Forum Discussion

ratoor
Copper Contributor
Nov 09, 2022
Solved

Azure AD User attributes from KQL

Is it possible to query Azure AD using KQL? For example, to fetch group membership or other user attributes within a KQL query.


1 Reply

  • GarySteere
    Copper Contributor
    Yes it is possible. Depending on your exact needs you may wish to make a REST call to the Graph API, or you might want to consider a repeatable import model.

    To answer your exact question you could query Azure AD via the http_request plugin. To use this you first need to enable a callout policy that permits the target API. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/calloutpolicy

    Once the Callout policy is in place you would use the http_request plugin to execute your query against Azure AD. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/http-request-plugin?pivots=azuredataexplorer

    It is a little more complex than just calling away. Most times I have had to do this in two steps. First I have needed to execute a https_request_post to https://login.microsoftonline.com/{{tenantId}}/oauth2/token, set my app identity and secret. The response from the call contains a value for "access_token". That access token gets passed in the http_request call to Graph to return the data to you.

    Having laid all of that out, depending on your needs there may be a more appropriate model. Graph Data Connect lets you import a wide variety of data from Graph, and refresh it on a scheduled basis. https://learn.microsoft.com/en-us/graph/data-connect-concept-overview. Although all of the examples talk about blob storage, you have a lot of options on where you choose to put the data.
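The two-step flow GarySteere describes (token call, then Graph call), written out as an added KQL example that is not from the thread. It assumes an app registration with application permission to read users and groups, the placeholder values below replaced, and a callout policy that permits both hosts; the UPN is a constructed sample.

```kql
// Added example, not from the original reply: token-then-Graph lookup from KQL.
// Step 0 (run once, separately, as a management command) - allow both callout targets:
// .alter-merge cluster policy callout @'[{"CalloutType":"webapi","CalloutUriRegex":"login\\.microsoftonline\\.com","CanCall":true},{"CalloutType":"webapi","CalloutUriRegex":"graph\\.microsoft\\.com","CanCall":true}]'
let tenantId     = "<TENANT_ID>";          // placeholder
let clientId     = "<APP_CLIENT_ID>";      // placeholder
let clientSecret = "<APP_SECRET>";         // placeholder; readable by anyone who can read this query
let userUpn      = "user@example.invalid"; // constructed sample UPN
// Step 1: client-credentials grant against the v1 token endpoint named in the reply.
let tokenUri  = strcat("https://login.microsoftonline.com/", tenantId, "/oauth2/token");
let tokenBody = strcat("grant_type=client_credentials",
                       "&client_id=", url_encode_component(clientId),
                       "&client_secret=", url_encode_component(clientSecret),
                       "&resource=", url_encode_component("https://graph.microsoft.com"));
let accessToken = toscalar(
    evaluate http_request_post(tokenUri,
                               dynamic({"Content-Type": "application/x-www-form-urlencoded"}),
                               dynamic({}),
                               tokenBody)
    | project tostring(ResponseBody.access_token));
// Step 2: pass the bearer token to Graph and unpack the user's group membership.
let graphUri = strcat("https://graph.microsoft.com/v1.0/users/", userUpn,
                      "/memberOf?$select=id,displayName");
evaluate http_request(graphUri, bag_pack("Authorization", strcat("Bearer ", accessToken)))
| mv-expand grp = ResponseBody.value
| project GroupId    = tostring(grp.id),
          GroupName  = tostring(grp.displayName),
          ObjectType = tostring(grp["@odata.type"])
```

Keep the CalloutUriRegex entries as narrow as the two hosts shown rather than a broad pattern, since the policy decides which external endpoints any query on the cluster may reach.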


