Integrate Microsoft Entra ID with Google SecOps

This document provides guidance on how to integrate Microsoft Entra ID with Google Security Operations (Google SecOps).

Integration version: 17.0

This integration uses one or more open source components. You can download a zipped copy of the full source code of this integration from the Cloud Storage bucket .

Use cases

Integrating Microsoft Entra ID with Google SecOps can help you solve the following use cases:

User account management:use the Google SecOps capabilities to automate the disabling and enabling of user accounts in Microsoft Entra ID based on security events, such as suspected compromise or employee offboarding.
Password reset:use the Google SecOps capabilities to orchestrate password resets for compromised accounts or users locked out of their accounts. Resetting passwords can help you streamline the password recovery process and reduce help desk tickets.
Group management:use the Google SecOps capabilities to automate creating, modificating, and deleting Microsoft Entra ID groups.
Conditional access policy enforcement:use the Microsoft Entra ID conditional access policies within Google SecOps playbooks to dynamically control access based on context and allow for granular control over access to resources based on factors like location, device, and user risk.
Security alerting and incident response:integrate the Microsoft Entra ID security alerts into Google SecOps to automate incident response workflows.

Before you begin

Before configuring the integration in the Google SecOps platform, complete the following steps:

Configure network access.
Create the Microsoft Entra app.
Configure the API permissions for your app.
Create a client secret.

Configure network access

To enable the API access from Google SecOps to Microsoft Entra ID, allow the traffic over the 443 port.

Create Microsoft Entra application

Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the application.
Click Register.
Save the Application (client) IDand Directory (tenant) IDvalues to use them later when configuring the integration parameters .

Configure API permissions

Go to API Permissions > Add a permission.
Select Microsoft Graph > Application permissions.
In the Select Permissionssection, select the following permissions:
- Directory.Read.All
- Directory.ReadWrite.All
- Group.ReadWrite.All
- User.ReadWrite.All
  
  These permissions are not sufficient to run the password-related actions. To run the Force Password Update and Reset User Password actions, assign the Password Administrator role to your application using the Roles and administratorssearch in Microsoft Entra ID.
  
  For more details about permissions, see Microsoft Graph permissions reference and Sensitive actions .
Click Add permissions.
Click Grant admin consent for YOUR_ORGANIZATION_NAME .

When the Grant admin consent confirmationdialog appears, click Yes.

Create client secret

Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when configuring the integration. The client secret value is only displayed once.

Integrate Microsoft Entra ID with Google SecOps

The Microsoft Entra ID integration requires the following parameters:

Parameter	Description
`Client ID`	Required The application (client) ID value of your Microsoft Entra ID account.
`Client Secret`	Required The client secret value of your Microsoft Entra ID account.
`Directory ID`	Required The directory (tenant) ID value of your Microsoft Entra ID account.
`Verify SSL`	Optional If selected, the integration verifies that the SSL certificate used to connect to the Microsoft Entra ID server is valid. Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations .

You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances .

Actions

For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action .

Add User to a Group

Use the Add User to a Groupaction to add a user to the specific Microsoft Entra ID group. This action expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Action inputs

The Add User to a Groupaction requires the following parameters:

Parameter	Description
`Group ID`	Required The ID of the Microsoft Entra ID group to add the user to, such as `00e40000-1971-439d-80fc-d0e000001dbd` .

Action outputs

The Add User to a Groupaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Add User to a Groupaction can return the following output messages:

Output message Message description

Output message	Message description
`Member USER_ID was added to the group GROUP_ID successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Member could not be added successfully.`	The action failed. Check the connection to the server, input parameters, or credentials.

Member USER_ID was added to the group GROUP_ID successfully.

Some errors occurred. Please check the logs.

The action succeeded.

Member could not be added successfully.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add User to a Groupaction:

Script result name	Value
`is_success`	`True` or `False`

Disable Account

Use the Disable Accountaction to disable an account in Microsoft Entra ID. This action expects you to configure the User entity in the username@domain format.

