Microsoft Entra ID
Microsoft Entra ID, formerly known as Azure Active Directory, is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It serves as the backbone of the Office 365 system and can synchronize with on-premises systems.
Supported Actions and Example Prompts
The following table lists the supported actions and an example prompt for each action:
Action Name | Description | Prompt Example |
---|---|---|
Delete User | This action deletes a user. For more information, see Action: Delete User. | Delete the user 9797b127-13f2-4b0d-bfa0-446b3269b537 from Microsoft Entra ID. |
Get SignIn Details | This action retrieves the details of a sign-in using the audit logs API. For more information, see Action: Get Sign-in Details. | Get the sign-in details of the sign ID 8ff2a417-4d3f-44a5-94a3-1faf73515c01 from Microsoft Entra ID. |
Get User Details | The action retrieves details of a particular user. For more information, see Action: Get User Details. | Get the user details of the user 018005a6-6592-4668-b879-acc2fb264160 from Microsoft Entra ID. |
List Risky Users | This action retrieves the list of all risky users. For more information, see Action: List Risky Users. | List risky users from Microsoft Entra ID. |
List SignIns | This action retrieves a list of sign-ins using the audit logs API. For more information, see Action: List Sign-ins. | List sign-ins from Microsoft Entra ID. |
Revoke Session of a User | This action revokes a session of a user. For more information, see Action: Revoke Session of a User. | Revoke session of the user eb61a8b6-a72f-4024-a694-44a7f9e8b1e8. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the Microsoft Entra ID app.
Steps
To install and configure an app, follow these steps:
In the application, select Quarterback AI in the left pane.
In Apps, select Microsoft Entra ID and click Install.
After the app is installed, click Configure App and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Tenant ID: Enter the tenant ID.
Client ID: Enter the GUID that was assigned to your client application during the registration. This is also known as an application ID.
Client Secret: Enter the secret key of the client.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Delete User
This action deletes a specific user based on the user ID. When deleted, user resources are moved to a temporary container and can be restored within 30 days. After that time, they are permanently deleted. You must have the User.ReadWrite.All permission to delete users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID to delete a user. Example: 9797b127-13f2-4b0d-bfa0-446b3269b537 | Text | Required |
Example Request
[ { "userid": "9797b127-13f2-4b0d-bfa0-446b3269b537" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
HTTP/1.1 204 No Content | Status Code | Indicates that the request was successful but there is no content to send in the response. |
Action: Get Sign-in Details
This action retrieves the details of a sign-in using the audit logs API.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SignIn ID | Enter a sign-in ID. Example: 8ff2a417-4d3f-44a5-94a3-1faf73515c01 | Text | Required | You can retrieve the sign-in ID using the List Sign-ins action. |
Example Request
[ { "signin_id": "8ff2a417-4d3f-44a5-94a3-1faf73515c01" } ]
Action: Get User Details
The action retrieves the details of a user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the User ID or user principal name. Examples: | Text | Required |
Example Request
[ { "userid": "john@testdomain.com" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | Object | Contains a detailed response from the Microsoft Entra ID API. |
app_instance.response.businessPhones | Array | List of the user's business phone numbers. |
app_instance.response.displayName | String | Display name of the user. Example: "John Doe". |
app_instance.response.givenName | String | Given name of the user. Example: "John". |
app_instance.response.id | String | Unique identifier of the user. Example: "857fa008-db40-4264-a1a2-953c43ca60a4". |
app_instance.response.jobTitle | String | Job title of the user. Example: "Security Analyst". |
app_instance.response.mail | String | Email address of the user. Example: "johndoe@exampledomain.onmicrosoft.com". |
app_instance.response.mobilePhone | String | Mobile phone number of the user. Example: “+1 425 555 0109”. |
app_instance.response.officeLocation | String | Office location of the user. Example: “18/2111”. |
app_instance.response.preferredLanguage | String | Preferred language of the user. Example: “en-US”. |
app_instance.response.surname | String | Surname of the user. Example: “Doe”. |
app_instance.response.userPrincipalName | String | User principal name (UPN) of the user. Example: "johndoe@exampledomain.onmicrosoft.com". |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200. |
Action: List Risky Users
This action retrieves the list of all risky users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters to retrieve the list of users identified as risky. Example: filter=startsWith(displayName,'J') | Text | Optional |
Example Request
[ { "filters": "filter=startsWith(displayName,'J')" } ]
Action: List Sign-ins
This action retrieves a list of sign-ins using the audit logs API.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter the filters to apply in the search response. Example: userDisplayName eq 'Isabella Simonsen' | Text | Optional | |
Limit | Enter the number of results to retrieve. Example: 1000 | Integer | Optional |
Example Request
[ { "filter": "userDisplayName eq 'Isabella Simonsen'", "top": 1000 } ]
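The Filter value is an OData expression, so a name that contains a single quote must be escaped before it is placed in the request. The following is an added example, not code from the app or its vendor: it builds the List Sign-ins request body in the shape shown above, doubling single quotes as OData string literals require. The field allowlist, the limit cap, and the function names are assumptions made for this example.

```python
import json

# Assumed allowlist of sign-in properties this example accepts in a filter.
ALLOWED_FIELDS = {"userDisplayName", "userPrincipalName", "appDisplayName", "ipAddress"}
MAX_LIMIT = 1000  # assumed cap, taken from the Limit example on this page


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal (a single quote is doubled)."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed in a filter value")
    return "'" + value.replace("'", "''") + "'"


def build_list_signins_request(conditions: dict, limit: int = 100) -> str:
    """Return the List Sign-ins request body for 'eq' conditions joined with 'and'."""
    if not conditions:
        raise ValueError("at least one condition is required")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    clauses = []
    for field, value in conditions.items():
        # Field names are never taken verbatim from user input.
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed in filter: {field!r}")
        clauses.append(f"{field} eq {odata_string(value)}")
    return json.dumps([{"filter": " and ".join(clauses), "top": limit}])


if __name__ == "__main__":
    # Constructed inputs: the page's own example, then a name containing a quote.
    print(build_list_signins_request({"userDisplayName": "Isabella Simonsen"}, 1000))
    print(build_list_signins_request({"userDisplayName": "Conor O'Brien"}, 50))
```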
Action: Revoke Session of a User
The action revokes a user session. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation prevents access to the organization's data through applications on the device by requiring the user to sign in again to all applications that they have previously consented to, independent of the device.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID to revoke a session for the user. Example: eb61a8b6-a72f-4024-a694-44a7f9e8b1e8 | Text | Required |
Example Request
[ { "userid": "eb61a8b6-a72f-4024-a694-44a7f9e8b1e8" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | The OData context URL. Example: "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean" |
app_instance.value | Boolean | The boolean value returned by the API. Example: true |
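Revoking sessions forces a new sign-in but leaves the user's credentials unchanged, so a successful sign-in after the revocation time is worth reviewing. The following is an added example, not code from the app or its vendor: it selects users from List Risky Users output, builds Revoke Session request bodies in the shape shown above, and then lists successful sign-ins that occurred after revocation. It assumes the records carry the Microsoft Graph riskyUser and signIn field names used below; all sample records and function names are constructed for illustration.

```python
from datetime import datetime

CONTAIN_STATES = {"atRisk", "confirmedCompromised"}  # risk states still needing action


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def revoke_requests(risky_users: list) -> list:
    """One Revoke Session request body per high-risk, unremediated user."""
    return [[{"userid": u["id"]}] for u in risky_users
            if u["riskLevel"] == "high" and u["riskState"] in CONTAIN_STATES]


def signins_after_revocation(sign_ins: list, revoked_at: dict) -> list:
    """(sign-in ID, IP) for each successful sign-in made after the user's revocation."""
    hits = []
    for s in sign_ins:
        cutoff = revoked_at.get(s["userId"])
        if cutoff is None or s["status"]["errorCode"] != 0:
            continue  # user was not revoked, or the sign-in failed
        if parse_ts(s["createdDateTime"]) > parse_ts(cutoff):
            hits.append((s["id"], s["ipAddress"]))
    return hits


# Constructed sample data (user IDs reuse the example GUIDs on this page).
USER = "eb61a8b6-a72f-4024-a694-44a7f9e8b1e8"
RISKY_USERS = [
    {"id": USER, "riskLevel": "high", "riskState": "atRisk"},
    {"id": "018005a6-6592-4668-b879-acc2fb264160", "riskLevel": "low", "riskState": "atRisk"},
    {"id": "9797b127-13f2-4b0d-bfa0-446b3269b537", "riskLevel": "high", "riskState": "remediated"},
]
REVOKED_AT = {USER: "2024-05-01T10:00:00Z"}
SIGN_INS = [
    {"id": "s-1", "userId": USER, "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},      # before revocation
    {"id": "s-2", "userId": USER, "createdDateTime": "2024-05-01T10:20:00Z",
     "ipAddress": "203.0.113.50", "status": {"errorCode": 50126}},  # failed attempt
    {"id": "s-3", "userId": USER, "createdDateTime": "2024-05-01T10:45:00Z",
     "ipAddress": "203.0.113.50", "status": {"errorCode": 0}},      # success after revocation
]

if __name__ == "__main__":
    print(revoke_requests(RISKY_USERS))
    print(signins_after_revocation(SIGN_INS, REVOKED_AT))
```

A hit from an address the user does not recognize means someone signed in again with valid credentials after the sessions were revoked.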