROM DirectoryAudits WHERE Id IN ('Directory_2183313c-ac52-4772-8482-7b2eb2a5d7c9_LBZWQ_311068785')
SELECT * FROM DirectoryAudits WHERE ActivityDisplayName LIKE '%Update%'
Name | Type | Description |
id [KEY] | String | The id of the DirectoryAudit. |
activityDateTime | Datetime | The activityDateTime of the DirectoryAudit. |
activityDisplayName | String | The activityDisplayName of the DirectoryAudit. |
additionalDetails | String | The additionalDetails of the DirectoryAudit. |
category | String | The category of the DirectoryAudit. |
correlationId | String | The correlationId of the DirectoryAudit. |
initiatedBy_app_appid | String | The initiatedBy_app_appid of the DirectoryAudit. |
initiatedBy_app_displayName | String | The initiatedBy_app_displayName of the DirectoryAudit. |
initiatedBy_app_servicePrincipalId | String | The initiatedBy_app_servicePrincipalId of the DirectoryAudit. |
initiatedBy_app_servicePrincipalName | String | The initiatedBy_app_servicePrincipalName of the DirectoryAudit. |
loggedByService | String | The loggedByService of the DirectoryAudit. |
operationType | String | The operationType of the DirectoryAudit. |
result | String | The result of the DirectoryAudit. |
resultReason | String | The resultReason of the DirectoryAudit. |
targetResources | String | The targetResources of the DirectoryAudit. |
DirectoryRoleMembers table for Azure AD data provider.
Get the members of Directory Roles in your Azure Active Directory. You can filter results by RoleId and UserId.
For example, the following queries are processed server side:
SELECT * FROM DirectoryRoleMembers WHERE RoleId = '25502c98-94df-43fa-baf7-4a105e200030'
SELECT * FROM DirectoryRoleMembers WHERE UserId IN (SELECT Id FROM Users)
Name | Type | Description |
RoleId [KEY] | String | The id of the directoryRole. |
UserId [KEY] | String | The User Id of the user listed. |
Retrieves all DirectoryRoles for the authenticated user.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM DirectoryRoles WHERE Id = '0f1032b0-ec73-4f72-836e-3b4411ea70c6'
SELECT * FROM DirectoryRoles WHERE RoleTemplateId = '4d6ac14f-3453-41d0-bef9-a3e0c569773a'
SELECT * FROM DirectoryRoles WHERE Id IN ('0f1032b0-ec73-4f72-836e-3b4411ea70c6', '081c8ba7-15a3-4c39-9972-053427b3c857')
SELECT * FROM DirectoryRoles WHERE DisplayName LIKE '%Admin%'
Name | Type | Description |
id [KEY] | String | The id of the directoryRole. |
deletedDateTime | Datetime | The datetime when the directoryRole was deleted. |
description | String | The description of the directoryRole. |
displayName | String | The displayName of the directoryRole. |
roleTemplateId | String | The roleTemplateId of the directoryRole. |
Retrieves all DirectoryRoleTemplates for the authenticated user.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM DirectoryRoleTemplates WHERE Id = '62e90394-69f5-4237-9190-012177145e10'
SELECT * FROM DirectoryRoleTemplates WHERE Id IN ('62e90394-69f5-4237-9190-012177145e10', '2af84b1e-32c8-42b7-82bc-daa82404023b')
SELECT * FROM DirectoryRoleTemplates WHERE DisplayName LIKE '%Admin%'
Name | Type | Description |
id [KEY] | String | The id of the directoryRoleTemplate. |
deletedDateTime | Datetime | The datetime when the directoryRoleTemplate was deleted. |
description | String | The description of the directoryRoleTemplate. |
displayName | String | The displayName of the directoryRoleTemplate. |
GroupApplicationRoleAssignments table for Azure AD data provider.
Get the group application roles assignments in your Azure Active Directory. You can filter results by GroupId.
For example, the following queries are processed server side:
SELECT * FROM GroupApplicationRoleAssignments WHERE GroupId = 'ffacf701-6caf-4228-9e3b-7e57c14122ee'
SELECT * FROM GroupApplicationRoleAssignments WHERE GroupId IN (SELECT Id FROM Groups)
Name | Type | Description |
GroupId [KEY] | String | The GroupId of the ApplicationRoleAssignment. |
id [KEY] | String | The id of the ApplicationRoleAssignment. |
appRoleId | String | The appRoleId of the ApplicationRoleAssignment. |
createdDateTime | Datetime | The createdDateTime of the ApplicationRoleAssignment. |
principalDisplayName | String | The principalDisplayName of the ApplicationRoleAssignment. |
principalId | String | The principalId of the ApplicationRoleAssignment. |
principalType | String | The principalType of the ApplicationRoleAssignment. |
resourceDisplayName | String | The resourceDisplayName of the ApplicationRoleAssignment. |
resourceId | String | The resourceId of the ApplicationRoleAssignment. |
GroupMembers table for Azure AD data providers.
Query the GroupMembers table by retrieving everything from Azure AD or by specifying the GroupId with = and IN operators. You can filter results by GroupId and MemberId.
For example, the following queries are processed server-side:
SELECT * FROM GroupMembers WHERE GroupId IN ('4729c5e5-f923-4435-8a41-44423d42ea79', 'acabe397-8370-4c31-aeb7-2d7ae6b8cda1')
SELECT * FROM GroupMembers WHERE GroupId = '4729c5e5-f923-4435-8a41-44423d42ea79'
Name | Type | Description |
GroupId [KEY] | String | The Id of the Group. |
MemberId [KEY] | String | The User Id of the member listed. |
Retrieves the Organization for the authenticated user.
SELECT * FROM Organization
Name | Type | Description |
id [KEY] | String | The id of the organization. |
deletedDateTime | Datetime | The datetime when the organization was deleted. |
assignedPlans | String | The assignedPlans of the organization. |
businessPhones | String | The businessPhones of the organization. |
city | String | The city of the organization. |
country | String | The country of the organization. |
countryLetterCode | String | The countryLetterCode of the organization. |
createdDateTime | Datetime | The createdDateTime of the organization. |
defaultUsageLocation | String | The defaultUsageLocation of the organization. |
displayName | String | The displayName of the organization. |
marketingNotificationEmails | String | The marketingNotificationEmails of the organization. |
mobileDeviceManagementAuthority | String | The mobileDeviceManagementAuthority of the organization. |
onPremisesLastPasswordSyncDateTime | Datetime | The onPremisesLastPasswordSyncDateTime of the organization. |
onPremisesLastSyncDateTime | Datetime | The onPremisesLastSyncDateTime of the organization. |
onPremisesSyncEnabled | Bool | Indicator if organization is onPremisesSyncEnabled. |
partnerTenantType | String | The partnerTenantType of the organization. |
postalCode | String | The postalCode of the organization. |
preferredLanguage | String | The preferredLanguage of the organization. |
privacyProfile_contactEmail | String | The contactEmail of the privacyProfile. |
privacyProfile_statementUrl | String | The statementUrl of the privacyProfile. |
provisionedPlans | String | The provisionedPlans of the organization. |
securityComplianceNotificationMails | String | The securityComplianceNotificationMails of the organization. |
securityComplianceNotificationPhones | String | The securityComplianceNotificationPhones of the organization. |
state | String | The state of the organization. |
street | String | The street of the organization. |
technicalNotificationMails | String | The technicalNotificationMails of the organization. |
tenantType | String | The tenantType of the organization. |
verifiedDomains | String | The verifiedDomains of the organization. |
Retrieves the Role Assignments for the Azure AD.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM RoleAssignments WHERE Id = '4yeYchSc90m7G5YI8Va7uM8rSNTfthJJt-QfAs-zqcI-1'
SELECT * FROM RoleAssignments WHERE RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'
SELECT * FROM RoleAssignments WHERE PrincipalId = 'e5d250bd-92b4-44b2-b002-bc559f6d79e5'
Name | Type | Description |
id [KEY] | String | The id of the roleAssignment. |
condition | String | The condition of the roleAssignment. |
roleDefinitionId | String | The roleDefinitionId of the roleAssignment. |
principalId | String | The principalId of the roleAssignment. |
directoryScopeId | String | The directoryScopeId of the roleAssignment. |
appScopeId | String | The appScopeId of the roleAssignment. |
Retrieves the Role Definitions for the Azure AD.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM RoleDefinitions WHERE Id = '62e90394-69f5-4237-9190-012177145e10'
SELECT * FROM RoleDefinitions WHERE Id IN ('62e90394-69f5-4237-9190-012177145e10', 'fe930be7-5e62-47db-91af-98c3a49a38b1')
SELECT * FROM RoleDefinitions WHERE DisplayName LIKE '%Admin%'
Name | Type | Description |
id [KEY] | String | The id of the roleDefinition. |
allowedPrincipalTypes | String | The allowedPrincipalTypes of the roleDefinition. |
description | String | The description of the roleDefinition. |
displayName | String | The displayName of the roleDefinition. |
isBuiltIn | Bool | Indicator if roleDefinition is Builtin. |
isEnabled | Bool | Indicator if roleDefinition is Enabled. |
isPrivileged | Bool | Indicator if roleDefinition is Privileged. |
resourceScopes | String | The resourceScopes of the roleDefinition. |
rolePermissions | String | The rolePermissions of the roleDefinition. |
templateId | String | The templateId of the roleDefinition. |
version | String | The version of the roleDefinition. |
Retrieves the user sign-ins for your tenant.
Most filters are handled server side, but the specific field of Id will change the endpoint we use to retrieve the data. It must be specified with an '=' or IN condition.
For example:
SELECT * FROM SignIns WHERE Id = '8b0a526e-178d-4494-a276-8819b74d7933'
SELECT * FROM SignIns WHERE Id IN ('8b0a526e-178d-4494-a276-8819b74d7933', 'a8f14261-fb3b-42f7-a27a-d29877b5010b')
SELECT * FROM SignIns WHERE ResourceDisplayName LIKE '%Test%'
Name | Type | Description |
id [KEY] | String | The id of the SignIns. |
appDisplayName | String | The appDisplayName of the SignIns. |
appId | String | The appId of the SignIns. |
appliedConditionalAccessPolicies | String | The appliedConditionalAccessPolicies of the SignIns. |
clientAppUsed | String | The clientAppUsed of the SignIns. |
conditionalAccessStatus | String | The conditionalAccessStatus of the SignIns. |
correlationId | String | The correlationId of the SignIns. |
createdDateTime | Datetime | The createdDateTime of the SignIns. |
deviceDetail_browser | String | The deviceDetail_browser of the SignIns. |
deviceDetail_deviceId | String | The deviceDetail_deviceId of the SignIns. |
deviceDetail_displayName | String | The deviceDetail_displayName of the SignIns. |
deviceDetail_isCompliant | Bool | The deviceDetail_isCompliant of the SignIns. |
deviceDetail_isManaged | Bool | The deviceDetail_isManaged of the SignIns. |
deviceDetail_operatingSystem | String | The deviceDetail_operatingSystem of the SignIns. |
deviceDetail_trustType | String | The deviceDetail_trustType of the SignIns. |
ipAddress | String | The ipAddress of the SignIns. |
isInteractive | Bool | The isInteractive of the SignIns. |
signInLocation_city | String | The signInLocation_city of the SignIns. |
signInLocation_countryOrRegion | String | The signInLocation_countryOrRegion of the SignIns. |
signInLocation_state | String | The signInLocation_state of the SignIns. |
resourceDisplayName | String | The resourceDisplayName of the SignIns. |
resourceId | String | The resourceId of the SignIns. |
riskDetail | String | The riskDetail of the SignIns. |
riskEventTypes | String | The riskEventTypes of the SignIns. |
riskEventTypes_v2 | String | The riskEventTypes_v2 of the SignIns. |
riskLevelAggregated | String | The riskLevelAggregated of the SignIns. |
riskLevelDuringSignIn | String | The riskLevelDuringSignIn of the SignIns. |
riskState | String | The riskState of the SignIns. |
signInStatus_additionalDetails | String | The signInStatus_additionalDetails of the SignIns. |
signInStatus_errorCode | Int | The signInStatus_errorCode of the SignIns. |
signInStatus_failureReason | String | The signInStatus_failureReason of the SignIns. |
userDisplayName | String | The userDisplayName of the SignIns. |
userId | String | The userId of the SignIns. |
userPrincipalName | String | The userPrincipalName of the SignIns. |
UserApplicationRoleAssignments table for Azure AD data provider.
Get the user application roles assignments in your Azure Active Directory. You can filter results by UserId.
For example, the following queries are processed server side:
SELECT * FROM UserApplicationRoleAssignments WHERE UserId = 'ffacf701-6caf-4228-9e3b-7e57c14122ee'
SELECT * FROM UserApplicationRoleAssignments WHERE UserId IN (SELECT Id FROM Users)
Name | Type | Description |
UserId [KEY] | String | The UserId of the ApplicationRoleAssignment. |
id [KEY] | String | The id of the ApplicationRoleAssignment. |
appRoleId | String | The appRoleId of the ApplicationRoleAssignment. |
createdDateTime | Datetime | The createdDateTime of the ApplicationRoleAssignment. |
principalDisplayName | String | The principalDisplayName of the ApplicationRoleAssignment. |
principalId | String | The principalId of the ApplicationRoleAssignment. |
principalType | String | The principalType of the ApplicationRoleAssignment. |
resourceDisplayName | String | The resourceDisplayName of the ApplicationRoleAssignment. |
resourceId | String | The resourceId of the ApplicationRoleAssignment. |
UserManagers table for Azure AD data provider.
Get the manager of users in your Azure Active Directory. You can filter results by UserId.
For example, the following queries are processed server side:
SELECT * FROM UserManagers WHERE UserId = 'ffacf701-6caf-4228-9e3b-7e57c14122ee'
SELECT * FROM UserManagers WHERE UserId IN (SELECT Id FROM Users)
Name | Type | Description |
UserId [KEY] | String | The UserId of the manager. |
id [KEY] | String | The id of the manager. |
displayName | String | The displayName of the manager. |
jobTitle | String | The jobTitle of the manager. |
mail | String | The mail of the manager. |
userPrincipalName | String | The userPrincipalName of the manager. |
The Sync App maps types from the data source to the corresponding data type available in the schema. The table below documents these mappings.
Azure Active Directory (OData V4) | CData Schema |
Edm.Binary | binary |
Edm.Boolean | bool |
Edm.Date | datetime |
Edm.DateTimeOffset | datetime |
Edm.Decimal | decimal |
Edm.Double | double |
Edm.Guid | guid |
Edm.Int32 | int |
Edm.String | string |
Edm.TimeOfDay | time |
The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.
For more information on establishing a connection, see Establishing a Connection.
Property | Description |
AuthScheme | The type of authentication to use when connecting to Azure Active Directory. |
Property | Description |
AzureTenant | The Microsoft Online tenant being used to access data. If not specified, your default tenant is used. |
AzureEnvironment | The Azure Environment to use when establishing a connection. |
Property | Description |
OAuthClientId | The client Id assigned when you register your application with an OAuth authorization server. |
OAuthClientSecret | The client secret assigned when you register your application with an OAuth authorization server. |
OAuthGrantType | The grant type for the OAuth flow. |
Property | Description |
OAuthJWTCert | The JWT Certificate store. |
OAuthJWTCertType | The type of key store containing the JWT Certificate. |
OAuthJWTCertPassword | The password for the OAuth JWT certificate. |
OAuthJWTCertSubject | The subject of the OAuth JWT certificate. |
Property | Description |
SSLServerCert | The certificate to be accepted from the server when connecting using TLS/SSL. |
Property | Description |
FirewallType | The protocol used by a proxy-based firewall. |
FirewallServer | The name or IP address of a proxy-based firewall. |
FirewallPort | The TCP port for a proxy-based firewall. |
FirewallUser | The user name to use to authenticate with a proxy-based firewall. |
FirewallPassword | A password used to authenticate to a proxy-based firewall. |
Property | Description |
ProxyAutoDetect | This indicates whether to use the system proxy settings or not. |
ProxyServer | The hostname or IP address of a proxy to route HTTP traffic through. |
ProxyPort | The TCP port the ProxyServer proxy is running on. |
ProxyAuthScheme | The authentication type to use to authenticate to the ProxyServer proxy. |
ProxyUser | A user name to be used to authenticate to the ProxyServer proxy. |
ProxyPassword | A password to be used to authenticate to the ProxyServer proxy. |
ProxySSLType | The SSL type to use when connecting to the ProxyServer proxy. |
ProxyExceptions | A semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the ProxyServer. |
Property | Description |
LogModules | Core modules to be included in the log file. |
Property | Description |
Location | A path to the directory that contains the schema files defining tables, views, and stored procedures. |
BrowsableSchemas | This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC. |
Tables | This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA,TableB,TableC. |
Views | Restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC. |
Property | Description |
MaxRows | Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses. |
Other | These hidden properties are used only in specific use cases. |
PseudoColumns | This property indicates whether or not to include pseudo columns as columns to the table. |
Timeout | The value in seconds until the timeout error is thrown, canceling the operation. |
UserDefinedViews | A filepath pointing to the JSON configuration file containing your custom views. |
This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.
Property | Description |
AuthScheme | The type of authentication to use when connecting to Azure Active Directory. |
The type of authentication to use when connecting to Azure Active Directory.
This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.
Property | Description |
AzureTenant | The Microsoft Online tenant being used to access data. If not specified, your default tenant is used. |
AzureEnvironment | The Azure Environment to use when establishing a connection. |
The Microsoft Online tenant being used to access data. If not specified, your default tenant is used.
The Microsoft Online tenant being used to access data. For instance, contoso.onmicrosoft.com. Alternatively, specify the tenant Id. This value is the directory Id in the Azure Portal > Azure Active Directory > Properties.
Typically it is not necessary to specify the Tenant. Microsoft can determine it automatically when OAuthGrantType is set to CODE (default). However, this may fail when the user belongs to multiple tenants, for instance when an Admin of domain A invites a user of domain B to be a guest user: the user then belongs to both tenants. It is good practice to specify the Tenant, although in general things should normally work without having to specify it.
The AzureTenant is required when setting OAuthGrantType to CLIENT. When using client credentials, there is no user context. The credentials are taken from the context of the app itself. While Microsoft still allows client credentials to be obtained without specifying which Tenant, it has a much lower probability of picking the specific tenant you want to work with. For this reason, we require AzureTenant to be explicitly stated for all client credentials connections to ensure you get credentials that are applicable for the domain you intend to connect to.
The Azure Environment to use when establishing a connection.
In most cases, leaving the environment set to global will work. However, if your Azure Account has been added to a different environment, the AzureEnvironment may be used to specify which environment. The available values are GLOBAL, CHINA, USGOVT, USGOVTDOD.
This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.
Property | Description |
OAuthClientId | The client Id assigned when you register your application with an OAuth authorization server. |
OAuthClientSecret | The client secret assigned when you register your application with an OAuth authorization server. |
OAuthGrantType | The grant type for the OAuth flow. |
The client Id assigned when you register your application with an OAuth authorization server.
As part of registering an OAuth application, you will receive the OAuthClientId value, sometimes also called a consumer key, and a client secret, the OAuthClientSecret.
The client secret assigned when you register your application with an OAuth authorization server.
As part of registering an OAuth application, you will receive the OAuthClientId, also called a consumer key. You will also receive a client secret, also called a consumer secret. Set the client secret in the OAuthClientSecret property.
The grant type for the OAuth flow.
The following options are available: CODE, CLIENT
This section provides a complete list of the JWT OAuth properties you can configure in the connection string for this provider.
Property | Description |
OAuthJWTCert | The JWT Certificate store. |
OAuthJWTCertType | The type of key store containing the JWT Certificate. |
OAuthJWTCertPassword | The password for the OAuth JWT certificate. |
OAuthJWTCertSubject | The subject of the OAuth JWT certificate. |
The JWT Certificate store.
The name of the certificate store for the client certificate.
The OAuthJWTCertType field specifies the type of the certificate store specified by OAuthJWTCert. If the store is password protected, specify the password in OAuthJWTCertPassword.
OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates. If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, a search for a certificate is initiated. Please refer to the OAuthJWTCertSubject field for details.
Designations of certificate stores are platform-dependent.
The following are designations of the most common User and Machine certificate stores in Windows:
MY | A certificate store holding personal certificates with their associated private keys. |
CA | Certifying authority certificates. |
ROOT | Root certificates. |
SPC | Software publisher certificates. |
In Java, the certificate store normally is a file containing certificates and optional private keys.
When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).
The type of key store containing the JWT Certificate.
This property can take one of the following values:
USER | For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note: This store type is not available in Java. |
MACHINE | For Windows, this specifies that the certificate store is a machine store. Note: this store type is not available in Java. |
PFXFILE | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
PFXBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format. |
JKSFILE | The certificate store is the name of a Java key store (JKS) file containing certificates. Note: this store type is only available in Java. |
JKSBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in Java key store (JKS) format. Note: this store type is only available in Java. |
PEMKEY_FILE | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
PEMKEY_BLOB | The certificate store is a string (base64-encoded) that contains a private key and an optional certificate. |
PUBLIC_KEY_FILE | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
PUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate. |
SSHPUBLIC_KEY_FILE | The certificate store is the name of a file that contains an SSH-style public key. |
SSHPUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains an SSH-style public key. |
P7BFILE | The certificate store is the name of a PKCS7 file containing certificates. |
PPKFILE | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
XMLFILE | The certificate store is the name of a file that contains a certificate in XML format. |
XMLBLOB | The certificate store is a string that contains a certificate in XML format. |
The password for the OAuth JWT certificate.
If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
The subject of the OAuth JWT certificate.
When loading a certificate the subject is used to locate the certificate in the store.
If an exact match is not found, the store is searched for subjects containing the value of the property.
If a match is still not found, the property is set to an empty string, and no certificate is selected.
The special value "*" picks the first certificate in the certificate store.
The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, [email protected]". Common fields and their meanings are displayed below.
Field | Meaning |
CN | Common Name. This is commonly a host name like www.server.com. |
O | Organization |
OU | Organizational Unit |
L | Locality |
S | State |
C | Country |
E | Email Address |
If a field value contains a comma it must be quoted.
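The lookup order described above (exact match, then subjects containing the value, then no certificate, with "*" taking the first entry), as an added Python example that is not CData's code. The store contents are constructed, and the parsing and case-insensitive comparison are assumptions; the point is that the "contains" fallback can select a different certificate than intended when the subject is given only partially.

```python
# Constructed sample store subjects (not taken from any real certificate store).
STORE = [
    "CN=sync-staging, O=Example Corp, C=US",
    "CN=sync, O=Example Corp, C=US",
    'CN=reports, O="Example, Inc.", C=US',
]

def parse_subject(subject):
    """Split a subject into (field, value) pairs, keeping quoted commas intact."""
    parts, buf, quoted = [], [], False
    for ch in subject:
        if ch == '"':
            quoted = not quoted          # quotes delimit a value that may hold commas
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if part.strip():
            field, _, value = part.partition("=")
            pairs.append((field.strip().upper(), value.strip()))
    return pairs

def contains_candidates(store, wanted):
    """Every store subject that contains the value (assumed case-insensitive)."""
    return [s for s in store if wanted.lower() in s.lower()]

def select_certificate(store, wanted):
    """Return (subject, how) where how is first, exact, contains or none."""
    if not store:
        return None, "none"
    if wanted == "*":
        return store[0], "first"
    target = parse_subject(wanted)
    for subject in store:
        if parse_subject(subject) == target:
            return subject, "exact"
    candidates = contains_candidates(store, wanted)
    if candidates:
        return candidates[0], "contains"
    return None, "none"

if __name__ == "__main__":
    for wanted in ("CN=sync", "CN=sync, O=Example Corp, C=US", "*", "CN=missing"):
        print(wanted, "->", select_certificate(STORE, wanted))
```

When `contains_candidates` returns more than one subject, supplying the full subject forces the exact match instead of the first partial one.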
This section provides a complete list of the SSL properties you can configure in the connection string for this provider.
Property | Description |
SSLServerCert | The certificate to be accepted from the server when connecting using TLS/SSL. |
The certificate to be accepted from the server when connecting using TLS/SSL.
If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.
This property can take the following forms:
Description | Example |
A full PEM Certificate (example shortened for brevity) | -----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE----- |
A path to a local file containing the certificate | C:\cert.cer |
The public key (example shortened for brevity) | -----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY----- |
The MD5 Thumbprint (hex values can also be either space or colon separated) | ecadbdda5a1529c58a1e9e09828d70e4 |
The SHA1 Thumbprint (hex values can also be either space or colon separated) | 34a929226ae0819f2ec14b4a3d904f801cbb150d |
If not specified, any certificate trusted by the machine is accepted.
Use '*' to accept all certificates. Note that this is not recommended due to security concerns.
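A reviewer's check for SSLServerCert values, as an added Python example that is not part of the Sync App: it names the form a value takes, flags the accept-all and MD5 forms, and compares a certificate against a thumbprint written with or without space or colon separators. The function names, the stand-in certificate bytes, and the case-insensitive handling of hex are assumptions.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a server certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-stand-in-for-DER-encoded-certificate"

def normalize_thumbprint(value):
    """Drop the space or colon separators; return lowercase hex, or None."""
    compact = re.sub(r"[\s:]", "", value)
    return compact.lower() if re.fullmatch(r"[0-9a-fA-F]+", compact) else None

def thumbprint(der_bytes, algo="sha1"):
    """A certificate thumbprint is the hash of its DER encoding."""
    return hashlib.new(algo, der_bytes).hexdigest()

def classify_ssl_server_cert(value):
    """Name the form an SSLServerCert value takes, per the table above."""
    v = value.strip()
    if not v:
        return "machine-trust"       # unset: any machine-trusted certificate
    if v == "*":
        return "accept-all"
    if v.startswith("-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    if v.startswith("-----BEGIN RSA PUBLIC KEY-----"):
        return "public-key"
    thumb = normalize_thumbprint(v)
    if thumb and len(thumb) == 32:   # 16 bytes of hex
        return "md5-thumbprint"
    if thumb and len(thumb) == 40:   # 20 bytes of hex
        return "sha1-thumbprint"
    return "file-path"

def review(value):
    """Return a reviewer's finding for the value, or None when there is none."""
    form = classify_ssl_server_cert(value)
    if form == "accept-all":
        return "accepts every certificate: the server is not authenticated"
    if form == "md5-thumbprint":
        return "MD5 is collision-prone: prefer the SHA1 thumbprint or full certificate"
    return None

def matches_pin(der_bytes, configured):
    """Compare a presented certificate with a configured MD5 or SHA1 thumbprint."""
    thumb = normalize_thumbprint(configured)
    if thumb is None or len(thumb) not in (32, 40):
        return False
    algo = "md5" if len(thumb) == 32 else "sha1"
    return hmac.compare_digest(thumbprint(der_bytes, algo), thumb)
```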
This section provides a complete list of the Firewall properties you can configure in the connection string for this provider.
Property | Description |
FirewallType | The protocol used by a proxy-based firewall. |
FirewallServer | The name or IP address of a proxy-based firewall. |
FirewallPort | The TCP port for a proxy-based firewall. |
FirewallUser | The user name to use to authenticate with a proxy-based firewall. |
FirewallPassword | A password used to authenticate to a proxy-based firewall. |
The protocol used by a proxy-based firewall.
This property specifies the protocol that the Sync App will use to tunnel traffic through the FirewallServer proxy. Note that by default, the Sync App connects to the system proxy; to disable this behavior and connect to one of the following proxy types, set ProxyAutoDetect to false.
Type | Default Port | Description |
TUNNEL | 80 | When this is set, the Sync App opens a connection to Azure Active Directory and traffic flows back and forth through the proxy. |
SOCKS4 | 1080 | When this is set, the Sync App sends data through the SOCKS 4 proxy specified by FirewallServer and FirewallPort and passes the FirewallUser value to the proxy, which determines if the connection request should be granted. |
SOCKS5 | 1080 | When this is set, the Sync App sends data through the SOCKS 5 proxy specified by FirewallServer and FirewallPort. If your proxy requires authentication, set FirewallUser and FirewallPassword to credentials the proxy recognizes. |
To connect to HTTP proxies, use ProxyServer and ProxyPort. To authenticate to HTTP proxies, use ProxyAuthScheme, ProxyUser, and ProxyPassword.
The name or IP address of a proxy-based firewall.
This property specifies the IP address, DNS name, or host name of a proxy allowing traversal of a firewall. The protocol is specified by FirewallType: set FirewallType together with this property to connect through SOCKS or to tunnel. Use ProxyServer to connect to an HTTP proxy.
Note that the Sync App uses the system proxy by default. To use a different proxy, set ProxyAutoDetect to false.
The TCP port for a proxy-based firewall.
This specifies the TCP port for a proxy allowing traversal of a firewall. Use FirewallServer to specify the name or IP address. Specify the protocol with FirewallType.
The user name to use to authenticate with a proxy-based firewall.
The FirewallUser and FirewallPassword properties are used to authenticate against the proxy specified in FirewallServer and FirewallPort, following the authentication method specified in FirewallType.
A password used to authenticate to a proxy-based firewall.
This property is passed to the proxy specified by FirewallServer and FirewallPort, following the authentication method specified by FirewallType.
This section provides a complete list of the Proxy properties you can configure in the connection string for this provider.
Property | Description |
ProxyAutoDetect | This indicates whether to use the system proxy settings or not. |
ProxyServer | The hostname or IP address of a proxy to route HTTP traffic through. |
ProxyPort | The TCP port the ProxyServer proxy is running on. |
ProxyAuthScheme | The authentication type to use to authenticate to the ProxyServer proxy. |
ProxyUser | A user name to be used to authenticate to the ProxyServer proxy. |
ProxyPassword | A password to be used to authenticate to the ProxyServer proxy. |
ProxySSLType | The SSL type to use when connecting to the ProxyServer proxy. |
ProxyExceptions | A semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the ProxyServer. |
This indicates whether to use the system proxy settings or not.
This takes precedence over other proxy settings, so you'll need to set ProxyAutoDetect to FALSE in order to use custom proxy settings.
To connect to an HTTP proxy, see ProxyServer. For other proxies, such as SOCKS or tunneling, see FirewallType.
The hostname or IP address of a proxy to route HTTP traffic through.
The hostname or IP address of a proxy to route HTTP traffic through. The Sync App can use the HTTP, Windows (NTLM), or Kerberos authentication types to authenticate to an HTTP proxy.
If you need to connect through a SOCKS proxy or tunnel the connection, see FirewallType.
By default, the Sync App uses the system proxy. If you need to use another proxy, set ProxyAutoDetect to false.
The TCP port the ProxyServer proxy is running on.
The port the HTTP proxy is running on that you want to redirect HTTP traffic through. Specify the HTTP proxy in ProxyServer. For other proxy types, see FirewallType.
The authentication type to use to authenticate to the ProxyServer proxy.
This value specifies the authentication type to use to authenticate to the HTTP proxy specified by ProxyServer and ProxyPort.
Note that the Sync App will use the system proxy settings by default, without further configuration needed; if you want to connect to another proxy, you will need to set ProxyAutoDetect to false, in addition to ProxyServer and ProxyPort. To authenticate, set ProxyAuthScheme and set ProxyUser and ProxyPassword, if needed.
The authentication type can be one of the following:
If you need to use another authentication type, such as SOCKS 5 authentication, see FirewallType.
A user name to be used to authenticate to the ProxyServer proxy.
The ProxyUser and ProxyPassword options are used to connect and authenticate against the HTTP proxy specified in ProxyServer.
You can select one of the available authentication types in ProxyAuthScheme. If you are using HTTP authentication, set this to the user name of a user recognized by the HTTP proxy. If you are using Windows or Kerberos authentication, set this property to a user name in one of the following formats:
user@domain
domain\user
A password to be used to authenticate to the ProxyServer proxy.
This property is used to authenticate to an HTTP proxy server that supports NTLM (Windows), Kerberos, or HTTP authentication. To specify the HTTP proxy, you can set ProxyServer and ProxyPort. To specify the authentication type, set ProxyAuthScheme.
If you are using HTTP authentication, additionally set ProxyUser and ProxyPassword to the credentials of a user recognized by the HTTP proxy.
If you are using NTLM authentication, set ProxyUser and ProxyPassword to your Windows user name and password. You may also need these to complete Kerberos authentication.
For SOCKS 5 authentication or tunneling, see FirewallType.
By default, the Sync App uses the system proxy. If you want to connect to another proxy, set ProxyAutoDetect to false.
The SSL type to use when connecting to the ProxyServer proxy.
This property determines when to use SSL for the connection to an HTTP proxy specified by ProxyServer. This value can be AUTO, ALWAYS, NEVER, or TUNNEL. The applicable values are the following:
AUTO | Default setting. If the URL is an HTTPS URL, the Sync App will use the TUNNEL option. If the URL is an HTTP URL, the Sync App will use the NEVER option. |
ALWAYS | The connection is always SSL enabled. |
NEVER | The connection is not SSL enabled. |
TUNNEL | The connection is through a tunneling proxy. The proxy server opens a connection to the remote host and traffic flows back and forth through the proxy. |
A semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the ProxyServer.
The ProxyServer is used for all addresses, except for addresses defined in this property. Use semicolons to separate entries.
Note that the Sync App uses the system proxy settings by default, without further configuration needed; if you want to explicitly configure proxy exceptions for this connection, you need to set ProxyAutoDetect = false, and configure ProxyServer and ProxyPort. To authenticate, set ProxyAuthScheme and set ProxyUser and ProxyPassword, if needed.
This section provides a complete list of the Logging properties you can configure in the connection string for this provider.
Property | Description |
LogModules | Core modules to be included in the log file. |
Core modules to be included in the log file.
Only the modules specified (separated by ';') will be included in the log file. By default all modules are included.
See the Logging page for an overview.
This section provides a complete list of the Schema properties you can configure in the connection string for this provider.
Property | Description |
Location | A path to the directory that contains the schema files defining tables, views, and stored procedures. |
BrowsableSchemas | This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC. |
Tables | This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA,TableB,TableC. |
Views | Restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC. |
A path to the directory that contains the schema files defining tables, views, and stored procedures.
The path to a directory which contains the schema files for the Sync App (.rsd files for tables and views, .rsb files for stored procedures). The folder location can be a relative path from the location of the executable. The Location property is only needed if you want to customize definitions (for example, change a column name, ignore a column, and so on) or extend the data model with new tables, views, or stored procedures.
If left unspecified, the default location is "%APPDATA%\CData\AzureAD Data Provider\Schema" with %APPDATA% being set to the user's configuration directory:
Platform | %APPDATA% |
Windows | The value of the APPDATA environment variable |
Linux | ~/.config |
This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.
Listing the schemas from databases can be expensive. Providing a list of schemas in the connection string improves the performance.
This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA,TableB,TableC.
Listing the tables from some databases can be expensive. Providing a list of tables in the connection string improves the performance of the Sync App.
This property can also be used as an alternative to automatically listing views if you already know which ones you want to work with and there would otherwise be too many to work with.
Specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.
Note that when connecting to a data source with multiple schemas or catalogs, you will need to provide the fully qualified name of the table in this property, as in the last example here, to avoid ambiguity between tables that exist in multiple catalogs or schemas.
Restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC.
Listing the views from some databases can be expensive. Providing a list of views in the connection string improves the performance of the Sync App.
This property can also be used as an alternative to automatically listing views if you already know which ones you want to work with and there would otherwise be too many to work with.
Specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.
Note that when connecting to a data source with multiple schemas or catalogs, you will need to provide the fully qualified name of the table in this property, as in the last example here, to avoid ambiguity between tables that exist in multiple catalogs or schemas.
This section provides a complete list of the Miscellaneous properties you can configure in the connection string for this provider.
Property | Description |
MaxRows | Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses. |
Other | These hidden properties are used only in specific use cases. |
PseudoColumns | This property indicates whether or not to include pseudo columns as columns to the table. |
Timeout | The value in seconds until the timeout error is thrown, canceling the operation. |
UserDefinedViews | A filepath pointing to the JSON configuration file containing your custom views. |
Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses.
These hidden properties are used only in specific use cases.
The properties listed below are available for specific use cases. Normal driver use cases and functionality should not require these properties.
Specify multiple properties in a semicolon-separated list.
DefaultColumnSize | Sets the default length of string fields when the data source does not provide column length in the metadata. The default value is 2000. |
ConvertDateTimeToGMT | Determines whether to convert date-time values to GMT, instead of the local time of the machine. |
RecordToFile=filename | Records the underlying socket data transfer to the specified file. |
This property indicates whether or not to include pseudo columns as columns to the table.
This setting is particularly helpful in Entity Framework, which does not allow you to set a value for a pseudo column unless it is a table column. The value of this connection setting is of the format "Table1=Column1, Table1=Column2, Table2=Column3". You can use the "*" character to include all tables and all columns; for example, "*=*".
The value in seconds until the timeout error is thrown, canceling the operation.
If Timeout = 0, operations do not time out. The operations run until they complete successfully or until they encounter an error condition.
If Timeout expires and the operation is not yet complete, the Sync App throws an exception.
A filepath pointing to the JSON configuration file containing your custom views.
User Defined Views are defined in a JSON-formatted configuration file called UserDefinedViews.json. The Sync App automatically detects the views specified in this file.
You can also have multiple view definitions and control them using the UserDefinedViews connection property. When you use this property, only the specified views are seen by the Sync App.
This User Defined View configuration file is formatted as follows:
For example:
{
  "MyView": {
    "query": "SELECT * FROM DirectoryRoles WHERE MyColumn = 'value'"
  },
  "MyView2": {
    "query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
  }
}
Use the UserDefinedViews connection property to specify the location of your JSON configuration file. For example:
"UserDefinedViews", C:\Users\yourusername\Desktop\tmp\UserDefinedViews.json
Note that the specified path is not embedded in quotation marks.