To run the Disable Accountaction, grant administrative privileges to the Microsoft Entra ID account that you use in the integration.

This action runs on the Google SecOps User entity.

Configure additional permissions

The Disable Accountaction requires you to additionally configure the following API permission for the application:

User.EnableDisableAccount.All

For guidance on how to configure API permissions in Microsoft Entra ID, see the Configure API permissions section of this document.

Action inputs

None.

Action outputs

The Disable Accountaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Disable Accountaction can return the following output messages:

Output message Message description

Output message	Message description
`User account disabled successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Disable user account was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

User account disabled successfully.

Some errors occurred. Please check the logs.

The action succeeded.

Disable user account was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Disable Accountaction:

Script result name	Value
`is_success`	`True` or `False`

Enable Account

Use the Enable Accountaction to enable an account in Microsoft Entra ID. This action expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Configure additional permissions

The Enable Accountaction requires you to additionally configure the following API permission for the application:

User.EnableDisableAccount.All

For guidance on how to configure API permissions in Microsoft Entra ID, see the Configure API permissions section of this document.

Action inputs

None.

Action outputs

The Enable Accountaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Enable Accountaction can return the following output messages:

Output message Message description

Output message	Message description
`User account was enabled successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Enable user account was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

User account was enabled successfully.

Some errors occurred. Please check the logs.

The action succeeded.

Enable user account was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enable Accountaction:

Script result name	Value
`is_success`	`True` or `False`

Enrich Host

Use the Enrich Hostaction to enrich the Google SecOps Host entity with information from Microsoft Entra ID. This action finds a match for a provided Host entity using on the device displayName field in Microsoft Entra ID.

This action runs on the Google SecOps Host entity.

Action inputs

None.

Action outputs

The Enrich Hostaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Entity enrichment table

The Enrich Hostaction supports the following entity enrichment:

Enrichment field	Logic
`AAD_Name`	Returns if it exists in the JSON result.
`AAD_Enabled`	Returns if it exists in the JSON result.
`AAD_Property Device ID`	Returns if it exists in the JSON result.
`AAD_OS`	Returns if it exists in the JSON result.
`AAD_Version`	Returns if it exists in the JSON result.
`AAD_Profile Type`	Returns if it exists in the JSON result.
`AAD_Compliant`	Returns if it exists in the JSON result.
`AAD_Last Sign In`	Returns if it exists in the JSON result.

JSON result

The following example shows the JSON result output received when using the Enrich Hostaction:

  [ 
  
 { 
  
 "EntityResult" 
 : 
  
 { 
  
 "deletedDateTime" 
 : 
  
 "1234569" 
 , 
  
 "complianceExpirationDateTime" 
 : 
  
 "1234567" 
 , 
  
 "profileType" 
 : 
  
 "RegisteredDevice" 
 , 
  
 "key" 
 : 
  
 "007" 
 , 
  
 "if" 
 : 
 "889922-aaaa-123123" 
  
 }, 
  
 "Entity" 
 : 
  
 "us-lt-v13001" 
  
 } 
 ]

Output messages

The Enrich Hostaction can return the following output messages:

Output message Message description

Output message	Message description
`Host details were fetched successfully: HOSTNAME .` `Some errors occurred. Please check log.`	The action succeeded.
`Host details were not found.`	The action failed. Check the connection to the server, input parameters, or credentials.

Host details were fetched successfully: HOSTNAME .

Some errors occurred. Please check log.

The action succeeded.

Host details were not found.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enrich Hostaction:

Script result name	Value
`is_success`	`True` or `False`

Enrich User

Use the Enrich Useraction to enrich the Google SecOps User entity with information from Microsoft Entra ID. This action expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps Host entity.

Action inputs

None.

Action outputs

The Enrich Useraction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Entity enrichment table

The Enrich Useraction supports the following entity enrichment:

Enrichment field	Logic
`AAD_Name`	Returns if it exists in the JSON result.
`AAD_Mobile Phone`	Returns if it exists in the JSON result.
`AAD_Preferred Language`	Returns if it exists in the JSON result.
`AAD_Job Title`	Returns if it exists in the JSON result.
`AAD_Username`	Returns if it exists in the JSON result.

