Microsoft Entra ID (Azure Active Directory)
LAST UPDATED: DECEMBER 8, 2025
Overview
Microsoft Entra ID (previously Azure Active Directory) is a cloud-based identity and access management service to help users access internal and external resources.
D3 SOAR is providing REST operations to function with Microsoft Entra ID.
Microsoft Entra ID is available for use in:
Known Limitations
Microsoft Entra ID v2.0 is not supported for cloud-solution-provider apps. CSP apps must use the v1.0 endpoint to obtain tokens for Microsoft Graph, and D3 may introduce v2.0-based commands in the future.
Microsoft Entra ID does not allow creating a resource and an open extension in the same request. Create the resource first and then add the open extension in a separate POST request.
Microsoft Entra ID permits up to 100 schema-extension property values per resource instance.
Refer to Microsoft Entra ID Limits and Restrictions for detailed information.
Connection
Gather the following information to connect D3 SOAR to Microsoft Entra ID.
Parameter | Description | Example |
Default (Grant Type: Client Credentials) | ||
Tenant ID | The tenant ID to authenticate the API connection. | f62-*****-kY8 |
Grant Type | The grant type to authenticate the API connection. By default, the value is set to Client Credentials. | Client Credentials |
Client ID | The client ID to authenticate the API connection. | 9c8*****f8a |
Client Secret | The client secret to authenticate the API connection. | o14*****817 |
API Version | The version of the API to use for the connection. | v1.0 |
Grant Type: Authorization Code | ||
Authentication Code | The authorization code for OAuth2.0 authentication. Click the Get Authorization button on the Connection form to automatically generate an authorization code. | 2kP*****gAA |
Callback URL | The callback URL used for the Authentication Code grant type. Add this URL to the Azure app’s Redirect URIs. | https://*****/*****Callback.aspx |
Refresh Token | The refresh token for authentication used for the Authentication Code grant type. After obtaining an authorization code on the Connection form, click the Get Refresh Token button to generate it automatically. | 0.AX*****5Yg |
Permission Requirements
Each endpoint in the Microsoft Entra ID API requires certain permission scopes. Users should rely on the links in the API Reference column to confirm latest permission settings for each command.
Scopes: The Requirements column shows all permission scopes required for each command in the Scopes section, grouped into least-privileged and higher-privileged categories. Add the least-privileged scopes first and escalate only if the command fails to run with the desired parameters.
Roles: The Requirements column shows the Entra ID roles that can authorize the command in the Roles section. A single listed role represents the least-privileged option. When multiple roles appear, they are ordered from least to most privileged; add the top role first and escalate only if the command fails to run with the desired parameters.
If a role appears for the application permission type, that role must be assigned to the application's service principal. Refer to Assign a role to the application for instructions.
READER NOTE
When Microsoft Graph returns only id and @odata.type and other fields have a null value, the caller may lack read permissions for that object type.
For example, when @odata.type has the #microsoft.graph.group value, the Group.Read.All permission scope is required along with the command’s least-privilege permission to expand group properties.
Refer to Limited information returned for inaccessible member objects for more information.
