Microsoft Identity And Access (Graph)
Microsoft Identity And Access (Graph) is the gateway to access Azure Active Directory (Azure AD) resources to enable scenarios like managing administrator (directory) roles, inviting external users to an organization
Connect Microsoft Identity And Access (Graph) with Devo SOARD
Navigate to Automations > Integrations.
Search for Microsoft Identity And Access.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Tenant ID: Tenant ID of the app created in Azure Active Directory.
Client ID: Client ID of the app created in Azure Active Directory.
Client Secret: Client secret of the app created in Azure Active Directory.
After you've entered all the details, click Connect.
Note
These actions require "Azure AD Premium P1/P2 license".
Actions for Microsoft Identity And Access (Graph)
List Risk Detections
Get a list of the risk detection objects and their properties.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Custom OData query | Jinja-template for custom OData query to retrieve a list of alerts (Default is no filter). Example: riskState eq 'remediated'. | Optional |
Number of messages to be fetched | Number of messages to be fetched. It'll override $top provided in "Custom OData query" (Default is 10 messages if it is not provided in "Custom OData query" also). | Optional |
Output
json containing following items:
has_error: True/False
error: message/null
result: List of Risk Detections.
Get Risk Detection
Retrieve the properties and relationships of a risk detection object.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risk Detection ID | Optional | Jinja-template for Unique identifier(id) of a risk detection object. |
Example: {{risk_detection_id_column}}. | Â | Â |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Risk Detection.
List Risky Users
Get a list of the risky user objects and their properties.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Custom OData query | Jinja-template for custom OData query to retrieve a list of alerts (Default is no filter). e.g. riskState eq 'remediated'. | Optional |
Number of messages to be fetched | Number of messages to be fetched. It'll override $top provided in "Custom OData query" (Default is 10 messages if it is not provided in "Custom OData query" also). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: List of Risky Users
Get Risky User
Retrieve the properties and relationships of a risky user object.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risky User ID | Jinja-template for Unique identifier(id) of a risky user object. | Â |
Example: {{risky_user_id_column}}. | Optional | Â |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Risky User
Confirm Compromised Risky User
Confirm one or more risky user objects as compromised. This action sets the targeted user's risk level to high.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risky User Id's | Jinja-templated string containing comma separated risky user ids to confirm compromised. | Â |
Example: {{risky_user_id_column1}}, {{risky_user_id_column2}}. | Optional | Â |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure
Dismiss Compromised Risky User
Dismiss the risk of one or more risky user objects. This action sets the targeted user's risk level to none.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risky User Id's | Jinja-templated string containing comma separated risky user ids to confirm compromised. | Â |
Example: {{risky_user_id_column1}}, {{risky_user_id_column2}}. | Optional | Â |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure
List User History
Get the risky user history items from the history navigation property.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risky User ID | Jinja-template for Unique identifier(id) of a risky user object. | Â |
Example: {{risky_user_id_column}}. | Optional | Â |
History Item ID | Jinja-template for Unique identifier(id) of a history item object. | Â |
Example: {{history_item_id_column}}. | Optional | Â |
Custom OData query | Jinja-template for custom OData query to retrieve a list of alerts (Default is no filter). Example: riskState eq 'remediated'. | Optional |
Number of messages to be fetched | Number of messages to be fetched. It'll override $top provided in "Custom OData query" (Default is 10 messages if it is not provided in "Custom OData query" also). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: List of User History
Get User History
Retrieve the properties and relationships of a risky user history item object
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Risky User ID | Jinja template for Unique identifier(id) of a risky user object. Example: {{risky_user_id_column}}. | Optional |