JSON result

The following example shows the JSON result output received when using the Enrich Useraction:

  [ 
  
 { 
  
 "EntityResult" 
 : 
  
 { 
  
 "displayName" 
 : 
  
 "Test User" 
 , 
  
 "mobilePhone" 
 : 
  
 "(800) 555-0175" 
 , 
  
 "preferredLanguage" 
 : 
  
 "English" 
 , 
  
 "jobTitle" 
 : 
  
 "Engineer" 
 , 
  
 "userPrincipalName" 
 : 
 "ser@example.com" 
  
 }, 
  
 "Entity" 
 : 
  
 "user@example.com" 
  
 } 
 ]

Output messages

The Enrich Useraction can return the following output messages:

Output message Message description

Output message	Message description
`User details were fetched successfully: USERNAME .` `Some errors occurred. Please check the logs.`	The action succeeded.
`Users list fetch was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

User details were fetched successfully: USERNAME .

Some errors occurred. Please check the logs.

The action succeeded.

Users list fetch was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enrich Useraction:

Script result name	Value
`is_success`	`True` or `False`

Force Password Update

Use the Force Password Updateaction to force a password update for the user. This action requires the user to change their password on the next sign-in attempt.

The Force Password Updateaction expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Configure additional permissions

The Force Password Updateaction requires you to additionally configure the following API permission for the application:

User-PasswordProfile.ReadWrite.All

For guidance on how to configure API permissions in Microsoft Entra ID, see the Configure API permissions section of this document.

Assign a role to your application

The Force Password Updateaction requires you to assign the Password Administrator role to your application.

To assign the Password Administrator role to your application, complete the following steps:

Sign in to the Azure portal using your Microsoft account.
In Microsoft Entra ID, search for Roles and administrators.
Select or search for the Password Administrator role from the list.
Click Add Assignment.
Select an account (member) that you use in the integration and click Next.
Enter justification for assigning a role.
Click Assign.

Action inputs

None.

Action outputs

The Force Password Updateaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Force Password Updateaction can return the following output messages:

Output message Message description

Output message	Message description
`Force password update on the user was successful.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Attempt to Force user password update was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

Force password update on the user was successful.

Some errors occurred. Please check the logs.

The action succeeded.

Attempt to Force user password update was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Force Password Updateaction:

Script result name	Value
`is_success`	`True` or `False`

Get Manager Contact Details

Use the Get Manager Contact Detailsaction to obtain the manager contact details for the user.

The Get Manager Contact Detailsaction expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Action inputs

None.

Action outputs

The Get Manager Contact Detailsaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The Get Manager Contact Detailsaction can return the following table in Google SecOps:

Table name: Manager contact

Columns:

Name
Phone number

Entity enrichment table

The Get Manager Contact Detailsaction supports the following entity enrichment:

Enrichment field	Logic
`Display Name`	Returns if it exists in the JSON result.
`Mobile Phone`	Returns if it exists in the JSON result.
`@odata.context`	Returns if it exists in the JSON result.
`AAD_Job Title`	Returns if it exists in the JSON result.
`AAD_Username`	Returns if it exists in the JSON result.

JSON result

The following example shows the JSON result output received when using the Get Manager Contact Detailsaction:

  [ 
  
 { 
  
 "EntityResult" 
 : 
  
 { 
  
 "displayName" 
 : 
  
 "manager@example.com" 
 , 
  
 "mobilePhone" 
 : 
  
 "(800) 555-0175" 
 , 
  
 "@odata.context" 
 : 
  
 "graph.microsoft.com" 
  
 }, 
  
 "Entity" 
 : 
  
 "user@example.com" 
  
 } 
 ]

Output messages

The Get Manager Contact Detailsaction can return the following output messages:

Output message Message description

Output message	Message description
`User manager details were fetched successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Could not fetch user manager's details successfully.`	The action failed. Check the connection to the server, input parameters, or credentials.

User manager details were fetched successfully.

