Identities GraphQL API๐
Query๐
Description: Public queries
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| identity | Identity | Returns the identity with the external id on the given identity provider. If the provider is null, all of your providers will be searched. If there are multiple matches, one will be selected non-deterministically. It is highly recommended to provide the provider to avoid ambiguity. | id: ID, provider: ID |
| identities | IdentitiesQueryResponse | Returns all identities for the tenant-context. | input: IdentitiesQuery |
| identityFacets | IdentityFacetsResponse | Gets aggregated counts per facet for the identities based on the query parameters. | query: IdentitiesQuery |
| identityDevice | IdentityDevice | Returns the device with the external id on the given identity provider. If the provider is null, all of your providers will be searched. If there are multiple matches, one will be selected non-deterministically. It is highly recommended to provide the provider to avoid ambiguity. | id: ID, provider: ID |
| identityDevices | IdentityDevicesQueryResponse | Returns all identity devices for the tenant-context matching your query. | input: IdentityDevicesQuery |
| identityDeviceFacets | IdentityDeviceFacetsResponse | Gets aggregated counts per facet for the identity devices based on the query parameters. | query: IdentityDevicesQuery |
| identityGroup | IdentityGroup | Returns the group with the external id on the given provider. If the provider is null, all of your providers will be searched. If there are multiple matches, one will be selected non-deterministically. It is highly recommended to provide the provider to avoid ambiguity. | id: ID, provider: ID |
| identityGroups | IdentityGroupsQueryResponse | Returns all groups for the tenant-context matching your query. | query: IdentityGroupsQuery |
| identityGroupFacets | IdentityGroupFacetsResponse | Gets aggregated counts per facet for the identity groups based on the query parameters. | query: IdentityGroupsQuery |
| identityProviders | IdentityProvider | Returns all identity providers for the tenant-context. | |
| primaryIdentityProvider | IdentityProvider | Returns the primary identity provider for the tenant-context. If there is no primary identity provider, the result is null. | |
| identityHierarchy | IdentityHierarchy | Returns a list containing up to childLimit direct reports, up to parentLimit managers, and the identity itself. Use the manager field on the identity to determine the relationship between the identities. If the provider is null, all of your identity providers will be searched, and if there is only one, it will be used. If there are multiple, one will be selected non-deterministically. It is highly recommended to supply the provider to avoid ambiguity. | id: ID, provider: ID, childLimit: Int, parentLimit: Int |
| identityForLegacyEntities | Identity | Returns potential identities for the provided entities. It is possible for multiple identities to match for a single entity or none at all. Use the legacyEntities field on the identity to determine which entities the identity is associated with. If the provider is null, all of your identity providers will be searched. | entities: String, provider: ID |
| identityForLegacyEntitiesLookup | Map | Fast lookup for the identity of the given entities. It returns a map with a key for each input entity and a nullable IdentityReference of just an identity id and provider id. If the identity is not found, the value will be null. This is used for alert details to quickly check if any of the alert entities have identity context. If the provider is null, all of your identity providers will be searched. | entities: String, provider: ID |
| identityGenericProfiles | IdentityGenericProfiles | Gets recorded generic profiles for an identity over the given time period. If no time is specified, it defaults to the last seven days. If no provider is specified, all of your providers will be searched for a matching identity. If multiple identities match, one will be selected non-deterministically. It is highly recommended to supply the provider. | id: ID, provider: ID, startTime: Time, endTime: Time, feature: IdentityGenericProfileFeature |
| identitiesOverview | IdentitiesOverview | Gets the overview of the identities and identity ingestion in the tenant. | input: IdentitiesOverviewQuery |
| identityServicePrincipal | IdentityServicePrincipal | Returns the service principal with the id on the given identity provider. If the provider is null, all of your providers will be searched, and if there is only one, it will be used. If there are multiple, one will be selected non-deterministically. It is highly recommended to supply the provider to avoid ambiguity. | id: ID, provider: ID |
| identityServicePrincipals | IdentityServicePrincipalsQueryResponse | Returns all identity service principals for the tenant-context matching your query. | input: IdentityServicePrincipalsQuery |
