azure.entraid-user

EntraID User resource for managing users.

Supports filtering by user properties, authentication methods, group memberships, and security settings. See Common EntraID Examples section for additional patterns.

Available filters: value, auth-methods, risk-level, last-sign-in, group-membership, password-age

Available actions: disable, require-mfa

Permissions: See Graph API Permissions Reference section.

example:

Find users with multiple security issues:

policies:
  - name: high-risk-users-no-mfa
    resource: azure.entraid-user
    filters:
      - type: mfa-enabled
        value: false
      - type: risk-level
        value: high
    actions:
      - type: require-mfa

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Use ‘all’ as the category to select recommendations from all categories.

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'

properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

group-membership

Filter users based on group membership.

Required permission: GroupMember.Read.All or Directory.Read.All

example:

Find users in admin groups:

policies:
  - name: admin-group-members
    resource: azure.entraid-user
    filters:
      - type: group-membership
        groups: ['Global Administrators', 'User Administrators']
        match: any

properties:
  groups:
    items:
      type: string
    type: array
  match:
    enum:
    - any
    - all
    type: string
  type:
    enum:
    - group-membership
required:
- type

last-sign-in

Filter users based on last sign-in activity.

example:

Find users who haven’t signed in for 90+ days:

policies:
  - name: inactive-users
    resource: azure.entraid-user
    filters:
      - type: last-sign-in
        days: 90
        op: greater-than

properties:
  days:
    type: number
  op:
    enum:
    - greater-than
    - less-than
    - equal
    type: string
  type:
    enum:
    - last-sign-in
required:
- type

password-age

Filter users based on password age.

example:

Find users with passwords older than 180 days:

policies:
  - name: old-password-users
    resource: azure.entraid-user
    filters:
      - type: password-age
        days: 180
        op: greater-than

properties:
  days:
    type: number
  op:
    enum:
    - greater-than
    - less-than
    - equal
    type: string
  type:
    enum:
    - password-age
required:
- type

risk-level

Filter users by Identity Protection risk level.

Requires: IdentityRiskyUser.Read.All

example:

filters:
  - type: risk-level
    value: high

properties:
  type:
    enum:
    - risk-level
  value:
    enum:
    - none
    - low
    - medium
    - high
    type: string
required:
- type
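
The group-membership, last-sign-in, password-age and risk-level sections above each describe a matching rule but not how those rules behave on real records, in particular what happens to a user who has never signed in. The following is an added illustration, not Cloud Custodian's own code: it models the semantics those sections describe (days/op comparison, any/all group matching, risk-level equality, and the implicit AND between a policy's top-level filters) over a few constructed user records whose field names mirror the Microsoft Graph user properties. How a missing sign-in timestamp is treated is this example's own assumption and is exposed as a parameter.

```python
"""Model of how the azure.entraid-user filters on this page combine.

Added illustration, not Cloud Custodian's code. Sample users are constructed;
the handling of users with no sign-in record is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample users (not real tenant data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = [
    {"userPrincipalName": "alice@example.com",
     "lastSignInDateTime": NOW - timedelta(days=5),
     "lastPasswordChangeDateTime": NOW - timedelta(days=200),
     "groups": {"Global Administrators"}, "riskLevel": "high"},
    {"userPrincipalName": "bob@example.com",
     "lastSignInDateTime": NOW - timedelta(days=120),
     "lastPasswordChangeDateTime": NOW - timedelta(days=30),
     "groups": {"User Administrators"}, "riskLevel": "none"},
    {"userPrincipalName": "svc-legacy@example.com",
     "lastSignInDateTime": None,   # never signed in: no timestamp at all
     "lastPasswordChangeDateTime": NOW - timedelta(days=400),
     "groups": set(), "riskLevel": "low"},
]

# The three comparison operators the last-sign-in and password-age filters accept.
OPS = {
    "greater-than": lambda a, b: a > b,
    "less-than": lambda a, b: a < b,
    "equal": lambda a, b: a == b,
}


def age_in_days(when, now=NOW):
    """Whole days elapsed since `when`; None when the timestamp is missing."""
    if when is None:
        return None
    return (now - when).days


def match_age(when, days, op, missing_matches=True):
    """Apply a days/op comparison as last-sign-in and password-age do.

    A user with no timestamp has an undefined age. Assumption for this
    illustration: such a user matches only `greater-than` checks (they are at
    least as stale as any threshold) and only when missing_matches is True.
    """
    age = age_in_days(when)
    if age is None:
        return missing_matches and op == "greater-than"
    return OPS[op](age, days)


def match_groups(user_groups, groups, match="any"):
    """any: user is in at least one listed group; all: in every listed group."""
    wanted = set(groups)
    hits = user_groups & wanted
    return bool(hits) if match == "any" else hits == wanted


# Dispatch table keyed by the filter `type` used in the policy YAML.
FILTERS = {
    "last-sign-in": lambda u, f: match_age(u["lastSignInDateTime"], f["days"], f["op"]),
    "password-age": lambda u, f: match_age(u["lastPasswordChangeDateTime"], f["days"], f["op"]),
    "group-membership": lambda u, f: match_groups(u["groups"], f["groups"], f.get("match", "any")),
    "risk-level": lambda u, f: u["riskLevel"] == f["value"],
}


def select(users, filters):
    """Top-level policy filters are ANDed: a user is returned only when every
    filter in the list matches."""
    return [u["userPrincipalName"] for u in users
            if all(FILTERS[f["type"]](u, f) for f in filters)]


if __name__ == "__main__":
    inactive = [{"type": "last-sign-in", "days": 90, "op": "greater-than"}]
    print("inactive:", select(USERS, inactive))
    risky_admins = [
        {"type": "group-membership",
         "groups": ["Global Administrators", "User Administrators"], "match": "any"},
        {"type": "risk-level", "value": "high"},
    ]
    print("risky admins:", select(USERS, risky_admins))
```

The never-signed-in case is the one to decide deliberately before running a disable action on inactive users: with `missing_matches=True` a freshly created account that has not yet logged in is swept up by the 90-day rule alongside genuinely dormant ones, so an exclusion on creation date or a `less-than` guard on account age belongs in the same policy.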

Actions

disable

Disable EntraID users.

example:

Disable inactive users:

policies:
  - name: disable-inactive-users
    resource: azure.entraid-user
    filters:
      - type: last-sign-in
        days: 90
        op: greater-than
    actions:
      - type: disable

properties:
  type:
    enum:
    - disable
required:
- type

Permissions - User.ReadWrite.All

require-mfa

Check MFA status for EntraID users and provide guidance.

This action checks if users have MFA methods configured and provides recommendations for Conditional Access policy creation rather than attempting direct MFA enforcement.

example:

Check MFA status for admin users:

policies:
  - name: admin-mfa-status
    resource: azure.entraid-user
    filters:
      - type: group-membership
        groups: ['Global Administrators']
    actions:
      - type: require-mfa

properties:
  type:
    enum:
    - require-mfa
required:
- type

Permissions - UserAuthenticationMethod.Read.All
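
The require-mfa action above is described as checking which authentication methods a user has registered and reporting guidance rather than enforcing anything. The following is an added illustration of that check, not Cloud Custodian's code: it classifies a Microsoft Graph authentication-methods listing (the `{"value": [...]}` shape returned by `GET /users/{id}/authentication/methods`, which is what UserAuthenticationMethod.Read.All grants) into MFA-capable and non-MFA methods. The `@odata.type` names are the real Graph method types; the sample responses are constructed, and which types count as satisfying an MFA challenge is this example's own classification.

```python
"""Report MFA registration status from a Graph authentication-methods listing.

Added illustration, not Cloud Custodian's code. Sample responses are
constructed; the MFA-capable / not-MFA split is this example's classification.
"""

# Method types that can satisfy an MFA challenge. The password method is the
# first factor, and the email method is used for self-service password reset
# only, so neither of those counts.
MFA_CAPABLE = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
}
NOT_MFA = {
    "#microsoft.graph.passwordAuthenticationMethod",
    "#microsoft.graph.emailAuthenticationMethod",
}

# Constructed responses in Graph's {"value": [...]} envelope, one per user.
SAMPLE_METHODS = {
    "alice@example.com": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
         "displayName": "Pixel 7"},
    ]},
    "bob@example.com": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        # Email is SSPR-only: bob still has no second factor for sign-in.
        {"@odata.type": "#microsoft.graph.emailAuthenticationMethod",
         "emailAddress": "bob.personal@example.net"},
    ]},
    "carol@example.com": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        # A type this classifier has not seen; flagged rather than guessed at.
        {"@odata.type": "#microsoft.graph.someFutureMethod"},
    ]},
}


def mfa_status(methods_response):
    """Return (has_mfa, mfa_types, unknown_types) for one user's listing."""
    types = {m.get("@odata.type", "") for m in methods_response.get("value", [])}
    mfa = sorted(types & MFA_CAPABLE)
    unknown = sorted(types - MFA_CAPABLE - NOT_MFA)
    return bool(mfa), mfa, unknown


def recommend(user, methods_response):
    """Build the guidance string the action reports instead of enforcing."""
    has_mfa, mfa, unknown = mfa_status(methods_response)
    if has_mfa:
        msg = f"{user}: MFA-capable methods registered: {', '.join(mfa)}"
    else:
        msg = (f"{user}: no MFA-capable method registered; cover the account with "
               f"a Conditional Access policy that requires MFA and prompt registration")
    if unknown:
        msg += f" (unrecognised method types, review manually: {', '.join(unknown)})"
    return has_mfa, msg


def run(all_methods=SAMPLE_METHODS):
    """Evaluate every user; returns {upn: (has_mfa, guidance)}."""
    return {user: recommend(user, resp) for user, resp in all_methods.items()}


if __name__ == "__main__":
    for user, (ok, msg) in run().items():
        print(("OK   " if ok else "GAP  ") + msg)
```

Treating unknown method types as "review manually" rather than as MFA keeps the report conservative when Graph adds a method type the classifier predates; the alternative, counting anything that is not a password as a second factor, is what lets an email-only registration pass as MFA.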