Some errors occurred. Please check the logs.

The action succeeded.

Could not fetch user manager's details successfully.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Manager Contact Detailsaction:

Script result name	Value
`is_success`	`True` or `False`

Is User in Group

Use the Is User in Groupaction to check if the user has membership in a specific Microsoft Entra ID group. This action expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Action inputs

The Is User in Groupaction requires the following parameters:

Parameter	Description
`Group ID`	Required The ID of the Microsoft Entra ID group to add the user to, such as `00e40000-1971-439d-80fc-d0e000001dbd` .

Action outputs

The Is User in Groupaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Is User in Groupaction:

  [ 
  
 { 
  
 "EntityResult" 
 : 
  
 "true" 
 , 
  
 "Entity" 
 : 
  
 "user@example.com" 
  
 } 
 ]

Output messages

The Is User in Groupaction can return the following output messages:

Output message Message description

Output message	Message description
`The following user was found in the group: USER_ID .` `Some errors occurred. Please check the logs.`	The action succeeded.
`User was not found in the group.`	The action failed. Check the connection to the server, input parameters, or credentials.

The following user was found in the group: USER_ID .

Some errors occurred. Please check the logs.

The action succeeded.

User was not found in the group.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Is User in Groupaction:

Script result name	Value
`is_success`	`True` or `False`

List Groups

Use the List Groupsaction to list Microsoft Entra ID groups using the specified search criteria.

For the List Groupsaction, filtering works with the Name field.

This action doesn't run on Google SecOps entities.

Action inputs

The List Groupsaction requires the following parameters:

Parameter

Description

Order By

Optional

The order to sort the returned groups by their name.

The default value is ASC .

The possible values are as follows:

DESC
ASC

Results Limit

Optional

The maximum number of groups to return.

Filter Logic

Optional

The logic to filter groups by their name.

The default value is Equal .

The possible values are as follows:

Equal
Contains

Filter Value

Optional

The value to filter groups using the selected filter logic. This value applies to the group name.

If you select Equal , the action attempts to find the exact match among results. If you select Contain , the action attempts to find results that contain the provided substring.

If you don't set a value, the filter doesn't apply.

Action outputs

The List Groupsaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Groupsaction can return the following table in Google SecOps:

Table name: Groups

Columns:

Name
ID
Description
Mail
Created Time
Group Type

Entity enrichment table

The List Groupsaction supports the following entity enrichment:

Enrichment field	Logic
`Group Type`	Returns if it exists in the JSON result.
`ID`	Returns if it exists in the JSON result.
`Name`	Returns if it exists in the JSON result.
`Description`	Returns if it exists in the JSON result.
`Created Time`	Returns if it exists in the JSON result.

JSON result

The following example shows the JSON result output received when using the List Groupsaction:

  [ 
  
 { 
  
 "Group Type" 
 : 
  
 "managed" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Name" 
 : 
  
 "Example" 
 , 
  
 "Description" 
 : 
  
 "Example" 
 , 
  
 "Created Time" 
 : 
 "2019-10-24T19:10:18Z" 
  
 } 
 ]

Output messages

The List Groupsaction can return the following output messages:

Output message Message description

Output message	Message description
`Groups list was fetched successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`Groups list fetch was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

Groups list was fetched successfully.

Some errors occurred. Please check the logs.

The action succeeded.

Groups list fetch was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Groupsaction:

Script result name	Value
`is_success`	`True` or `False`

List Members in the Group

Use the List Members in the Groupaction to list members in the specified Microsoft Entra ID group.

The filtering logic works based on the Filter Key parameter value.

This action doesn't run on Google SecOps entities.

Action inputs

The List Members in the Groupaction requires the following parameters:

Parameter

Description

Max Records To Return

Optional

The maximum number of records to return.

The default value is 50.

Group Name

Optional

The name of the Microsoft Entra ID group to list members.

Group ID

Optional

The ID of the Microsoft Entra ID group to list members. If you configure both the Group Name and Group ID parameters, the action uses the Group ID parameter value.