| identityServicePrincipalFacets | IdentityServicePrincipalsFacetsResponse | Gets aggregated counts per facet for the service principals based on the query parameters. | input: IdentityServicePrincipalsQuery |
| identitiesByOpenAlerts | IdentityOpenAlerts | Returns identities with the most open alerts for the given time range. If no time range is specified the last 3 days is used. Not guaranteed to be all open alerts for the identity, only certain alerts are accounted for to improve performance. If the provider is null, all of your identity providers will be searched. | provider: ID, limit: Int, earliest: Time, latest: Time |
| identitiesByAlerts | IdentityOpenAlerts | Returns identities with the most alerts for the given time range. If no time range is specified the last 3 days is used. Not guaranteed to be all alerts for the identity, only certain alerts are accounted for to improve performance. If the provider is null, all of your identity providers will be searched. | provider: ID, limit: Int, earliest: Time, latest: Time |
| identityProviderHealth | IdentityProviderHealth | Gives a general health status of the identity provider | provider: ID |
| identitiesByReferences | Identity | Returns identities that match any of the provided references. | references: IdentityReferenceInput |
ID๐
Description: The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Int๐
Description: The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
String๐
Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Mutation๐
Description: Public mutations
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| setupIdentityProvider | SetupIdentityProviderResponse | Setup an identity provider. This will start ingestion of identities and posture. The credentials must match a known structure for the given provider type. If a provider using the same credentials already exists, this will return an error. Caller tenant must have the identity service enabled. If the credentials contains a field called "keyId" it will be look for a private key matching that key generated from the generateIdentityCertificate mutation. | type: IdentityProviderType, credentials: Map, options: IdentityProviderCreationOptions |
| startIdentityProviderSetup | StartIdentityProviderSetupResponse | Intended to be used for Sophos or brand new Taegis customers. Assumes no pre-existing TRIP integrations or connections for playbooks. This will automatically install the Microsoft Graph Ingestor and Identity Azure apps using the Sophos Master app. | type: IdentityProviderType, options: StartIdentityProviderSetupOptions |
| setupIdentityProviderResponseActions | SetupIdentityProviderResponseActionsResponse | Sets up the required orchestration connection and playbooks to execute pre-configured response actions. | provider: ID |
| setPrimaryIdentityProvider | Boolean | Sets the given identity provider as the default provider for the tenant. The previous primary provider will be set to non-primary. Returns true if the provider was successfully set as primary. False if the provider doesn't exist. | id: ID |
| renameIdentityProvider | Boolean | Renames the identity provider. Returns true if the provider was successfully renamed. False if the provider doesn't exist. | id: ID, name: String |
| disableIdentityProvider | Boolean | Disable an identity provider. This will stop any ingestion of identities or posture. Returns true if the provider was successfully disabled. False if the provider doesn't exist. | id: ID |
| enableIdentityProvider | Boolean | Enables a previously disabled identity provider. This will restart ingestion of identities Caller tenant must have the identity service enabled. Returns true if the provider was successfully enabled. False if the provider doesn't exist. | id: ID |
| deleteIdentityProvider | Boolean | Deletes the identity provider and all its identities. Returns true if the provider was successfully deleted. False if the provider wasn't disabled or doesn't exist. This is not reversible, use with caution. | id: ID |
| generateIdentityCertificate | IdentityCertificate | Generates a public/private key pair for the tenant-context. If the private key id is not provided, a new key pair will be generated and assigned an id. The privateKeyId from the output certificate can be used in the setupIdentityProvider mutation to associate the private key with the identity provider. If the expiration is not provided, the certificate will be valid for 365 days. | privateKeyID: ID, expiration: Time |
| updateIdentityProviderCredentials | Boolean | Updates the credentials for the identity provider. The credentials must match a known structure for the given provider type. If the credentials contains a field called "keyId" it will be look for a private key matching that key generated from the generateIdentityCertificate mutation. Returns true if the provider was successfully updated. False if not. | id: ID, credentials: Map |
Boolean๐
Description: The Boolean scalar type represents true or false.
Time๐
Description: A timestamp type.
Map๐
Description: A map type.
IdentityProviderType๐
Description: An identity provider type.
