Each Entra ID object (user, group, administrative unit, role, service principal, and app registration) has a set of attributes (properties such as name or description) that we protect.
The following object attributes are protected:
User
| Attribute | Description |
| accountEnabled | Defines if account is enabled or not. |
| ageGroup | Age group of the user: minor, notAdult, adult |
| businessPhones | The telephone numbers for the user. |
| city | The city in which the user is located. |
| companyName | The company name which the user is associated. |
| consentProvidedForMinor | Sets whether consent has been obtained for minors: granted, denied, notRequired |
| country | The country/region in which the user is located. |
| createdDateTime | The date the user object was created. |
| creationType | If the user account was created as a local account for an Entra ID B2C tenant, the value is LocalAccount or nameCoexistence |
| deletedDateTime | For some Entra ID objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. |
| department | The name for the department in which the user works. |
| employeeHireDate | The date and time when the user was hired or will start work in case of a future hire. |
| employeeId | The employee identifier assigned to the user by the organization. |
| employeeOrgData | Represents organization data (e.g. division and costCenter) associated with a user. |
| employeeType | Captures enterprise worker type (e.g. Contractor, Consultant, Employee) |
| externalUserState | For an external user invited to the tenant this property represents the invited user's invitation status. |
| externalUserState ChangeDateTime | Shows the timestamp for the latest change to the invitation status (externalUserState) property. |
| faxNumber | The fax number of the user. |
| givenName | The given name (first name) of the user. |
| identities | Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. |
| jobTitle | The user's job title. |
| lastPasswordChangeDateTime | The date the the user last changed their password. |
| The SMTP address for the user. | |
| mailNickname | The mail alias for the user. |
| mobilephone | The primary cellular telephone number for the user. |
| officeLocation | The office location in the user's place of business. |
| onPremisesImmutableId | This property is used to associate an on-premises user account to their Entra ID user object. |
| onPremisesProvisioningErrors | Errors when using Microsoft synchronization product during provisioning. |
| otherMails | A list of additional email addresses for the user |
| passwordPolicies | Specifies password policies for the user. |
| postalCode | The postal code for the user's postal address. |
| preferredDataLocation | The preferred data location for the user. |
| preferredLanguage | The preferred language for the user. |
| showInAddressList | If the Outlook global address list should contain this user. |
| state | The state or province in the user's address. |
| streetAddress | The street address of the user's place of business. |
| surname | The user's surname (family name or last name). |
| usageLocation | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. |
| userPrincipalName | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. |
| userType | A string value that can be used to classify user types in your directory, such as "Member" and "Guest." |
Group
| Attribute | Description |
| classification | Describes a classification for the group (such as low, medium or high business impact). |
| deletedDateTime | For some Entra ID objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. |
| description | An optional description for the group. |
| groupTypes | Specifies the group type and its membership. |
| deducedGroupType | Keepit's property which helps us to deduce the exact type of the group based on several properties (mailEnabled, securityEnabled, groupTypes). |
| mailEnabled | Specifies whether the group is mail-enabled. |
| mailNickname | The mail alias for the group, unique in the organization. Maximum length is 64 characters. |
| The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com". | |
| membershipRule | The rule that determines members for this group if the group is a dynamic group. |
| membershipRule ProcessingState | Indicates whether the dynamic membership processing is on or paused. |
| preferredDataLocation | The preferred data location for the group. |
| preferredLanguage | The preferred language for a Microsoft 365 group. |
| resourceBehaviorOptions | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. |
| resourceProvisioningOptions | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. |
| securityEnabled | Specifies whether the group is a security group. |
| securityIdentifier | Security identifier of the group, used in Windows scenarios. |
| theme | Specifies a Microsoft 365 group's color theme. |
| visibility | Specifies the group join policy and group content visibility for groups. |
| isAssignableToRole | Indicates whether this group can be assigned to an Entra ID role or not. |
Administrative Unit
| Attribute | Description |
| description | An optional description for the administrative unit. |
| visibility | Controls whether the administrative unit and its members are hidden or public. |
Role
| Attribute | Description |
| description | Role description. |
| isBuiltIn | Flag indicating if the role is part of the default set included with the product or custom. |
| isEnabled | Flag indicating if the role is enabled for assignment. |
| rolePermissions | List of permissions included in the role. |
| templateId | Custom template identifier that can be set when isBuiltIn is false. |
| version | Indicates version of the role. |
| visibility | Controls whether the role is hidden or public. |
Service Principal
| Attribute | Description |
|---|---|
accountEnabled | true if the service principal account is enabled; otherwise, false. If set to false, then no users will be able to sign in to this app, even if they are assigned to it. |