Filter Key

Optional

The field to filter group members by, such as User Display Name .

The possible values are as follows:

Select One
User Display Name
User Principal Name
User Mail Name

Filter Logic

Optional

The logic to apply to the filter.

The possible values are as follows:

Not Specified
Equal
Contains

Filter Value

Optional

The value to use for filtering group members based on the selected Filter Key and Filter Logic parameter values.

If you select Equal , the action attempts to find the exact match among results. If you select Contain , the action attempts to find results that contain the provided substring.

If you don't set a value, the filter doesn't apply.

Action outputs

The List Members in the Groupaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Members in the Groupaction can return the following table in Google SecOps:

Table name: Available members of the group

Columns:

ID
User Principal Name
Display Name
Surname
Given Name
Mail
Job Title
Business Phones
Mobile Phone
Office Location
Preferred Language

JSON result

The following example shows the JSON result output received when using the List Members in the Groupaction:

  { 
  
 "@odata.context" 
 : 
  
 "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)" 
 , 
  
 "value" 
 : 
  
 [ 
  
 " ID 
" 
 , 
  
 " ID 
" 
 , 
  
 " ID 
" 
 , 
  
 ] 
 }

Output messages

The List Members in the Groupaction can return the following output messages:

Output message Message description

Output message	Message description
`Successfully found members for the provided criteria in Azure AD group.` `No members were found for the provided criteria in Azure AD group.` `The filter was not applied, because parameter "Filter Value" has an empty value.`	The action succeeded.
`Error executing action "List Members in the Group". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully found members for the provided criteria in Azure AD group.

No members were found for the provided criteria in Azure AD group.

The filter was not applied, because parameter "Filter Value" has an empty value.

The action succeeded.

Error executing action "List Members in the Group". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Members in the Groupaction:

Script result name	Value
`is_success`	`True` or `False`

List User's Groups Membership

Use the List User's Groups Membershipaction to list the Microsoft Entra ID groups of which the user is a member.

You can provide the username as an entity or an action input parameter. If you configure the username as both the entity and the input parameter, the action uses the input parameter.

To configure the username, follow the username@domain format.

This action runs on the Google SecOps Username entity.

Action inputs

The List User's Groups Membershipaction requires the following parameters:

Parameter

Description

User Name

Optional

A comma-separated list of usernames to retrieve group memberships for, such as username@domain . If you don't set a value, the action uses the user identifiers from the Username entity.

Return Only Security Enabled Groups

Optional

If selected, the action returns only security-enabled groups to which the user belongs.

Not selected by default.

Return Detailed Groups Information

Optional

If selected, the action returns detailed information about the Microsoft Entra ID groups.

Not selected by default.

Filter Key

Optional

The key to use for filtering groups.

The default value is Select One .

The possible values are as follows:

Select One
Group Display Name
Group Description

Filter Logic

Optional

The logic to apply when filtering the groups.

The default value is Not Specified .

Possible values are as follows:

Not Specified
Equal
Contains

Filter Value

Optional

The value to use for filtering groups.

If you select Equal , the action attempts to find the exact match among results. If you select Contain , the action attempts to find results that contain the provided substring.

If you don't set a value, the filter doesn't apply.

Max Records To Return

Optional

The maximum number of records to return. If you don't set a value, the action returns 50 records by default.

Action outputs

The List User's Groups Membershipaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List User's Groups Membershipaction can return the following table in Google SecOps:

Table name: Group Memberships

Columns:

ID
Display Name
Description
Security Enabled
Security Identifier
Created DateTime
Classification
Visibility
Mail
Mail Enabled
Mail Nickname

JSON result

The following example shows the JSON result output received when using the List User's Groups Membershipaction:

  { 
  
 "@odata.context" 
 : 
  
 "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)" 
 , 
  
 "value" 
 : 
  
 [ 
  
 " ID 
" 
 , 
  
 " ID 
" 
 , 
  
 " ID 
" 
 , 
  
 ] 
 }

Output messages

The List User's Groups Membershipaction can return the following output messages:

