Microsoft Cloud — Identity Tools
The 22 identity tools query your Entra ID tenant — users, groups, service principals, directory roles, administrative units, and Privileged Identity Management. They form the bedrock of identity assessments: who has access to what, which accounts are over-privileged, where MFA is missing, and which roles are eligible vs. active.
All identity tools accept an optional connection_id to target a specific tenant. Omit it to use the default Entra connection. See entra_connection_list for multi-tenant scenarios.
Tools are grouped by what they audit: users, groups, service principals and apps, directory roles, administrative units, and PIM.
Users
mscloud_identity_list_users
Lists users in the Entra ID tenant. Supports OData query parameters and $search (which requires ConsistencyLevel: eventual). The key tool for identity assessments — enumerate all accounts, find stale users, check license assignments. Compose with mscloud_identity_get_user, mscloud_service_get_user_license_details, and mscloud_security_list_sign_ins for a complete user profile.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter, e.g. accountEnabled eq false. |
| search | string | — | OData $search (requires ConsistencyLevel: eventual). |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size; users endpoint allows up to 999. Smaller pages reduce timeout risk. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"List all disabled user accounts in the tenant."
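The query parameters above follow the same pattern for every listing tool: $search only works with the ConsistencyLevel: eventual header, top has an endpoint-specific ceiling, and skiptoken from one response feeds the next request. The helper below is an added example, not code from this tool set; it assumes the tool is wrapped by a `fetch` callable returning `{"value": [...], "skiptoken": ...}`, and the three-page response is constructed.

```python
from typing import Callable, Dict, Iterator, Optional, Tuple
# Page-size ceilings from the tool reference: the users endpoint allows 999, the others 100.
PAGE_CEILING = {"users": 999}

def build_query(resource: str, *, filter: Optional[str] = None, search: Optional[str] = None,
                select: Optional[str] = None, top: Optional[int] = None,
                skiptoken: Optional[str] = None) -> Tuple[Dict, Dict]:
    """Return (query_params, headers) for one page of a listing call."""
    params, headers = {}, {}
    if filter:
        params["$filter"] = filter
    if search:
        # $search is only honoured when ConsistencyLevel: eventual is sent with it.
        params["$search"] = search
        headers["ConsistencyLevel"] = "eventual"
    if select:
        params["$select"] = select
    if top is not None:
        # Clamp to the endpoint ceiling so an oversized page request is not rejected.
        params["$top"] = max(1, min(top, PAGE_CEILING.get(resource, 100)))
    if skiptoken:
        params["$skiptoken"] = skiptoken
    return params, headers

def iterate_all(fetch: Callable[[Dict, Dict], Dict], resource: str, **query) -> Iterator[Dict]:
    """Yield every item across pages, feeding each response's skiptoken into the next request.
    `fetch` is assumed to return {"value": [...], "skiptoken": <token or None>}."""
    skiptoken = None
    while True:
        params, headers = build_query(resource, skiptoken=skiptoken, **query)
        page = fetch(params, headers)
        yield from page.get("value", [])
        skiptoken = page.get("skiptoken")
        if not skiptoken:
            return

# Constructed stand-in for the tool: three pages of disabled accounts keyed by skiptoken.
_FAKE_PAGES = {
    None: {"value": [{"userPrincipalName": "a@example.com"}, {"userPrincipalName": "b@example.com"}], "skiptoken": "page2"},
    "page2": {"value": [{"userPrincipalName": "c@example.com"}], "skiptoken": "page3"},
    "page3": {"value": [{"userPrincipalName": "d@example.com"}], "skiptoken": None},
}

def fake_fetch(params: Dict, headers: Dict) -> Dict:
    return _FAKE_PAGES[params.get("$skiptoken")]

def disabled_upns() -> list:
    # Enumerate every disabled account, as the example prompt above asks for.
    return [u["userPrincipalName"] for u in
            iterate_all(fake_fetch, "users", filter="accountEnabled eq false", top=2000)]
```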
mscloud_identity_get_user
Returns a single user by ID or UPN. Use select to request specific fields like signInActivity, onPremisesSyncEnabled, assignedLicenses, or accountEnabled.
| Parameter | Type | Required | Description |
|---|---|---|---|
| user_id | string | ✓ | User ID (GUID) or UPN. |
| connection_id | string | — | Target Entra tenant. |
| select | string | — | Comma-separated property list. |
Example prompt.
"Show me the full profile for stefan.hayduk@example.com — include sign-in activity and licenses."
mscloud_identity_list_user_auth_methods
Lists authentication methods registered for a user — password, phone, FIDO2, Microsoft Authenticator, email, software OATH, temporary access pass, and so on. Essential for MFA coverage audits: identify users with only password auth, missing strong methods, or excessive methods.
Pair with mscloud_identity_get_user and mscloud_security_list_sign_ins for a full authentication profile.
| Parameter | Type | Required | Description |
|---|---|---|---|
| user_id | string | ✓ | User ID (GUID) or UPN. |
| connection_id | string | — | Target Entra tenant. |
Example prompt.
"What authentication methods does stefan.hayduk@example.com have registered?"
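An MFA coverage audit built on this tool's output, as an added example that is not part of the tool set: it assumes the tool returns Microsoft Graph authenticationMethod objects carrying their `@odata.type`, buckets each user by the strongest lasting second factor, and flags the three conditions the description names (password only, weak methods only, excessive methods). The sample registrations and the excessive-method threshold are constructed.

```python
from typing import Dict, Iterable, List
# Graph authenticationMethod @odata.type values, grouped by the assurance they give.
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
PHISHING_RESISTANT = {"#microsoft.graph.fido2AuthenticationMethod",
                      "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"}
STRONG = PHISHING_RESISTANT | {"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
                               "#microsoft.graph.softwareOathAuthenticationMethod"}
WEAK = {"#microsoft.graph.phoneAuthenticationMethod", "#microsoft.graph.emailAuthenticationMethod"}
# A temporary access pass is a bootstrap credential, not a lasting second factor.
TRANSIENT = {"#microsoft.graph.temporaryAccessPassAuthenticationMethod"}
EXCESSIVE_THRESHOLD = 5  # constructed policy value: more registered methods than this gets flagged

def classify(methods: Iterable[Dict]) -> str:
    """Bucket one user's registered methods by the strongest lasting second factor."""
    types = {m.get("@odata.type") for m in methods}
    lasting = types - {PASSWORD} - TRANSIENT
    if not lasting:
        return "password_only"
    if lasting & PHISHING_RESISTANT:
        return "phishing_resistant"
    if lasting & STRONG:
        return "strong"
    if lasting & WEAK:
        return "weak_only"  # SMS/voice/email: MFA exists but is interceptable or socially engineered
    return "unrecognised"

def audit(registrations: Dict[str, List[Dict]]) -> Dict[str, Dict]:
    """Map UPN -> {tier, method_count, findings} for every user in the input."""
    report = {}
    for upn, methods in registrations.items():
        tier = classify(methods)
        findings = []
        if tier == "password_only":
            findings.append("no MFA method registered")
        elif tier == "weak_only":
            findings.append("only SMS/voice/email second factors")
        if len(methods) > EXCESSIVE_THRESHOLD:
            findings.append(f"{len(methods)} methods registered; review for stale or unexpected entries")
        report[upn] = {"tier": tier, "method_count": len(methods), "findings": findings}
    return report

# Constructed sample: what the tool might return for three users.
SAMPLE = {
    "alice@example.com": [{"@odata.type": PASSWORD}, {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
    "bob@example.com": [{"@odata.type": PASSWORD}],
    "carol@example.com": [{"@odata.type": PASSWORD}, {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"},
                          {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod"}],
}
```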
Groups
mscloud_identity_list_groups
Lists groups in the tenant. Supports OData filtering and $search. Compose with mscloud_identity_list_group_members and mscloud_identity_list_group_owners to inspect membership and governance.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter. |
| search | string | — | OData $search (requires ConsistencyLevel: eventual). |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Find all security groups whose name contains 'admin'."
mscloud_identity_get_group
Returns a single group by ID — type (security/M365/mail-enabled), membership rules, and sync status.
| Parameter | Type | Required | Description |
|---|---|---|---|
| group_id | string | ✓ | Group ID (GUID). |
| connection_id | string | — | Target Entra tenant. |
| select | string | — | Comma-separated property list. |
Example prompt.
"Show me everything about the 'IT Admins' group."
mscloud_identity_list_group_members
Lists members of a group. Essential for auditing who has access to resources protected by group membership. Cross-reference with mscloud_identity_list_directory_role_members and mscloud_security_list_ca_policies for full access analysis.
| Parameter | Type | Required | Description |
|---|---|---|---|
| group_id | string | ✓ | Group ID (GUID). |
| connection_id | string | — | Target Entra tenant. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Who is a member of the 'IT Admins' group?"
mscloud_identity_list_group_owners
Lists owners of a group. Owners can manage membership and settings — critical for access governance audits. Check whether owners are appropriate for the group's sensitivity level.
| Parameter | Type | Required | Description |
|---|---|---|---|
| group_id | string | ✓ | Group ID (GUID). |
| connection_id | string | — | Target Entra tenant. |
Example prompt.
"Who owns the 'IT Admins' group?"
Service Principals & Apps
mscloud_identity_list_service_principals
Lists service principals (enterprise apps) in the tenant. Supports OData filtering and $search. Compose with mscloud_identity_list_sp_app_role_assignments to audit permissions.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter. |
| search | string | — | OData $search (requires ConsistencyLevel: eventual). |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Find all enterprise apps whose name contains 'Azure'."
mscloud_identity_get_service_principal
Returns a single service principal — app permissions, credential expiry, sign-in audience.
| Parameter | Type | Required | Description |
|---|---|---|---|
| sp_id | string | ✓ | Service principal object ID (GUID). |
| connection_id | string | — | Target Entra tenant. |
| select | string | — | Comma-separated property list. |
Example prompt.
"Show me the full configuration of service principal <sp-guid>."
mscloud_identity_list_sp_app_role_assignments
Lists app role assignments for a service principal — which API permissions (e.g. Mail.Read, Directory.ReadWrite.All) have been granted. Critical for identifying over-permissioned apps during security assessments.
| Parameter | Type | Required | Description |
|---|---|---|---|
| sp_id | string | ✓ | Service principal object ID. |
| connection_id | string | — | Target Entra tenant. |
Example prompt.
"What API permissions does this service principal hold?"
Directory Roles
mscloud_identity_list_directory_roles
Lists currently activated directory roles in the tenant. Pair with mscloud_identity_list_directory_role_members to audit privileged access, and mscloud_identity_list_pim_eligibility_schedules for PIM-eligible roles. Takes only an optional connection_id.
Example prompt.
"Which directory roles are activated in this tenant?"
mscloud_identity_list_directory_role_templates
Lists all directory role templates, including roles that have not yet been activated. Useful for understanding the full set of available admin roles. Takes only an optional connection_id.
Example prompt.
"What directory role templates exist that we haven't activated yet?"
mscloud_identity_list_directory_role_members
Lists members of an activated directory role. The cornerstone of privileged access audits — who is Global Administrator, Exchange Administrator, and so on. Cross-reference with mscloud_security_list_risky_users to flag any privileged users at risk. Pass role_id.
Example prompt.
"Who has the Global Administrator role?"
mscloud_identity_list_role_definitions
Lists custom and built-in role definitions (RBAC). Shows the permissions each role grants. Use with mscloud_identity_list_role_assignments to map who has which permissions and compare against least-privilege recommendations.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter. |
Example prompt.
"List all custom role definitions."
mscloud_identity_list_role_assignments
Lists role assignments — who has which role, scoped to which resource. Critical for privileged access reviews. Filter by principalId to check a specific user's roles, or enumerate all to find over-privileged accounts.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter, e.g. principalId eq '<guid>'. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"List every role this user is assigned to."
Administrative Units
mscloud_identity_list_admin_units
Lists administrative units in the directory. Supports OData filtering and $search. Compose with mscloud_identity_list_admin_unit_members to inspect membership.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter. |
| search | string | — | OData $search (requires ConsistencyLevel: eventual). |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"List all administrative units in the directory."
mscloud_identity_get_admin_unit
Returns a single administrative unit — properties and scope configuration. Use with mscloud_identity_list_admin_unit_members to see which users, groups, or devices are scoped to this AU.
| Parameter | Type | Required | Description |
|---|---|---|---|
| admin_unit_id | string | ✓ | Administrative unit ID. |
| connection_id | string | — | Target Entra tenant. |
| select | string | — | Comma-separated property list. |
Example prompt.
"Show me the full configuration of the Finance administrative unit."
mscloud_identity_list_admin_unit_members
Lists members of an administrative unit. Useful for validating delegation boundaries in multi-admin environments.
| Parameter | Type | Required | Description |
|---|---|---|---|
| admin_unit_id | string | ✓ | Administrative unit ID. |
| connection_id | string | — | Target Entra tenant. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Which users and groups are scoped to the Finance administrative unit?"
Privileged Identity Management (PIM)
The four PIM tools cover both eligibility (who is allowed to activate which role) and active assignments (who is currently using the role).
mscloud_identity_list_pim_eligibility_schedules
Lists PIM role eligibility schedules — who is eligible for which role.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter, e.g. principalId eq '{userId}'. |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Show me everyone eligible to activate Global Administrator."
mscloud_identity_list_pim_eligibility_requests
Lists PIM role eligibility schedule requests.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter, e.g. status eq 'PendingApproval'. |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Are there any pending PIM eligibility requests?"
mscloud_identity_list_pim_assignment_schedules
Lists active PIM role assignment schedules — who is currently using which role.
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter. |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"List all currently active PIM role assignments."
mscloud_identity_list_pim_assignment_requests
Lists PIM role assignment schedule requests (activation requests).
| Parameter | Type | Required | Description |
|---|---|---|---|
| connection_id | string | — | Target Entra tenant. |
| filter | string | — | OData $filter, e.g. status eq 'PendingApproval'. |
| select | string | — | Comma-separated property list. |
| top | number | — | Page size, max 100. |
| skiptoken | string | — | From the previous response. |
Example prompt.
"Are there any pending PIM activation requests right now?"
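Joining the eligibility and assignment schedule outputs is what turns the four PIM tools into a least-privilege check: a privileged role held as a permanent direct assignment is standing access that PIM's activation controls never gate. The check below is an added example, not code from this tool set; it assumes both tools return Graph-shaped schedule objects (`principalId`, `roleDefinitionId`, `assignmentType`, `scheduleInfo.expiration.type`). The Global Administrator template ID is the well-known Entra value; the second role ID and all sample records are constructed.

```python
from typing import Dict, Iterable, List
# Well-known Entra role template ID for Global Administrator; the second ID is constructed.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "role-exchange-admin-constructed": "Exchange Administrator",
}

def standing_privileged_access(assignment_schedules: Iterable[Dict],
                               eligibility_schedules: Iterable[Dict]) -> List[Dict]:
    """Return privileged role holders whose access is permanent and directly assigned.
    assignmentType 'Activated' is a time-bound PIM activation; 'Assigned' is a direct
    assignment. A direct assignment whose expiration type is 'noExpiration' is standing
    access that PIM's approval, MFA and duration controls never apply to.
    """
    eligible = {(e["principalId"], e["roleDefinitionId"]) for e in eligibility_schedules}
    findings = []
    for a in assignment_schedules:
        role_id = a["roleDefinitionId"]
        if role_id not in PRIVILEGED_ROLES:
            continue
        expiration = a.get("scheduleInfo", {}).get("expiration", {}).get("type")
        if a.get("assignmentType") == "Assigned" and expiration == "noExpiration":
            findings.append({
                "principalId": a["principalId"],
                "role": PRIVILEGED_ROLES[role_id],
                # If the principal is also eligible, the permanent assignment is redundant
                # and can be removed so that only just-in-time activation remains.
                "also_eligible": (a["principalId"], role_id) in eligible,
            })
    return findings

# Constructed sample responses from the PIM eligibility and assignment schedule tools.
GA = "62e90394-69f5-4237-9190-012177145e10"
ELIGIBILITY = [{"principalId": "user-1", "roleDefinitionId": GA}]
ASSIGNMENTS = [
    # user-1: permanent direct assignment although already eligible -> redundant standing access
    {"principalId": "user-1", "roleDefinitionId": GA, "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    # user-2: time-bound PIM activation -> expected behaviour, not a finding
    {"principalId": "user-2", "roleDefinitionId": GA, "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDateTime", "endDateTime": "2025-01-01T10:00:00Z"}}},
    # user-3: permanent direct assignment with no eligibility record -> standing access outside PIM
    {"principalId": "user-3", "roleDefinitionId": "role-exchange-admin-constructed",
     "assignmentType": "Assigned", "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
]

def sample_findings() -> List[Dict]:
    return standing_privileged_access(ASSIGNMENTS, ELIGIBILITY)
```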
See Also
For tenant-level platform context (subscriptions, app registrations, GDAP), see Microsoft Cloud — Platform. For risky users, sign-ins, and Conditional Access, see Microsoft Cloud — Security. For licensing and Microsoft 365 services, see Microsoft Cloud — Services.