IdentityReference๐
Description: A reference/key to an identity.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providerId | ID | The identity provider id this identity is associated with. | |
| externalId | String | External ID of the identity. |
IdentityReferenceInput๐
Description: An input used to reference/key an identity.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providerId | ID | The identity provider id this identity is associated with. | |
| externalId | String | External ID of the identity. |
IdentitiesQuery๐
Description: Query options for identities.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| idpId | ID | Optional filter to restrict the query to a specific identity provider. Otherwise all identity providers are included. Deprecated, use providers instead. | |
| providers | ID | Optional filter to restrict the query to specific identity providers. Otherwise all identity providers are included. | |
| offset | IdentityOffsetInput | Paging offset. | |
| sortBy | IdentitySortBy | The field to sort by. | |
| sortOrder | IdentitySortOrder | The sort order. | |
| displayNameContains | String | Optional filter to restrict the query to identities with a display name containing the provided substring. Otherwise all display names are included. | |
| fuzzySearch | String | Optional filter to restrict the query to identities with a display name, givenName, surName, email, or username containing the provided substring. Otherwise all identities are included. | |
| allowedStatus | IdentityStatus | Deprecated. Use status instead. | |
| status | IdentityStatus | Optional filter to restrict the query to identities with a specific status. Otherwise all statuses are included. | |
| department | String | Optional filter to restrict the query to identities with a specific department. Otherwise all departments are included. An empty string will search for both null and empty departments. | |
| employeeType | String | Optional filter to restrict the query to identities with a specific employee type. Otherwise all employee types are included. An empty string will search for both null and empty employee types. | |
| isAdmin | Boolean | Optional filter to restrict the query to identities that are or are not admins. Otherwise all identities are included | |
| hasMfa | Boolean | Optional filter to restrict the query to identities with or without MFA enabled. Otherwise all MFA statuses are included. | |
| hasPasswordlessMfa | Boolean | Optional filter to restrict the query to identities with or without passwordless MFA enabled. Otherwise all passwordless MFA statuses are included. | |
| primaryMfaMethod | String | Optional filter to restrict the query to identities with a specific primary MFA method. Otherwise all primary MFA methods are included. A null value will search for identities with no primary MFA method. | |
| stale | Boolean | Optional filter to restrict the query to identities that are or are not considered stale. Otherwise all identities are included. | |
| country | String | Optional filter to restrict the query to identities with a specific country code. Otherwise all country codes are included. An empty string will search for both null and empty country codes. | |
| region | String | Optional filter to restrict the query to identities with a specific region. Otherwise all regions are included. An empty string will search for both null and empty regions. | |
| isGuest | Boolean | Optional filter to restrict the query to identities that are or are not guests. Otherwise all identities are included. | |
| mfaMethod | String | Optional filter to restrict the query to identities with a specific MFA method. Otherwise all MFA methods are included. A null value will search for identities with no MFA method. | |
| hasLoggedIn | Boolean | Optional filter to restrict the query to identities that have logged in at least once. Otherwise all identities are included. | |
| isCompromised | Boolean | Optional filter to restrict the query to identities that are or are not considered compromised. Otherwise all identities are included. | |
| isCloudOnly | Boolean | Optional filter to restrict the query to identities that are or are not considered cloud only. Otherwise all identities are included. | |
| isVip | Boolean | Optional filter to restrict the query to identities that are or are not considered VIP. Otherwise all identities are included. |
IdentityStringFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | String | The string value | |
| count | Int | The count of findings with this value |
IdentityStatusFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityStatus | The status | |
| count | Int | The count of identities with this status |
IdentityServicePrincipalStatusFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityServicePrincipalStatus | The status | |
| count | Int | The count of identities with this status |
IdentityBoolFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | Boolean | The boolean value | |
| count | Int | The count of findings with this value |
IdentityDeviceStateFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityDeviceState | The state | |
| count | Int | The count of devices with this state |
IdentityDeviceBYODStatusFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityDeviceBYODStatus | The BYOD status | |
| count | Int | The count of devices with this BYOD status |
IdentityDeviceOSFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityDeviceOS | The OS | |
| count | Int | The count of devices with this OS |
IdentityDeviceArchFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityDeviceArch | The architecture | |
| count | Int | The count of devices with this architecture |
IdentityProviderFacet๐
Description: Count of a value for a facet.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | IdentityProvider | The provider | |
| count | Int | The count of elements with this provider |
IdentityDeviceFacetsResponse๐
Description: Response for facets of identity devices.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providers | IdentityProviderFacet | The providers of devices in the query | |
| state | IdentityDeviceStateFacet | State of devices in the query | |
| byodStatus | IdentityDeviceBYODStatusFacet | BYOD status of devices in the query | |
| os | IdentityDeviceOSFacet | OS of devices in the query | |
| architecture | IdentityDeviceArchFacet | Architecture of devices in the query | |
| manufacturer | IdentityStringFacet | Manufacturer of devices in the query | |
| model | IdentityStringFacet | Model of devices in the query | |
| isCompliant | IdentityBoolFacet | Facet counts for devices in the query by compliance | |
| isManaged | IdentityBoolFacet | Facet counts for devices in the query by management | |
| isRooted | IdentityBoolFacet | Facet counts for devices in the query by rooted status | |
| isStale | IdentityBoolFacet | Facet count of devices in the query by stale status |
IdentityFacetsResponse๐
Description: Facet counts for an identity query.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providers | IdentityProviderFacet | The providers of identities in the query | |
| status | IdentityStatusFacet | Statuses of identities in the query | |
| department | IdentityStringFacet | Departments of identities in the query | |
| employeeType | IdentityStringFacet | Employee types of identities in the query | |
| isAdmin | IdentityBoolFacet | Countries of identities in the query | |
| stale | IdentityBoolFacet | Count of identities that are/aren't considered stale | |
| hasMfa | IdentityBoolFacet | Count of identities with/without MFA enabled | |
| hasPasswordlessMfa | IdentityBoolFacet | Count of identities with/without passwordless MFA enabled | |
| primaryMfaMethod | IdentityStringFacet | Count of identities with each primary MFA method | |
| country | IdentityStringFacet | Countries of identities in the query per country | |
| region | IdentityStringFacet | Regions of identities in the query per region | |
| isGuest | IdentityBoolFacet | Count of identities that are/aren't guests | |
| mfaMethod | IdentityStringFacet | Count of identities by mfa methods | |
| isCompromised | IdentityBoolFacet | Count of identities that are/aren't compromised | |
| isCloudOnly | IdentityBoolFacet | Count of identities that are cloud only or hybrid if false selected |
IdentitySortBy๐
Description: Input for sorting identities in queries.