Command | Permission Type | Requirements | API Reference |
|---|---|---|---|
Add Group Devices | Delegated | Scopes
Role (one required)
| |
Application | Scopes
| ||
Add Group Members | Delegated | Scopes: GroupMember.ReadWrite.All Role: Same as Add Group Devices. | |
Application | Scopes: GroupMember.ReadWrite.All | ||
Create User | Delegated | Scopes
Role: User Administrator | |
Application | Scopes
| ||
Delete OAuth2 Permission Grants | Delegated | Scopes
Role (one required):
| Delete oAuth2PermissionGrant (a delegated permission grant) - Microsoft Graph v1.0 |
Application | Scopes
| ||
Delete Users | Delegated | Scopes
Role: User Administrator READER NOTE To perform actions on administrator accounts, additional requirements apply:
| |
Application | Scopes
Role: User Administrator (assigned to the service principal) READER NOTE To perform actions on administrators accounts, the user or service principal must hold a directory role authorized to manage accounts at the target role's sensitivity level. Refer to Privileged permissions versus protected actions for more information. | ||
Disable User | Delegated | Scopes
Role: Authentication Administrator READER NOTE
| |
Application | Scopes
Role: Authentication administrator (assigned to the service principal) READER NOTE To perform actions on administrators accounts, the user or service principal must hold a directory role authorized to manage accounts at the target role's sensitivity level. Refer to Privileged permissions versus protected actions for more information. | ||
Enable User | Delegated | Same as Disable User. | |
Application | |||
Get Device | Delegated | Scopes
| |
Application | Scopes
| ||
Get Device Locations | Delegated | Scopes
Role (one required)
READER NOTE Signed-in users with any permissions can read their own sign-in logs. | |
Application | Scopes
| ||
Get Group | Delegated | Scopes
| |
Application | |||
Get Users | Delegated | Scopes
READER NOTE
| |
Application | Scopes
| ||
Get User Audit Logs | Delegated | Scopes
Role (one required):
| |
Application | Scopes
| ||
Get User Groups | Delegated | Scopes
| |
Application | Scopes
| ||
Get User Manager | Delegated | Scopes
| |
Application | |||
Get User Manager Chain | Delegated | Same as Get User Manager. | |
Application | |||
Get User SignIn Logs BETA | Delegated | Scopes
Role (one required):
| |
Application | Scopes
| ||
List Device Groups | Delegated | Scopes
Role (one required):
| |
Application | Scopes
| ||
List Devices | Delegated | Scopes
| |
Application | Scopes
| ||
List Groups | Delegated | Scopes
| |
Application | |||
List OAuth2 Permission Grants | Delegated | Scopes
Role (one required):
| |
Application | Scopes
| ||
List User Registration Details (v1) | Delegated | Scopes
Roles (one required):
| |
Application | Scopes
| ||
List User Registration Details (beta) BETA | Delegated | Scopes
Roles (one required):
| List credentialUserRegistrationDetails - Microsoft Graph beta |
Application | Scopes
| ||
List Users | Delegated | Scopes
Roles: N/A, but guest users must be assigned an administrator role to read all users. READER NOTE If using least-privileged scopes, additional scopes may be required to read certain fields. Refer to Permissions for specific scenarios for details. | |
Application | Scopes
| ||
Remove Group Devices | Delegated | Scopes
Role (one required):
| |
Application | Scopes
| ||
Remove Group Members | Delegated | Same as Remove Group Devices. | |
Application | |||
Reset Password | Delegated | Scopes
Role (one required):
READER NOTE
| |
Application | This command cannot be used with Client Credentials. | ||
Revoke Sign In Sessions | Delegated | Scopes
Role: User Administrator READER NOTE To perform actions on administrators accounts, the user or service principal must hold a directory role authorized to manage accounts at the target role's sensitivity level. Refer to Privileged permissions versus protected actions for more information. | |
Application | Scopes
| ||
Update User | Delegated | Scopes
Role: User Administrator READER NOTE
| |
Application | Scopes
LIMITATION Users authenticating with Client Credentials cannot modify the sensitive data of administrator users. Use Authorization Code instead. READER NOTE Additional scopes may be required to update certain fields. Refer to Permissions for specific scenarios for details. | ||
Test Connection | Delegated | Same as List Users. | |
Application | |||
Configuring Microsoft Entra ID to Work with D3 SOAR
Log in to the Azure Portal.
Navigate to the search bar at top and search "App registrations", then click App Registrations.
If you have already created Apps, you can use one of them and skip to step 6 to obtain the Client ID & Tenant ID.
If you do not have an App, click + New registration at the top left corner to create a new App.
Enter an App name. Choose the first option as your Supported account type if your target audience is internal within your organization. For a more detailed description of different options, you can click Help me choose…, then select Web from the Redirect URI dropdown list and paste the Callback URI you copied from the SOAR connection window into the URI field. Finally, click Register.