Output message Message description

Output message	Message description
`Successfully found groups for the provided criteria for the following entities: ENTITY_ID` `The following entities were not found in the Azure AD: ENTITY_ID` `No groups were found in Azure Active Directory for the following entities: ENTITY_ID` `The filter was not applied, because parameter "Filter Value" has an empty value.`	The action succeeded.
`Error executing action "List User's Groups Membership". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully found groups for the provided criteria for the following entities: ENTITY_ID

The following entities were not found in the Azure AD: ENTITY_ID

No groups were found in Azure Active Directory for the following entities: ENTITY_ID

The filter was not applied, because parameter "Filter Value" has an empty value.

The action succeeded.

Error executing action "List User's Groups Membership". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List User's Groups Membershipaction:

Script result name	Value
`is_success`	`True` or `False`

List Users

Use the List Usersaction to list Microsoft Entra ID users using the specified search criteria.

For the List Usersaction, filtering works with the Username ( userPrincipalName ) field.

This action doesn't run on Google SecOps entities.

Action inputs

The List Usersaction requires the following parameters:

Parameter

Description

Filter

Optional

The fields to include in the results.

The default value is All Fields .

The possible values are as follows:

All Fields
displayName
userPrincipalName
id
jobTitle
mail
mobilePhone
preferredLanguage
surname
givenName

Order By Field

Optional

The field to order the results by.

The default value is displayName .

The possible values are as follows:

displayName
userPrincipalName

Order By

Optional

The order of the results (ascending or descending).

The default value is ASC .

The possible values are as follows:

DESC
ASC

Results Limit

Optional

The maximum number of users to return.

Advanced Filter Logic

Optional

The logic to use for advanced filtering that applies to the Username ( userPrincipalName ) field.

The default value is Equal .

Possible values are as follows:

Equal
Contains

Advanced Filter Value

Optional

The value to use in the advanced filter for the Username ( userPrincipalName ) field.

If you select Equal , the action attempts to find the exact match among results. If you select Contain , the action attempts to find results that contain the provided substring.

If you don't set a value, the filter doesn't apply.

Action outputs

The List Usersaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Entity enrichment table	Available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Usersaction can return the following table in Google SecOps:

Table name: Users

Columns:

Name
Username
ID
Given name
Preferred language
Mail
Mobile Phone
Surname
Job Title

Entity enrichment table

The List Usersaction supports the following entity enrichment:

Enrichment field	Logic
`Username`	Returns if it exists in the JSON result.
`Surname`	Returns if it exists in the JSON result.
`Name`	Returns if it exists in the JSON result.
`Job Title`	Returns if it exists in the JSON result.
`Mail`	Returns if it exists in the JSON result.

JSON result

The following example shows the JSON result output received when using the List Usersaction:

  [ 
  
 { 
  
 "Group Type" 
 : 
  
 "managed" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Name" 
 : 
  
 "Example" 
 , 
  
 "Description" 
 : 
  
 "Example" 
 , 
  
 "Created Time" 
 : 
 "2019-10-24T19:10:18Z" 
  
 } 
 ]

Output messages

The List Usersaction can return the following output messages:

Output message Message description

Output message	Message description
`List of users was fetched successfully.` `Some errors occurred. Please check the logs.`	The action succeeded.
`User list fetch was not successful.`	The action failed. Check the connection to the server, input parameters, or credentials.

List of users was fetched successfully.

Some errors occurred. Please check the logs.

The action succeeded.

User list fetch was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Usersaction:

Script result name	Value
`is_success`	`True` or `False`

Ping

Use the Pingaction to test the connectivity to Microsoft Entra ID.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Pingaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Pingaction can return the following output messages:

Output message Message description

Output message	Message description
`Connection established successfully.`	The action succeeded.
`Connection could not be established successfully.`	The action failed. Check the connection to the server, input parameters, or credentials.

Connection established successfully.

The action succeeded.

Connection could not be established successfully.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Pingaction:

Script result name	Value
`is_success`	`True` or `False`

Remove User from the Group

Use the Remove User from the Groupaction to remove a user from the specified group in Microsoft Entra ID.