IdentitySortOrder๐
Description: Sort direction for identities in queries.
IdentityOffsetInput๐
Description: Input paginating identities.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| offset | Int | Start index for the query, inclusive, starting from 0 | |
| limit | Int | End index for the query, exclusive |
IdentityStatus๐
Description: Status of an identity on an external identity provider.
IdentityIcon๐
Description: Icon representing the identity.
IdentityEntityReference๐
Description: A reference to an entity for an identity.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| label | String | Type of entity | |
| id | ID | ID of the entity |
IdentitiesQueryResponse๐
Description: Identities matching the query and the total number of identities across all pages.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| identities | Identity | The identities that match the query | |
| total | Int | The total number of identities that match the query |
Identity๐
Description: An identity on an external identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| provider | IdentityProvider | The identity provider this identity is associated with. | |
| manager | ID | External ID of the manager for this identity. May be null if not available from the identity provider or they have no manager. | |
| externalId | String | The IdP ID of this identity. | |
| displayName | String | Display name taken from the IdP or inferred if not available. | |
| givenName | String | First name | |
| surname | String | Last name | |
| status | IdentityStatus | Current status of this identity. May be unknown if not available from the identity provider. | |
| title | String | Job title associated with this identity. May be empty if not available. | |
| department | String | Department associated with this identity. May be empty if not available. | |
| emails | String | Email addresses associated with this identity. May be empty if not available. | |
| phoneNumbers | String | Phone numbers associated with this identity. May be empty if not available. | |
| userNames | String | Usernames associated with this identity. May be empty if not available. | |
| primaryEntity | IdentityEntityReference | The primary entity representing this identity. This entity is guaranteed to exist in the graph and should be used for response actions. | |
| entities | IdentityEntityReference | Potential entities this identity is associated with. | |
| legacyEntities | String | Potential legacy entities this identity is associated with. e.g., targetUserName:john.doe |
|
| createdAt | Time | The time this identity was created on the external identity provider. May be null if not available from the identity provider. | |
| ingestedAt | Time | When Taegis first started tracking this identity. | |
| lastUpdated | Time | The time this identity was last updated from the external identity provider. Only increments if the identity is updated on the external identity provider as well. | |
| employeeType | String | The type of employee the user is, could be full-time, part-time, contractor, etc. May be empty if not available. | |
| hireDate | Time | The date the user was hired. May be empty if not available. | |
| leaveDate | Time | The date the user is expected to leave. May be empty if not available. | |
| lastPasswordChangeAt | Time | When the user last changed their password. May be empty if not available. | |
| isAdmin | Boolean | whether the user is an admin in their environment. Can be false if not available. | |
| isGuest | Boolean | whether the user is a guest in their environment | |
| hasMfa | Boolean | whether the user has MFA enabled. Can be false if not available. | |
| hasPasswordlessMfa | Boolean | whether the user has passwordless MFA enabled. Can be false if not available. | |
| primaryMfaMethod | String | The primary MFA method for this identity, if any. | |
| mfaMethods | String | All MFA methods enabled for this identity. | |
| lastActiveAt | Time | The last time this identity was active, based on login events. Can be inaccurate. | |
| properties | Map | Custom properties associated with this identity that are unique to the IdP or tenant. | |
| country | String | Country of the identity. May be empty if not available. | |
| region | String | The state or province of the identity. May be empty if not available. | |
| city | String | The city of the identity. May be empty if not available. | |
| zipCode | String | The postal code of the identity. May be empty if not available. | |
| officeLocation | String | Full address of the identities primary office location. May be empty if not available. | |
| officeZipCode | String | The zip code of the identities primary office location. May be empty if not available. | |
| usageLocation | String | The primary usage country code of the identity. May be empty if not available. | |
| icon | IdentityIcon | Primary icon/tag representing the identity | |
| tags | IdentityIcon | Other tags/icons representing the identity | |