Note: To copy the Callback URI from SOAR Connection Window, please refer to Configuring D3 SOAR to Work with Microsoft Entra ID.You can also add a redirect URI later. Click Overview on the navigation column, then click Add a Redirect URI.
Click Add Platform, then select Web.
Input your Redirect URIs and click Configure.
In the App Overview tab, copy and save the Application(client) ID and Directory(tenant) ID for creating the SOAR connection.
Click Certificates & secrets on the left navigation column, then click + New client secret. Enter a description for the client secret, and select the client secret expiry period from the Expires dropdown menu. Please note that the client ID cannot access API resources if the client secret is expired. You MUST renew the client secret to keep the client ID effective. Click Add at the bottom.
Copy and save the Secret Value for the SOAR connection. Please note that you will only be able to view this Secret Value once after its initial creation. Store it in a secure location.
Configure the API permissions. Click API permissions on the left navigation column, then click + Add a permission. Click Microsoft Graph under the Microsoft APIs tab.
Select Delegated Permissions if you want to use the OAuth2 Authentication Code method. If you want to use the OAuth2 Client Credentials method, select Application permissions. For the Report Emails command, which will report an email as either spam or phishing, the permission must be the Delegated Permissions for the account.
Search for the permissions you need by using the search bar. Select your desired permissions, and choose Add permission.
Some permissions may need to be granted admin consent. Please check Grant admin consent for D3DevCyber to grant the API permissions. Ask your admin to grant consent if you do not have admin privileges.
Click Grant admin consent for D3DevCyber, then click Yes.
You will see a green checkmark under status. The permission is now successfully granted.
Configuring D3 SOAR to Work with Microsoft Entra ID
Log in to D3 SOAR.
Find the Microsoft Entra ID integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Microsoft Entra ID in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Microsoft Entra ID.
Connection Name: The desired name for the connection.
Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): The description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: The checkbox that enables the connection to be used when selected.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
Grant Type: Client Credentials
Use the Client Credentials grant type when authenticating with application permissions.
1. Input the Tenant ID.
2. Select the Grant Type.
3. Input the Client ID.
4. Input the Client Secret.
5. Input the API Version. The default value is v1.0.
Grant Type: Authorization Code
Use the Authorization Code grant type when authenticating with delegated permissions. For this grant type, complete the same steps required for Grant Type: Client Credentials, plus the following additional steps.
6. Click Get Authorization to automatically retrieve the authorization code and populate the field.
7. Copy the Callback URL. Refer to step 2d in Registering an Azure App and Collecting Credentials.
8. Click the Get Refresh Token button.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Microsoft Entra ID includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Microsoft Entra ID API, refer to the Microsoft Entra ID API reference.
READER NOTE
Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Microsoft Entra ID to Work with D3 SOAR for details.
Note for Time-related parameters
The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.
The selected time format will now be visible when configuring Date/Time command input parameters.
Add Group Devices
Adds devices to a specified group. Up to 20 devices can be added in a single request.
READER NOTE
Group ID and Device IDs are required parameters to run this command.
Run the Get Group command to obtain the Group ID. Group IDs can be found in the raw data at $.value[*].id.
Run the List Devices command to obtain the Device IDs. Device IDs can be found in the raw data at $.value[*].id.
Use the value of the id field, not the deviceId field.
Input
Input Parameter | Required/Optional | Description | Example |
Group ID | Required | The ID of the group to which devices are added. Group IDs can be obtained using the List Groups command. | ***** |
Device IDs | Required | The IDs of the devices to add to the group. Devices IDs can be obtained using the List Devices command. The request uses the device's id property, not the deviceId property. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Group Device failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid object identifier. |
Error Sample Data Add Group Device failed. Status Code: 400. Message: Invalid object identifier. |
Add Group Members
Adds users to a specified group. Up to 20 members can be added in a single request.
READER NOTE
Group ID and User IDs are required parameters to run this command.
Run the List Groups command to obtain the Group ID. Group IDs can be found in the raw data at $.value[*].id.
Run the List Users command to obtain the User IDs. User IDs can be found in the raw data at $.value[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Group ID | Required | The ID of the group to which users are added. Group ID can be obtained using the List Groups command. | ***** |
User IDs | Required | The IDs of the users to add to the group. User IDs can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Group Members failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist. |
Error Sample Data Add Group Members failed. Status Code: 404. Message: Resource does not exist. |
Create User
Creates a new user in Azure.
Input
Input Parameter | Required/Optional | Description | Example |
Account Enabled | Required | Indicates whether to enable the user account. | True |
Display Name | Required | The name to display in the address book for the user. | ***** |
Force Change Password Next Sign In | Optional | Indicates whether to require the user to change their password at the next sign-in. By default, the value is set to False. | False |
Mail Nickname | Required | The mail alias for the user. By default, the value is derived from the name portion of the User Principal Name. For example, if the User Principal Name is alex.smith@contoso.com, the mailNickname value is alex.smith. | alex.smith |
Password | Required | The password for the user account. The password must satisfy minimum requirements defined by the passwordPolicies property. | ***** |
User Principal Name | Required | The user principal name (e.g., alex.smith@contoso.com). The domain portion must be a verified domain in the organization. The user principal name follows the Internet-style login-name format defined in RFC 822 and, by convention, maps to the user's email name. | alex.smith@contoso.com |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Another object with the same value for property userPrincipalName already exists. |
Error Sample Data Create User failed. Status Code: 400. Message: Another object with the same value for property userPrincipalName already exists. |
Delete OAuth2 Permission Grants
Deletes delegated permission grants. Existing access tokens remain valid for their lifetime, but newly issued tokens exclude the delegated permissions associated with the deleted oAuth2PermissionGrant.
READER NOTE
Grant IDs is a required parameter to run this command.
Run the List OAuth2 Permission Grants command to obtain the Grant IDs. Grant IDs can be found in the raw data at $.value[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Grant IDs | Required | The IDs of the OAuth2 permission grants to delete. Grant IDs can be obtained using the List OAuth2 Permission Grants command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete OAuth2 Permission Grants failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Active Directory portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data Delete OAuth2 Permission Grants failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
Delete Users
Deletes specified users. Deleted user resources are moved to a temporary container and can be restored within 30 days. After 30 days, the resources are permanently deleted.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or Principle Names of the users to delete. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Delete Users failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Disable User
Disables the specified user accounts.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or Principle Names of the users to disable. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Disable User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects are not present. |
Error Sample Data Disable User failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects are not present. |
Enable Users
Enables the specified user accounts.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or Principle Names of the users to enable. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Enable User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects are not present. |
Error Sample Data Enable User failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects are not present. |
Get Device
Retrieves details of specified devices.
READER NOTE
IDs or Device Names is a required parameter to run this command.
Run the List Devices command to obtain the IDs or Device Names.
Device IDs can be found in the raw data at $.value[*].id.
Device Names can be found in the raw data at $.value[*].displayName.
Use the value of the id field, not the deviceId field.
Input
Input Parameter | Required/Optional | Description | Example |
IDs or Device Names | Required | The IDs or names of the devices to retrieve. IDs and names can be obtained using the List Devices command. The request uses the device's id property, not the deviceId property. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: '***************************************' is not found. |
Error Sample Data Get Device failed. Status Code: 404. Message: '***************************************' is not found. |
Get Device Locations
Retrieves the latest locations of devices that have signed in since the specified time in Microsoft Entra ID.
READER NOTE
Device Names is a required parameter to run this command.
Run the List Devices command to obtain the Device Names. Device Names can be found in the raw data at $.value[*].displayName.
Input
Input Parameter | Required/Optional | Description | Example |
Device Names | Required | The names of the devices to search for sign-in logs. Device Names can be obtained using the List Devices command. |
JSON
|
Sign In Since | Required | The start time used to filter the returned sign-in logs | 2023-09-09 00:00 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Locations failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device is not found. |
Error Sample Data Get Device Locations failed. Status Code: 404. Message: Device is not found. |
Get Groups
Retrieves the properties and relationships of the specified groups.
READER NOTE
IDs Or Group Names is a required parameter to run this command.
Run the List Groups command to obtain the IDs Or Group Names.
Group IDs can be found in the raw data at $.value[*].id.
Group Names can be found in the raw data at $.value[*].displayName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Group Names | Required | The IDs or names of the groups to retrieve. Group IDs and names can be obtained using the List Groups command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Group failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Get Group failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Get Users
Retrieves the properties and relationships of specified user objects.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or Principal Names of the users to retrieve. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Select | Optional | The option to specify which group properties are returned. Available properties include businessPhones, displayName, givenName, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName, and id. If not defined, only default properties are returned. Only the specified properties are included when Select is defined. Refer to Properties for all available properties. | userPrincipalName, displayName, id |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects are not present. |
Error Sample Data Get Users failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects are not present. |
Get User Audit Logs
Retrieves audit logs for the specified Azure users. By default, the most recent audit logs are returned first. Only audit logs within the default Microsoft Entra ID retention period are available. For retention details, see How long does Microsoft Entra ID store the data?
READER NOTE
Initiated User ID Or User Principal Name and Target User IDs Or User Principal Names are required parameters to run this command.
Run the List Users command to obtain the User IDs and Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
Initiated User ID Or User Principal Name | Optional | The User IDs or Principal Names of the users who initiated the activities. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Categories | Optional | The resource categories targeted by the activities. Examples include UserManagement, GroupManagement, ApplicationManagement, RoleManagement, DirectoryManagement, and DeviceManagement. For category definitions, refer to Microsoft Entra audit log categories and activities. |
JSON
|
Activity Since | Optional | The start time used to filter returned activity logs. By default, the value is 24 hours before the Activity Till time. | 09/26/2023 00:29 AM |
Activity Till | Optional | The end time used to filter returned activity logs. By default, the value is the current time. | 09/26/2023 00:29 AM |
Application Names | Optional | The names of the applications from which the activities originated. |
JSON
|
Target User IDs Or User Principal Names | Optional | The User IDs or Principal Names of the users who were the targets of the activities. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Audit Logs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Active Directory portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data Get User Audit Logs failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
Get User Groups
Retrieves the groups, directory roles, and administrative units of which the specified users are direct members.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or Principal Names of the users to retrieve group information. User IDs and Principal Names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Get User Groups failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Get User Manager
Returns the user or organizational contact assigned as the specified users' direct reporting manager. To return the specified users' manager chains up to the root node, use the Get User Manager Chain command.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or principal names of the users whose manager information will be retrieved. User IDs and principal names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Manager failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Get User Manager failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Get User Manager Chain
Returns the specified users' manager chains up to the root node.
READER NOTE
IDs Or Principal Names is a required parameter to run this command.
Run the List Users command to obtain the IDs Or Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
IDs Or Principal Names | Required | The IDs or principal names of the users whose manager chains will be retrieved. User IDs and principal names can be obtained using the List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Manager Chain failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: IDs Or Principal Names does not exist or one of its queried reference-property objects are not present. |
Error Sample Data Get User Manager Chain failed. Status Code: 404. Message: IDs Or Principal Names does not exist or one of its queried reference-property objects are not present. |
Get User SignIn Logs
Retrieves Azure AD user sign-ins for the tenant. Interactive sign-ins and successful federated sign-ins are included in the returned logs. By default, the most recent sign-ins are returned first. Only sign-ins within the default Microsoft Entra ID retention period are available. For retention details, see How long does Microsoft Entra ID store the data?
READER NOTE
This command is available only in the Beta API version.
User Principal Names is a required parameter to run this command.
Run the List Users command to obtain the User Principal Names. User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
User Principal Names | Required | The principal names of the users whose sign-ins are retrieved. User Principal Names can be obtained using the List Users command. |
JSON
|
Sign In Since | Optional | The start time for filtering sign-in logs. By default, the value is 24 hours before the Sign In Till time. | 09/26/2023 00:28 AM |
Sign In Till | Optional | The end time for filtering sign-in logs. By default, the value is the current time. | 09/26/2023 00:29 AM |
Authentication Requirement | Optional | Filters sign-ins by authentication requirement. Valid options are:
By default, all sign-in logs are returned regardless of their authentication requirement. | Multi-Factor Authentication |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User SignIn Logs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Active Directory portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data Get User SignIn Logs failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List Device Groups
Lists the groups and administrative units of which the specified device is a direct member.
READER NOTE
Device ID is a required parameter to run this command.
Run the List Devices command to obtain the Device IDs. Device IDs can be found in the raw data at $.value[*].id.
Use the value of the id field, not the deviceId field.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device whose group memberships will be listed. Device IDs can be obtained using the List Devices command. The request uses the device’s id property, not its deviceId property. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Device Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The device is not found. |
Error Sample Data List Device Groups failed. Status Code: 404. Message: The device is not found. |
List Devices
Retrieves a list of device objects registered in the organization.
Input
Input Parameter | Required/Optional | Description | Example |
Filter | Optional | The query used to filter the returned devices. See Use the $filter query parameter for available operators and syntax. | startswith(displayName, 'Desktop') |
Top | Optional | The maximum number of devices to return. By default, all devices will be returned. | 5 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid page size specified: '1000'. Must be between 1 and 999 inclusive. |
Error Sample Data List Devices failed. Status Code: 400. Message: Invalid page size specified: '1000'. Must be between 1 and 999 inclusive. |
List Group Members
Retrieves a list of the specified group's direct members. A group can include users, organizational contacts, devices, service principals, and other groups.
READER NOTE
Group ID is a required parameter to run this command.
Run the List Groups command to obtain the Group ID. Group IDs can be found in the raw data at $.value[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Group ID | Required | The ID of the group whose members will be retrieved. Group IDs can be obtained using the List Groups command. | ***** |
Group Member Type | Optional | Filters results by type. Valid options are:
By default, all group members are returned regardless of their type. | Group |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Group Members failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Group ID. |
Error Sample Data List Group Members failed. Status Code: 400. Message: Invalid Group ID. |
List Groups
Retrieves a list of groups in the organization and returns their members. The list is sorted by group display name in ascending order.
READER NOTE
Select is an optional parameter to run this command.
Available properties include: id, deletedDateTime, classification, createdDateTime, creationOptions, description, displayName, expirationDateTime, groupTypes, isAssignableToRole, mail, mailEnabled, mailNickname, membershipRule, membershipRuleProcessingState, onPremisesDomainName, onPremisesLastSyncDateTime, onPremisesNetBiosName, onPremisesSamAccountName, onPremisesSecurityIdentifier, onPremisesSyncEnabled, preferredDataLocation, preferredLanguage, proxyAddresses, renewedDateTime, resourceBehaviorOptions, resourceProvisioningOptions, securityEnabled, securityIdentifier, theme, visibility, and onPremisesProvisioningErrors.
If the Select parameter is defined, only the specified properties are returned. As a result, Key Fields such as GroupDisplayNames and GroupIDs might return null when they are not included in the Select parameter.
Input
Input Parameter | Required/Optional | Description | Example |
Select | Optional | The option to specify which group properties are returned. If not defined, only default properties are returned. Only the specified properties are included when Select is defined. | displayName, id, mail, description,visibility,groupTypes |
Group Name | Optional | Filters results by full or partial group name. | D3lab |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access is denied to the requested resource. The user might not have enough permission. |
Error Sample Data List Groups failed. Status Code: 403. Message: Access is denied to the requested resource. The user might not have enough permission. |
List OAuth2 Permission Grants
Retrieves OAuth2PermissionGrant entities that represent delegated permissions granted to a client application to access an API on behalf of users.
READER NOTE
User Principal Name is a required parameter to run this command.
Run the List Users command to obtain the User Principal Name. User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
User Principal Name | Required | The principal name of the user whose OAuth2PermissionGrants are listed. User Principal Name can be obtained using the List Users command. | *****@*****.com |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List OAuth2 Permission Grants failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Active Directory portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List OAuth2 Permission Grants failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List User Registration Details (beta)
Returns user registration details. Details include user information, registration status, self-service password reset activity, multi-factor authentication status, and authentication methods. The credential user registration details API is deprecated and will stop returning data on June 30, 2024. Use List User Registration Details v1 instead.
DEPRECATION NOTICE
The credential user registration details API is deprecated and stopped returning data on June 30, 2024. Use List User Registration Details v1 instead.
Input
Input Parameter | Required/Optional | Description | Example |
Filters | Optional | The filter expression used to refine the returned user registration details. Supported properties include userDisplayName, userPrincipalName, authMethods, isRegistered, isEnabled, isCapable, and isMfaRegistered. For userDisplayName and userPrincipalName, eq and startswith() are supported. For other properties, only eq is supported. Logical operators and and or can be used. | authMethods/any(t:t eq microsoft.graph.registrationAuthMethod'email') or userPrincipalName eq '*****@*****.com'and isRegistered eq true and isEnabled eq true and isCapable eq true and isMfaRegistered eq true |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List User Registration Details (beta) failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Active Directory portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List User Registration Details (beta) failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List User Registration Details (v1)
Returns the authentication methods registered for users.
READER NOTE
User Principal Names is a required parameter to run this command.
Run the List Users command to obtain the User Principal Names. User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
User Principal Names | Optional | Filters results by user principal names. User Principal Names can be obtained using the List Users command. |
JSON
|
Filters | Optional | Filters the list of user registration details. Refer to List userRegistrationDetails for supported filter properties and syntax. | startswith(userDisplayName, 'Adam') |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List User Registration Details (v1) failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid filter clause. |
Error Sample Data List User Registration Details (v1) failed. Status Code: 400. Message: Invalid filter clause. |
List Users
Retrieves a list of user objects. The user list is sorted by user display name in ascending order.
READER NOTE
Select is an optional parameter to run this command.
Available properties include: businessPhones, displayName, givenName, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName, and id.
If the Select parameter is defined, only the specified properties are returned. As a result, Key Fields such as userPrincipalName and userIDs might return null when they are not included in the Select parameter.
Input
Input Parameter | Required/Optional | Description | Example |
Select | Optional | The option to specify which user properties are returned. If not defined, only default properties are returned. Only the specified properties are included when Select is defined. Refer to Properties for all available properties. | userPrincipalName, displayName, id |
User Name | Optional | Filters results by full or partial user name. | doraemon |
Search Condition | Optional | The additional search criteria applied to the results. If User Name is defined, this parameter is combined with it using the OR operator. Field and value pairs must be quoted. | ( "displayName: abcd" AND "mail:xyz") |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Get Token Fail, reason: unauthorized_client. |
Error Sample Data List Users failed. Status Code: 400. Message: Get Token Fail, reason: unauthorized_client. |
Remove Group Devices
Removes devices from a specified security group.
READER NOTE
Group ID and Device IDs are required parameters to run this command.
Run the List Groups command to obtain the Group ID. Group IDs can be found in the raw data at $.value[*].id.
Run the List Group Members or List Devices command to obtain the Device IDs. Device IDs can be found in the raw data at $.value[*].id.
Use the value of the id field, not the deviceId field.
Ensure the input devices belong to the specified group.
Run the List Groups command to identify the group.
Use the List Group Members command with the group ID and Group Member Type set to Group to confirm the devices are members.
Use the verified group-device pair to run this command.
Input
Input Parameter | Required/Optional | Description | Example |
Group ID | Required | The ID of the security group from which devices will be removed. Group IDs can be obtained using the List Groups command. | ***** |
Device IDs | Required | The IDs of the devices to remove from the group. Device IDs can be obtained using the List Group Members or List Devices command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Group Device failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Remove Group Device failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Remove Group Members
Removes users from a specified group.
READER NOTE
Group ID and User IDs are required parameters to run this command.
Run the List Groups command to obtain the Group ID. Group IDs can be found in the raw data at $.value[*].id.
Run the List Group Members or List Users command to obtain the User IDs. User IDs can be found in the raw data at $.value[*].id.
Ensure the input users belong to the specified group.
Run the List Groups command to identify the group.
Use the List Group Members command with the group ID and Group Member Type set to User to confirm the users are members.
Use the verified group-user pair to run this command.
Input
Input Parameter | Required/Optional | Description | Example |
Group ID | Required | The ID of the group from which users will be removed. Group IDs can be obtained using the List Groups command. | ***** |
User IDs | Required | The IDs of the users to remove from the group. User IDs can be obtained using the List Group Members or List Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Group Members failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Remove Group Members failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Reset Password
Resets the password of a specified user and sends a system-generated temporary password to the defined email address. Only connections using the authorization code grant type can run this command. This action cannot be performed on the user's own account. The user will be prompted to change the temporary password at the next sign-in. For hybrid accounts, password writeback must be configured.
READER NOTE
User ID or User Principal Name is a required parameter to run this command.
Run the List Users command to obtain the User ID or User Principal Name.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
For security purposes, the email address cannot match the value provided in User ID or User Principal Name parameter, because these values correspond to the user's own email address. An error will be returned if they match.
Input
Input Parameter | Required/Optional | Description | Example |
User ID or User Principal Name | Required | The ID or principal name of the user whose password will be reset. User IDs and principal names can be obtained using the List Users command. | *****@*****.com |
Email Address | Required | The email address that will receive the system-generated temporary password. This value cannot match the user's ID or user principal, and an error will be returned if they match. The user will be prompted to change this temporary password at the next sign-in. | *****@*****.com |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Reset Password failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connector Error: Grant Type should be authorization_code. |
Error Sample Data Reset Password failed. Status Code: 400. Message: Connector Error: Grant Type should be authorization_code. |
Revoke SignIn Sessions
Invalidates all refresh tokens issued to the specified user's applications. This includes session cookies in the user's browser. The operation resets the signInSessionsValidFromDateTime property to the current date and time, forcing the user to reauthenticate to all previously consented applications regardless of the device.
READER NOTE
User ID or User Principal Name is a required parameter to run this command.
Run the List Users command to obtain the User ID or User Principal Name.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
User ID Or User Principal Name | Required | The IDs or principal names of the users whose sign-in sessions will be revoked. User IDs and principal names can be obtained using the List Users command. | *****@*****.com |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Revoke SignIn Sessions failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource does not exist or one of its queried reference-property objects is not present. |
Error Sample Data Revoke SignIn Sessions failed. Status Code: 404. Message: Resource does not exist or one of its queried reference-property objects is not present. |
Update User
Updates properties of a user object. Members and Guests cannot update all properties with their default permissions and may require administrator roles. Refer to Compare member and guest default permissions for more information.
READER NOTE
User IDs or User Principal Names is a required parameter to run this command.
Run the List Users command to obtain the User IDs or User Principal Names.
User IDs can be found in the raw data at $.value[*].id.
User Principal Names can be found in the raw data at $.value[*].userPrincipalName.
Input
Input Parameter | Required/Optional | Description | Example |
User IDs Or User Principal Names | Required | The IDs or Principal Names of the users to update. User IDs and principal names can be obtained using the List Users command. |
JSON
|
Updated Fields | Required | The updated user field values. Include only properties that require changes. Properties omitted from the request will retain their existing values or be recalculated based on related updates. Refer to Request body for available user fields. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access is denied to the requested resource. The user might not have enough permission. |
Error Sample Data Update User failed. Status Code: 403. Message: Access is denied to the requested resource. The user might not have enough permission. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Entra ID portal. Refer to the Microsoft Graph error responses and resource types for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access is denied to the requested resource. The user might not have enough permission. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 403. Message: Access is denied to the requested resource. The user might not have enough permission. |