| addIns | Defines custom behavior that a consuming service can use to call an app in specific contexts. |
| displayName | The display name for the service principal. |
| alternativeNames | Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. |
| appDescription | The description exposed by the associated application. |
| appDisplayName | The display name exposed by the associated application. |
appId | The unique identifier for the associated application (its appId property). |
| applicationTemplateId | Unique identifier of the applicationTemplate that the servicePrincipal was created from. |
| appOwnerOrganizationId | Contains the tenant id where the application is registered. |
appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. |
| appRoles | The roles exposed by the application which this service principal represents. |
| deletedDateTime | The date and time the service principal was deleted. |
| description | Free text field to provide an internal end-user facing description of the service principal. |
| disabledByMicrosoftStatus | Specifies whether Microsoft has disabled the registered application. |
| homepage | Home page or landing page of the application. |
| info | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. |
keyCredentials | The collection of key credentials associated with the service principal. |
| loginUrl | Specifies the URL where the service provider redirects the user to Entra ID to authenticate. |
| logoutUrl | Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols. |
| notes | Free text field to capture information about the service principal, typically used for operational purposes. |
| notificationEmailAddresses | Specifies the list of email addresses where Entra ID sends a notification when the active certificate is near the expiration date. |
| oauth2PermissionScopes | The delegated permissions exposed by the application. |
| passwordCredentials | The collection of password credentials associated with the application. |
preferredSingleSignOnMode | Specifies the single sign-on mode configured for this application. Entra ID uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Entra ID My Apps. |
| replyUrls | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. |
resourceSpecificApplicationPermissions | The resource-specific application permissions exposed by this application. |
| samlSingleSignOnSettings | The collection for settings related to saml single sign-on. |
| servicePrincipalNames | Contains the list of identifiersUris, copied over from the associated application. |
| servicePrincipalType | Identifies whether the service principal represents an application, a managed identity, or a legacy application. |
| signInAudience | Specifies the Microsoft accounts that are supported for the current application. |
tokenEncryptionKeyId | Specifies the keyId of a public key from the keyCredentials collection. |
| tags | Custom strings that can be used to categorize and identify the service principal. |
| verifiedPublisher | Specifies the verified publisher of the application which this service principal represents. |
App Registration
| Attribute | Description |
|---|---|
| addIns | Defines custom behavior that a consuming service can use to call an app in specific contexts. |
| displayName | The display name for the application. |
| api | Specifies settings for an application that implements a web API. |
applicationTemplateId | Unique identifier of the applicationTemplate. |
appRoles | The collection of roles defined for the application. |
certification | Specifies the certification status of the application. |
createdDateTime | The date and time the application was registered. |
deletedDateTime | The date and time the application was deleted. |
description | Free text field to provide a description of the application object to end users. |
disabledByMicrosoftStatus | Specifies whether Microsoft has disabled the registered application. |
groupMembershipClaims | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. |
identifierUris | Also known as App ID URI, this value is set when an application is used as a resource app. |
info | Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. |
isDeviceOnlyAuthSupported | Specifies whether this application supports device authentication without a user. |
isFallbackPublicClient | Specifies the fallback application type as public client, such as an installed application running on a mobile device. |
keyCredentials | The collection of key credentials associated with the application. |
notes | Notes relevant for the management of the application. |
oauth2RequiredPostResponse | Specifies whether, as part of OAuth 2.0 token requests, Entra ID allows POST requests, as opposed to GET requests. |
optionalClaims | Application developers can configure optional claims in their Entra ID applications to specify the claims that are sent to their application by the Microsoft security token service. |
parentalControlSettings | Specifies parental control settings for an application. |
passwordCredentials | The collection of password credentials associated with the application. Not nullable. |
publicClient | Specifies settings for installed clients such as desktop or mobile devices. |
publisherDomain | The verified publisher domain for the application. |
requiredResourceAccess | Specifies the resources that the application needs to access. |
samlMetadataUrl | The URL where the service exposes SAML metadata for federation. |
serviceManagementReference | References application or service contact information from a Service or Asset Management database. |
signInAudience | Specifies the Microsoft accounts that are supported for the current application. |
spa | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. |
tags | Custom strings that can be used to categorize and identify the application. |
tokenEncryptionKeyId | Specifies the keyId of a public key from the keyCredentials collection. |
verifiedPublisher | Specifies the verified publisher of the application. |
web | Specifies settings for a web application. |