| groups | IdentityGroupsQueryResponse | List of groups this user belongs to | search: String, offset: IdentityOffsetInput |
| ownedServicePrincipals | IdentityServicePrincipalsQueryResponse | List of service principals this user is an owner of | search: String, offset: IdentityOffsetInput |
| devices | IdentityDevicesQueryResponse | List of devices this user is associated with | query: IdentityDevicesQuery |
| isCompromised | Boolean | Whether the user is has compromised credentials | |
| isVip | Boolean | Whether the user is a VIP identity, tagged as VIP in the compromise settings |
IdentityProvider๐
Description: A configured identity provider that we are syncing identities against.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | The unique identifier for this identity provider within Taegis | |
| name | String | The display name for this identity provider | |
| primary | Boolean | If this IdP is the primary provider for this tenant. Only one IdP can be primary. | |
| type | IdentityProviderType | The type of identity provider | |
| tenant | String | Tenant associated with this identity provider | |
| createdAt | Time | The time this identity provider was created | |
| updatedAt | Time | The time this identity provider was last updated | |
| disabledAt | Time | The time this identity provider was disabled, if disabled | |
| status | IdentityProviderStatus | The status of this identity provider | |
| playbookConnector | ID | The playbook connector associated with this identity provider | |
| tripIntegration | ID | The trip integration associated with this identity provider | |
| publicHash | String | Hash of the environment details for this idp | |
| expiration | Time | If this IdP is using credentials that can expire, this is the expiration time. | |
| license | IdentityProviderLicense | Information about the identity provider license | |
| integrations | Int | The telemetry ingest TRIP integrations |
SetupIdentityProviderResponse๐
Description: Response for attempting to setup an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| provider | IdentityProvider | The created provider, null if an error occurred |
IdentityProviderStatus๐
Description: Status of an identity provider.
IdentityProviderCreationOptions๐
Description: Optional configurations for creating an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| name | String | Display name for the identity provider. If not provided the generated id will be used. | |
| tripIngestionName | String | Optional display name for trip ingestion, defaults to the provider id if not specified. |
IdentityApplicationType๐
Description: The installed application type in customers environment.
StartIdentityProviderSetupOptions๐
Description: Configurations for creating and provisioning an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providerTenantId | ID | The tenant ID of the provider to provision apps and resources in. For MS Entra, this is the Azure tenant ID. | |
| name | String | Display name for the identity provider | |
| provisionTelemetryIngest | Boolean | Option to provision telemetry ingest | |
| provisionResponseActions | Boolean | Option to provision response action playbooks and associated connection |
IdentityApplication๐
Description: Installed application in customer provider environment.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| application | IdentityApplicationType | The type of the application | |
| applicationId | ID | The ID of the application | |
| authorizationUrl | String | The URL the client can navigate to to authorize the installed application in the customer provider environment |
StartIdentityProviderSetupResponse๐
Description: Returns created identity provider and list of applications installed in customer environment.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| provider | IdentityProvider | The created Identity Provider model | |
| applications | IdentityApplication | List of installed applications in customer provider environment |
SetupIdentityProviderResponseActionsResponse๐
Description: Returns created orchestration connection ID and associated installed application in customer environment.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| connectionId | String | The ID of the orchestration connection that was created | |
| application | IdentityApplication | The application that was created and installed in the customer environment |
IdentityHierarchy๐
Description: Organization hierarchy of an identity.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| identity | Identity | The identity | |
| managers | Identity | The managers of the identity and their managers, up to the parentLimit. Ordered from the identity's manager to the top of the hierarchy. | |
| directReports | Identity | The direct reports of the identity | |
| numDirectReports | Int | Total number of direct reports, including those not returned in the directReports field |
IdentityGenericProfileFeature๐
Description: Types of profiles captured by the generic profiles system.
IdentityGenericProfiles๐
Description: All the generic profiles for an identity within a given time range.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| feature | IdentityGenericProfileFeature | The feature of the generic profiles | |
| profiles | IdentityGenericProfile | The profiles for the feature within the time range |
IdentityGenericProfile๐
Description: Single window generic profile for an identity.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| value | String | The value of the profile | |
| startTime | Time | Start time window of the profile | |
| endTime | Time | End time window of the profile | |
| count | Int | How many times the profile was seen in the time window |
IdentitiesOverviewQuery๐
Description: Parameters for the identities overview query.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| changedSince | Time | For statistics of changes to data in the last X days. Defaults to 7 days ago. |
IdentitiesOverview๐
Description: General statistics about identities and identity ingestion.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| totalIdentities | Int | Total number of identities | |
| totalIdentitiesAdded | Int | Total number of identities added in the time period specified in input | |
| totalDevices | Int | Total number of devices | |
| totalDevicesAdded | Int | Total number of devices added (registered) in the time period specified in input | |
| totalServicePrincipals | Int | Total number of service principals | |
| totalServicePrincipalsAdded | Int | Total number of service principals added in the time period specified in input | |
| domainList | String | Total number of domains | |
| totalGroups | Int | Total number of groups | |
| totalGroupsAdded | Int | Total number of groups added in the time period specified in input |
IdentityCertificate๐
Description: A certificate and its associated key.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| certificate | String | The certificate in PEM format | |
| keyId | ID | Reference to the key associated with the certificate |
IdentityDeviceBYODStatus๐
Description: Classification for device ownership.
IdentityDeviceState๐
Description: Classification for device state.
IdentityDeviceProperty๐
Description: Classification for device properties/flags.
IdentityDeviceOS๐
Description: Classification for device operating system.
IdentityDeviceArch๐
Description: Classification for device architecture.
IdentityDeviceSortBy๐
Description: Options for sorting devices query.
IdentityDevicesQuery๐
Description: Input options for querying devices.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| idpId | ID | Optional filter to restrict the query to a specific identity provider. Otherwise all identity providers are included. Deprecated, use providers instead. | |
| providers | ID | Optional filter to restrict the query to specific identity providers. Otherwise all identity providers are included. | |
| offset | IdentityOffsetInput | Paging offset | |
| sortBy | IdentityDeviceSortBy | The field to sort by | |
| sortOrder | IdentitySortOrder | The sort order | |
| displayNameContains | String | Optional filter to restrict the query to devices with a display name containing the provided substring. Otherwise all display names are included. | |
| allowedState | IdentityDeviceState | Optional filter to restrict the query to devices with a specific state. Otherwise all states are included. | |
| allowedBYODStatus | IdentityDeviceBYODStatus | Optional filter to restrict the query to devices with a specific BYOD status. Otherwise all BYOD statuses are included. | |
| allowedOS | IdentityDeviceOS | Optional filter to restrict the query to devices with a specific OS. Otherwise all OSes are included. | |
| allowedArchitecture | IdentityDeviceArch | Optional filter to restrict the query to devices with a specific architecture. Otherwise all architectures are included. | |
| allowedManufacturer | String | Optional filter to restrict the query to devices with a specific manufacturer. Otherwise all manufacturers are included. | |
| allowedModel | String | Optional filter to restrict the query to devices with a specific model. Otherwise all models are included. | |
| identities | ID | Optional filter to restrict the query to devices associated with at least one of the provided identities. | |
| isRooted | Boolean | Optional filter to restrict the query to devices that are/aren't rooted. Otherwise all devices are included. | |
| isManaged | Boolean | Optional filter to restrict the query to devices that are/aren't managed. Otherwise all devices are included. | |
| isCompliant | Boolean | Optional filter to restrict the query to devices that are/aren't compliant. Otherwise all devices are included. | |
| externalIds | String | Optional filter to restrict the query to devices with a specific external ID. Otherwise all external IDs are included. | |
| isStale | Boolean | Optional filter to restrict the query to identities that are or are not considered stale. Otherwise all identities are included. Considered stale if not active since 90 days. |
IdentityDevicesQueryResponse๐
Description: Query response for devices.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| devices | IdentityDevice | The devices that match the query | |
| total | Int | The total number of devices that match the query |
IdentityDevice๐
Description: A device from an identity provider that manages devices.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| externalId | String | The unique identifier for this device on the identity provider | |
| provider | IdentityProvider | The identity provider this device is associated with | |
| associatedIdentities | ID | Any identities associated with this device | |
| displayName | String | Display name of the device. May be inferred if not available from the identity provider. | |
| state | IdentityDeviceState | State of the device | |
| properties | IdentityDeviceProperty | Management properties of the device | |
| isRooted | Boolean | Whether the device is rooted/jailbroken | |
