Microsoft Graph Identity & Access

Use the Microsoft Graph Identity and Access integration to manage roles and members.

Configure MicrosoftGraphIdentityandAccess on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MicrosoftGraphIdentityandAccess.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Application ID | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

msgraph-identity-auth-start#


Run this command to start the authorization process and follow the instructions in the command results.

msgraph-identity-auth-complete#


Run this command to complete the authorization process. Use it after running the msgraph-identity-auth-start command.

msgraph-identity-auth-reset#


Run this command if you need to rerun the authentication process.

msgraph-identity-auth-test#


Tests connectivity to Microsoft.

msgraph-identity-directory-roles-list#


Lists the roles in the directory.

Base Command#

msgraph-identity-directory-roles-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of results to fetch. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MSGraphIdentity.Role.deletedDateTime | Date | The time when a role was deleted. Displays only if a role was deleted. |
| MSGraphIdentity.Role.description | String | The description of the directory role. |
| MSGraphIdentity.Role.displayName | String | The display name of the directory role. |
| MSGraphIdentity.Role.id | String | The unique identifier of the directory role. |
| MSGraphIdentity.Role.roleTemplateId | String | The ID of the directory role template on which the role is based. |

Command Example#

!msgraph-identity-directory-roles-list limit=1

Context Example#

```json
{
    "MSGraphIdentity": {
        "Role": {
            "deletedDateTime": null,
            "description": "Can create and manage all aspects of app registrations and enterprise apps.",
            "displayName": "Application Administrator",
            "id": ":id:",
            "roleTemplateId": "role-template-id"
        }
    }
}
```

Human Readable Output#

Directory roles:#

| id | displayName | description | roleTemplateId |
| --- | --- | --- | --- |
| id | Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | role-template-id |

msgraph-identity-directory-role-activate#


Activates a role by its template ID.

Base Command#

msgraph-identity-directory-role-activate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| role_template_id | ID of the role template to activate. Can be retrieved using the msgraph-identity-directory-roles-list command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MSGraphIdentity.Role.deletedDateTime | Date | The time when the role was deleted. Displays only if the role was deleted. |
| MSGraphIdentity.Role.description | String | The description of the directory role. |
| MSGraphIdentity.Role.displayName | String | The display name of the directory role. |
| MSGraphIdentity.Role.id | String | The unique identifier of the directory role. |
| MSGraphIdentity.Role.roleTemplateId | String | The ID of the directory role template on which this role is based. |

Command Example#

!msgraph-identity-directory-role-activate role_template_id=role-template-id

Context Example#

```json
{
    "MSGraphIdentity": {
        "Role": {
            "deletedDateTime": null,
            "description": "Can create and manage all aspects of app registrations and enterprise apps.",
            "displayName": "Application Administrator",
            "id": ":id:",
            "roleTemplateId": "role-template-id"
        }
    }
}
```

Human Readable Output#

Role has been activated#

| id | roleTemplateId | displayName | description | deletedDateTime |
| --- | --- | --- | --- | --- |
| id | role-template-id | Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | |

msgraph-identity-directory-role-members-list#


Lists all members of the role with the given role ID.

Base Command#

msgraph-identity-directory-role-members-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| role_id | The ID of the role whose members to list. Can be retrieved using the msgraph-identity-directory-roles-list command. | Required |
| limit | The maximum number of members to fetch. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MSGraphIdentity.RoleMember.user_id | String | The unique identifier of the user in the role. |
| MSGraphIdentity.RoleMember.role_id | String | The unique identifier of the role specified in the input. |

Command Example#

!msgraph-identity-directory-role-members-list role_id=:role:

Context Example#

```json
{
    "MSGraphIdentity": {
        "RoleMember": {
            "role_id": ":role:",
            "user_id": [
                "70585180-517a-43ea-9403-2d80b97ab19d",
                "5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de"
            ]
        }
    }
}
```

Human Readable Output#

Role ':role:' members:#

| role_id | user_id |
| --- | --- |
| :role: | 70585180-517a-43ea-9403-2d80b97ab19d, 5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de, "id", a7cedb37-c4e5-4cfb-a327-7bafb34a1f49 |
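The roles-list and role-members-list outputs above are enough to audit who holds which directory role. The following is an added example, not code from the integration; it assumes the context shapes shown on this page (MSGraphIdentity.Role and MSGraphIdentity.RoleMember), and the sample context and the APPROVED allow-list are constructed for illustration.

```python
"""Audit directory-role membership from this integration's context output.

Added example, not code from the MicrosoftGraphIdentityandAccess integration.
In an XSOAR automation the two lists would come from the results of
!msgraph-identity-directory-roles-list and
!msgraph-identity-directory-role-members-list; here they are constructed inline.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample context, reusing the placeholder values shown on this page.
ROLES_CTX: List[dict] = [
    {"deletedDateTime": None, "id": ":id:", "roleTemplateId": "role-template-id",
     "displayName": "Application Administrator",
     "description": "Can create and manage all aspects of app registrations and enterprise apps."},
]
MEMBERS_CTX: List[dict] = [
    {"role_id": ":id:", "user_id": ["70585180-517a-43ea-9403-2d80b97ab19d",
                                    "5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de"]},
]
# Approved holders per role display name (constructed allow-list, an assumption).
APPROVED: Dict[str, Set[str]] = {
    "Application Administrator": {"70585180-517a-43ea-9403-2d80b97ab19d"},
}


def roles_by_user(roles: List[dict], members: List[dict]) -> Dict[str, List[str]]:
    """Map each user ID to the display names of the non-deleted roles it holds."""
    names = {r["id"]: r["displayName"] for r in roles if not r.get("deletedDateTime")}
    held: Dict[str, List[str]] = {}
    for entry in members:
        users = entry.get("user_id") or []
        if isinstance(users, str):  # a single member may arrive as a bare string
            users = [users]
        role_name = names.get(entry["role_id"], entry["role_id"])  # fall back to the raw ID
        for uid in users:
            held.setdefault(uid, []).append(role_name)
    return held


def unexpected_members(roles: List[dict], members: List[dict],
                       approved: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return sorted (user_id, role_name) pairs for holders not on the role's allow-list."""
    findings = [(uid, role) for uid, held in roles_by_user(roles, members).items()
                for role in held if uid not in approved.get(role, set())]
    return sorted(findings)


if __name__ == "__main__":
    for uid, role in unexpected_members(ROLES_CTX, MEMBERS_CTX, APPROVED):
        # Review each finding; a confirmed unwanted holder can be removed with
        # !msgraph-identity-directory-role-member-remove using the role's id and this uid.
        print(f"review: {uid} holds {role!r} without approval")
```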

msgraph-identity-directory-role-member-add#


Adds a user to a role.

Base Command#

msgraph-identity-directory-role-member-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| role_id | The ID of the role to add the user to. Can be retrieved using the msgraph-identity-directory-roles-list command. | Required |
| user_id | The ID of the user to add to the role. Can be retrieved using the msgraph-identity-directory-role-members-list command. | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-identity-directory-role-member-add role_id=:role: user_id=:id:

Human Readable Output#

User ID :id: has been added to role :role:

msgraph-identity-directory-role-member-remove#


Removes a user from a role.

Base Command#

msgraph-identity-directory-role-member-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| role_id | ID of the role from which to remove the user. Can be retrieved using the msgraph-identity-directory-roles-list command. | Required |
| user_id | ID of the user to remove from the role. Can be retrieved using the msgraph-identity-directory-role-members-list command. | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-identity-directory-role-member-remove role_id=:role: user_id=:id:

Human Readable Output#

User ID :id: has been removed from role :role: