Azure AD User attributes from KQL


Is it possible to query Azure AD using KQL? For example, to fetch group membership or other user attributes within a KQL query.

1 Reply
best response confirmed by Rajtoor (Contributor)
Yes, it is possible. Depending on your exact needs, you may wish to make a REST call to the Graph API, or you might want to consider a repeatable import model.

To answer your exact question you could query Azure AD via the http_request plugin. To use this you first need to enable a callout policy that permits the target API.

Once the callout policy is in place you would use the http_request plugin to execute your query against Azure AD.

It is a little more complex than just calling away. Most times I have had to do this in two steps. First I have needed to execute an http_request_post to {{tenantId}}/oauth2/token, setting my app identity and secret. The response from the call contains a value for "access_token". That access token gets passed in the http_request call to Graph to return the data to you.

Having laid all of that out, depending on your needs there may be a more appropriate model. Graph Data Connect lets you import a wide variety of data from Graph, and refresh it on a scheduled basis. Although all of the examples talk about blob storage, you have a lot of options on where you choose to put the data.
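
The second step described in the reply above, sketched as an added example that is not part of the original reply: a narrowly scoped callout policy, then a Graph call that turns a user's group membership into rows. The token and user values are placeholders, and the token is assumed to come from the earlier token request.

```kusto
// --- Management commands: run once, separately, as a cluster admin ---------
// The plugin is disabled by default.
.enable plugin http_request

// Allow callouts only to the Graph users API. Keeping the regex this narrow
// stops queries from reaching arbitrary external endpoints.
// (.alter-merge adds to the existing policy instead of replacing it.)
.alter-merge cluster policy callout @'[{"CalloutType": "webapi", "CalloutUriRegex": "graph\\.microsoft\\.com/v1\\.0/users/", "CanCall": true}]'

// --- Query ------------------------------------------------------------------
// Placeholders (assumptions, not values from the original post).
// The h prefix makes this an obfuscated string literal, so the bearer token
// is not written in clear text to query logs and traces.
let accessToken = h"<access-token>";
let userId = "<user-object-id-or-UPN>";
// memberOf returns the directory objects the user belongs to;
// $select trims the response to the fields projected below.
let graphUri = strcat("https://graph.microsoft.com/v1.0/users/", userId,
                      "/memberOf?$select=id,displayName");
let graphHeaders = bag_pack("Authorization", strcat("Bearer ", accessToken));
evaluate http_request(graphUri, graphHeaders)
// Graph wraps results in a "value" array: one row per membership entry.
| mv-expand entry = ResponseBody.value
| project GroupId    = tostring(entry.id),
          GroupName  = tostring(entry.displayName),
          ObjectType = tostring(entry["@odata.type"])
```

The same obfuscated-literal treatment applies to the app secret in the token request, since query text is otherwise visible to anyone who can read the cluster's query history.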