| isManaged | Boolean | Whether the device is managed by InTune | |
| isCompliant | Boolean | Whether the device is compliant with InTune | |
| byodStatus | IdentityDeviceBYODStatus | BYOD status of the device | |
| customLabels | Map | Custom labels associated with this device that are unique to the IdP or tenant | |
| os | IdentityDeviceOS | OS of the device | |
| osVersion | String | OS version of the device | |
| architecture | IdentityDeviceArch | Architecture of the device | |
| manufacturer | String | Manufacturer of the device | |
| model | String | Model of the device | |
| lastUsedAt | Time | When this device was last used - can be delayed from actual last use | |
| createdAt | Time | The time this device was registered on the external identity provider. May be null if not available from the identity provider. | |
| updatedAt | Time | The time this device was last updated from the external identity provider. Only increments if the device is updated on the external identity provider as well. | |
| aliases | String | Other possible identifiers for the device | |
| entities | IdentityEntityReference | Potential entities this device is associated with | |
| legacyEntities | String | Potential legacy entities this device is associated with. e.g., hostName:JohnDoes-Macbook-Pro |
IdentityServicePrincipalsQuery๐
Description: Query options for service principals.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| idpId | ID | Optional filter to restrict the query to a specific identity provider. Otherwise all identity providers are included. Deprecated, use providers instead. | |
| providers | ID | Optional filter to restrict the query to specific identity providers. Otherwise all identity providers are included. | |
| offset | IdentityOffsetInput | Paging offset | |
| sortBy | IdentityServicePrincipalSortBy | The field to sort by | |
| sortOrder | IdentitySortOrder | The sort order | |
| displayNameContains | String | Optional filter to restrict the query to service principals with a display name containing the provided substring. Otherwise all display names are included. | |
| status | IdentityServicePrincipalStatus | Optional filter to restrict the query to service principals with a specific status. Otherwise all statuses are included. | |
| hasPasswordCredentials | Boolean | Optional filter to restrict the query to service principals having password credentials. Otherwise all service principals are included. | |
| hasKeyCredentials | Boolean | Optional filter to restrict the query to service principals having key credentials. Otherwise all service principals are included. | |
| applicationId | String | Optional filter to restrict the query to service principals with having the specific applicationId. Otherwise all service principals are included. |
IdentityServicePrincipalsQueryResponse๐
Description: Query response for service principals.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| servicePrincipals | IdentityServicePrincipal | The service principals that match the query | |
| total | Int | The total number of service principals that match the query |
IdentityServicePrincipalSortBy๐
Description: Sort options for service principals.
IdentityServicePrincipalStatus๐
Description: Status of a service principal on an external identity provider.
IdentityServicePrincipal๐
Description: Installed entra applications (Service Principals) from an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | String | The unique identifier for this device on the identity provider | |
| provider | IdentityProvider | The identity provider this device is associated with | |
| displayName | String | The display name of the service principal | |
| applicationId | String | The applicationId of the service principal, Null if the service principal doesn't have one. | |
| status | IdentityServicePrincipalStatus | The status of the service principal. May be unknown if not available from the identity provider. | |
| createdAt | Time | When the service principal was created on the identity provider. May be null if not available from the identity provider. | |
| updatedAt | Time | When the service principal was last updated from the external identity provider | |
| deletedAt | Time | The time this service principal was deleted on the external identity provider. Null if not deleted | |
| ingestedAt | Time | When we first started tracking this service principal | |
| userOwners | IdentitiesQueryResponse | Gets users that belong to this group. Search is an optional search for caseless text matching against the user's display name. | search: String, offset: IdentityOffsetInput |
| servicePrincipalOwners | IdentityServicePrincipalsQueryResponse | Gets service principals that own this group. Search is an optional search for caseless text matching against the service principal's display name. | search: String, offset: IdentityOffsetInput |
IdentityServicePrincipalsFacetsResponse๐
Description: Facet counts for a service principal query.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providers | IdentityProviderFacet | The providers of applications in the query | |
| status | IdentityServicePrincipalStatusFacet | Statuses of applications in the query | |
| hasPasswordCredentials | IdentityBoolFacet | Count of applications with/without password credentials | |
| hasKeyCredentials | IdentityBoolFacet | Count of applications with/without key credentials |
IdentityOpenAlerts๐
Description: An identity alongside how many alerts they have. Note that while it says OpenAlerts its no longer just open alerts but depends on the query.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| identity | Identity | The identities with alerts | |
| critical | Int | The number of critical alerts for the identity | |
| high | Int | The number of high alerts for the identity | |
| medium | Int | The number of medium alerts for the identity | |
| low | Int | The number of low alerts for the identity | |
| info | Int | The number of informational alerts for the identity |
IdentityGroup๐