Custom OData query | Jinja template for custom OData query to retrieve a list of alerts (Default is no filter). | Â |
Example: riskState eq 'remediated'. | Optional | Â |
Number of messages to be fetched | Number of messages to be fetched. It'll override $top provided in "Custom OData query" (Default is 10 messages if it is not provided in "Custom OData query" also). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: User History
List IP Named Location
Get a list of namedLocation objects.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Explode Results | Explode each result in a separate row. (Default is No) | Optional |
Output
A JSON object containing multiple rows of result:
``` {json}{ "result": [ { "@odata.type": "#microsoft.graph.ipNamedLocation", "id": "0aab4fe7-d8ad-44cd-8c36-815fc0e82b24", "displayName": "1610469824546", "modifiedDateTime": "2022-04-11T07:20:08.871778Z", "createdDateTime": "2022-04-11T07:20:08.871778Z", "isTrusted": false, "ipRanges": [ { "@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "12.34.221.11/22" } ] }, { "@odata.type": "#microsoft.graph.ipNamedLocation", "id": "02e33bf8-c949-408e-950a-211b32223ce1", "displayName": "1610469824892", "modifiedDateTime": "2022-04-11T07:20:09.9641995Z", "createdDateTime": "2022-04-11T07:20:09.9641995Z", "isTrusted": false, "ipRanges": [ { "@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "12.34.221.11/22" } ] } ], "has_error": false, "error": null, "stdout": "", "stderr": "" }
## Create IP Named Location
Create namedLocation objects.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------- | :--------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Display Name | [Jinja-template](doc:jinja-template) for display name of IP named location | Required |
| IP Ranges | [Jinja-template](doc:jinja-template) for IP ranges. For example:[{"@odata.type": "#microsoft.graph.iPv4CidrRange","cidrAddress": "12.34.221.11/22"}] | Required |
| Is Trusted | [Jinja-template](doc:jinja-template) for is trusted (Default is False) | Optional |
### Output
A JSON object containing multiple rows of result:
``` {json}{
"displayName": "0b56b98b-e814-4405-99da-7bae69cb30d2",
"isTrusted": true,
"@odata.type": "#microsoft.graph.ipNamedLocation",
"has_error": false,
"id": "0c57cd3d-45ed-438a-9f01-d8666843c139",
"error": null,
"createdDateTime": "2022-04-11T09:55:13.4968154Z",
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/namedLocations/$entity",
"ipRanges": [
{
"@odata.type": "#microsoft.graph.iPv4CidrRange",
"cidrAddress": "12.34.221.11/22"
}
],
"modifiedDateTime": "2022-04-11T09:55:13.4968154Z"
}
Get IP Named Location
Get namedLocation object.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
IP Named Location ID | Jinja-template for IP named location Id. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: IP Named Location Object
``` {json}{ "result": { "@odata.type": "#microsoft.graph.ipNamedLocation", "id": "0aab4fe7-d8ad-44cd-8c36-815fc0e82b24", "displayName": "1610469824546", "modifiedDateTime": "2022-04-11T07:20:08.871778Z", "createdDateTime": "2022-04-11T07:20:08.871778Z", "isTrusted": false, "ipRanges": [ { "@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "12.34.221.11/22" } ] }, "has_error": false, "error": null, "stdout": "", "stderr": "" }
## Delete IP Named Location
Delete namedLocation objects.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------- | :------------------------------------------------------------- | :------- |
| IP Named Location ID | [Jinja-template](doc:jinja-template) for IP named location Id. | Required |
### Output
A JSON object containing multiple rows of result:
``` {json}{
"result": "Deleted successfully.",
"error": null,
"has_error": false
}
Update IP Named Location
Update namedLocation objects.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
IP Named Location ID | Jinja-template for IP named location Id. | Required |
Display Name | Jinja-template for display name of IP named location | Optional |
IP Ranges | Jinja-template for IP ranges. For example:[{"@odata.type": "#microsoft.graph.iPv4CidrRange","cidrAddress": "12.34.221.11/22"}] | Required |
Is Trusted | Jinja-template for is trusted (Default is False) | Optional |
Output
A JSON object containing multiple rows of result:
{json}{
"result": "Updated successfully.",
"error": null,
"has_error": false
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystemv1.1.1
- Added 5 new actions:List IP NamedLocation
,Create IP NamedLocation
,Get IP NamedLocation
,Update IP NamedLocation
andDelete IP NamedLocation
.