You can provide the username as an entity or an action input parameter. If you configure the username as both the entity and the input parameter, the action uses the input parameter.

To configure the username, follow the username@domain format.

This action runs on the Google SecOps Username entity.

Action inputs

The Remove User from the Groupaction requires the following parameters:

Parameter Description

Parameter	Description
`User Name`	Optional A comma-separated string of usernames to remove from the specified group. To configure this parameter value, use the `username@domain` format. If you don't set a value, the action runs on the usernames of the user entities from an action incident.
`Group Name`	Optional The name of the group to remove the user from.
`Group ID`	Optional The ID of the group to remove the user from. If you set both the `Group Name` and `Group ID` parameters, the action prioritizes the `Group ID` value.

User Name

Optional

A comma-separated string of usernames to remove from the specified group. To configure this parameter value, use the username@domain format.

If you don't set a value, the action runs on the usernames of the user entities from an action incident.

Group Name

Optional

The name of the group to remove the user from.

Group ID

Optional

The ID of the group to remove the user from.

If you set both the Group Name and Group ID parameters, the action prioritizes the Group ID value.

Action outputs

The Remove User from the Groupaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Remove User from the Groupaction can return the following output messages:

Output message Message description

Output message	Message description
`Successfully removed the following entities from the Azure AD group: ENTITY_ID` `The following entities were not found in the Azure AD: ENTITY_ID` `No usernames were removed from the Azure AD group.`	The action succeeded.
`Error executing action "Remove User from the Group". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully removed the following entities from the Azure AD group: ENTITY_ID

The following entities were not found in the Azure AD: ENTITY_ID

No usernames were removed from the Azure AD group.

The action succeeded.

Error executing action "Remove User from the Group". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Remove User from the Groupaction:

Script result name	Value
`is_success`	`True` or `False`

Reset User Password

Use the Reset User Passwordaction to reset the user password to the one that you specify in the action. This action requires the user to change their password on the next sign-in attempt.

The Reset User Passwordaction expects you to configure the User entity in the username@domain format.

This action runs on the Google SecOps User entity.

Assign a role to your application

The Reset User Passwordaction requires you to assign the Password Administrator role to your application.

To assign the Password Administrator role to your application, complete the following steps:

Sign in to the Azure portal using your Microsoft account.
In Microsoft Entra ID, search for Roles and administrators.
Select or search for the Password Administrator role from the list.
Click Add Assignment.
Select an account (member) that you use in the integration and click Next.
Enter justification for assigning a role.
Click Assign.

Action inputs

The Reset User Passwordaction requires the following parameters:

Parameter	Description
`Password`	Required The new password to set for the user.

Action outputs

The Reset User Passwordaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Reset User Passwordaction can return the following output messages:

Output message Message description

User password was reset successfully.

Some errors occurred. Please check the logs.

The action succeeded.

User password reset was not successful.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Reset User Passwordaction:

Script result name	Value
`is_success`	`True` or `False`

Revoke User Session

Use the Revoke User Sessionaction to revoke a user session.

This action runs on the following Google SecOps entities:

Username
Email Address

Action inputs

None.

Action outputs

The Revoke User Sessionaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following examples show the JSON result outputs received when using the Revoke User Sessionaction:

If the user exists:

  { 
  
 "@odata.context" 
 : 
  
 "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean" 
 , 
  
 "value" 
 : 
  
 true 
 }

If the user is not found:

  { 
  
 "error" 
 : 
  
 "User not found." 
 }

Output messages

The Revoke User Sessionaction can return the following output messages:

Output message Message description

Successfully revoked sessions for the following users in Azure AD: ENTITY_ID

Action wasn't able to find the following users in Azure AD: ENTITY_ID

None of the provided users were found in Azure AD.

The action succeeded.

Error executing action "Revoke User Session". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Revoke User Sessionaction:

Script result name	Value
`is_success`	`True` or `False`

Need more help? Get answers from Community members and Google SecOps professionals.