Description: A group from an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | String | The unique identifier for this group on the identity provider | |
| provider | IdentityProvider | The identity provider this group is associated with | |
| displayName | String | The display name of the service principal | |
| description | String | The description of the group, if available | |
| isAssignableToRoles | Boolean | Indicates whether this group can be assigned to a Microsoft Entra role | |
| isMailEnabled | Boolean | Specifies whether the group is mail-enabled | |
| isSecurityEnabled | Boolean | Specifies whether the group is a security group | |
| isDeleted | Boolean | Specifies whether the group is deleted | |
| onPremiseSID | String | The security identifier of the group for on prem-AD | |
| securityIdentifier | String | The security identifier of the group | |
| expirationTime | Time | When the group will expire. Null if not set. | |
| deletedAt | Time | When the group was deleted on the identity provider. May be null if not available from the identity provider or the group is not deleted. | |
| createdAt | Time | When the group was created on the identity provider. May be null if not available from the identity provider. | |
| updatedAt | Time | When the group was last updated from the external identity provider | |
| ingestedAt | Time | When we first started tracking this group | |
| userMembers | IdentitiesQueryResponse | Gets users that belong to this group. Search is an optional search for caseless text matching against the user's display name. | search: String, offset: IdentityOffsetInput |
| servicePrincipalMembers | IdentityServicePrincipalsQueryResponse | Gets service principals that belong to this group. Search is an optional search for caseless text matching against the service principal's display name. | search: String, offset: IdentityOffsetInput |
| groupMembers | IdentityGroupsQueryResponse | Gets groups that belong to this group. Search is an optional search for caseless text matching against the group's display name. | search: String, offset: IdentityOffsetInput |
IdentityGroupFacetsResponse๐
Description: Facet counts for groups query.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| providers | IdentityProviderFacet | The identity providers of the groups in the query | |
| isAssignableToRoles | IdentityBoolFacet | The number of groups that are assignable to roles | |
| isMailEnabled | IdentityBoolFacet | The number of groups that are mail enabled | |
| isSecurityEnabled | IdentityBoolFacet | The number of groups that are security enabled | |
| isDeleted | IdentityBoolFacet | The number of groups that are deleted |
IdentityGroupSortBy๐
Description: Sort options for groups.
IdentityGroupsQuery๐
Description: Query options for service principals.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| idpId | ID | Optional filter to restrict the query to a specific identity provider. Otherwise all identity providers are included. Deprecated, use providers instead. | |
| providers | ID | Optional filter to restrict the query to specific identity providers. Otherwise all identity providers are included. | |
| offset | IdentityOffsetInput | Paging offset | |
| sortBy | IdentityGroupSortBy | The field to sort by | |
| sortOrder | IdentitySortOrder | The sort order | |
| fuzzySearch | String | Optional filter to restrict the query to service principals with a display name or SID containing the provided substring | |
| isAssignableToRoles | Boolean | If defined, only groups that are/aren't assignable to roles will be returned. | |
| isMailEnabled | Boolean | If defined, only groups that are/aren't mail enabled will be returned. | |
| isSecurityEnabled | Boolean | If defined, only groups that are/aren't security enabled will be returned. | |
| isDeleted | Boolean | If defined, only groups that are/aren't deleted will be returned. |
IdentityGroupsQueryResponse๐
Description: Groups matching the query and the total number of groups across all pages.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| groups | IdentityGroup | The groups that match the query | |
| total | Int | The total number of groups that match the query |
IdentityProviderHealth๐
Description: General health status of an identity provider setup. This does not report on the health of the ingestion or posture.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| health | IdentityProviderHealthStatus | Overall health summary | |
| credentialExpiration | Time | If the provided credentials expire, this is the time they will expire. | |
| integrations | IdentityProviderIntegrationHealth | Ingestion integrations | |
| missingPermissions | IdentityProviderPermission | Any permissions we expect to have but are missing. Note that this is a relatively expensive. | |
| extraPermissions | IdentityProviderPermission | Any permissions we have that we don't expect to have but are present on the credentials. |
IdentityProviderHealthStatus๐
Description: Health status for an identity provider.
IdentityProviderIntegrationHealth๐
Description: Proxy for a TRIP integration health related to an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| integrationId | Int | The ID of the integration in TRIP | |
| status | IdentityProviderHealthStatus | The status of the integration | |
| name | String | The name of the integration |
IdentityProviderPermission๐
Description: A permission for an application or integration used by a service principal.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| id | ID | The id of the permission | |
| displayName | String | The display name of the permission |
IdentityProviderLicense๐
Description: License information for an identity provider.
Fields๐
| Field | Type | Description | Arguments |
|---|---|---|---|
| name | String | The license name | |
| status | String | The license status | |
| isTrial | Boolean | If the license is in trial | |
| totalLicenses | Int | The total number of licenses | |
| createdAt | Time | The license created time | |
| expiration | Time | The license expiration time |