azure.entraid-group
EntraID Group resource for managing Azure AD groups.
Supports filtering by group properties, membership analysis, and security monitoring. See Common EntraID Examples section for basic patterns.
Available filters: value, member-count, owner-count, member-types, group-type
Permissions: See Graph API Permissions Reference section.
- example:
Find groups without owners:
    policies:
      - name: groups-no-owners
        resource: azure.entraid-group
        filters:
          - type: owner-count
            count: 0
            op: equal
Filters
advisor-recommendation
Filter resources by Azure Advisor Recommendations
Select all categories with ‘all’
- example:
    policies:
      - name: disks-with-cost-recommendations
        resource: azure.disk
        filters:
          - type: advisor-recommendation
            category: Cost
            key: '[].properties.recommendationTypeId'
            op: contains
            value: '48eda464-1485-4dcf-a674-d0905df5054a'
    properties:
      category:
        type: string
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
        - mod
      type:
        enum:
        - advisor-recommendation
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          headers:
            patternProperties:
              ? ''
              : type: string
            type: object
          query:
            type: string
          url:
            type: string
        required:
        - url
        type: object
      value_path:
        type: string
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
        - float
    required:
    - category
    - type
group-type
Filter groups by type (security, distribution, dynamic, etc.).
- example:
Find security groups:
    policies:
      - name: security-groups
        resource: azure.entraid-group
        filters:
          - type: group-type
            group-type: security
- example:
Find dynamic groups:
    policies:
      - name: dynamic-groups
        resource: azure.entraid-group
        filters:
          - type: group-type
            group-type: dynamic
    properties:
      group-type:
        enum:
        - security
        - distribution
        - dynamic
        - unified
        - admin
        type: string
      type:
        enum:
        - group-type
    required:
    - type
member-types
Filter groups based on member types (internal vs external users).
Required permissions: GroupMember.Read.All, User.Read.All
- example:
Find groups with external members:
    policies:
      - name: groups-external-members
        resource: azure.entraid-group
        filters:
          - type: member-types
            include-external: true
    properties:
      include-external:
        type: boolean
      include-guests:
        type: boolean
      members-only:
        type: boolean
      type:
        enum:
        - member-types
    required:
    - type
owner-count
Filter groups based on owner count.
Required permission: Group.Read.All
- example:
Find groups without owners:
    policies:
      - name: groups-no-owners
        resource: azure.entraid-group
        filters:
          - type: owner-count
            count: 0
            op: equal
    properties:
      count:
        type: number
      op:
        enum:
        - greater-than
        - less-than
        - equal
        type: string
      type:
        enum:
        - owner-count
    required:
    - type
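The group-type, owner-count and member-types filters documented above can be stacked in one policy for security monitoring. The following is an added example, not part of the original reference; the policy names are hypothetical, and it assumes the policy engine's usual behaviour that filters in one list are ANDed and that an `or` block matches any of its children.

```yaml
# Added example; policy names are hypothetical.
# Only filter keys and values from the schemas on this page are used.
policies:
  # All three filters must match: a security group that has no owner
  # and contains external members. member-types needs
  # GroupMember.Read.All and User.Read.All; owner-count needs Group.Read.All.
  - name: ownerless-security-groups-with-external-members
    resource: azure.entraid-group
    description: Security groups with no owner that contain external members.
    filters:
      - type: group-type
        group-type: security
      - type: owner-count
        count: 0
        op: equal
      - type: member-types
        include-external: true

  # The `or` block widens the type match: ownerless groups that are
  # either security groups or dynamic groups.
  - name: ownerless-security-or-dynamic-groups
    resource: azure.entraid-group
    filters:
      - type: owner-count
        count: 0
        op: equal
      - or:
          - type: group-type
            group-type: security
          - type: group-type
            group-type: dynamic
```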