Overview

Published on May 25th, 2026

Introduction

The Context Store has several Entra ID templated Data Sources to allow users to quickly pull relevant data into their Data Store. These templates are a starting point and often you'll want to apply filters or chained Data Sources to modify these templates to suit your needs.

Authentication

In order to pull data from Microsoft Graph you need to establish an application and then add the following secrets to the Context Store:

  • Azure AD client ID
  • Azure AD client secret
  • Azure AD tenant ID

Microsoft docs on setting up applications can be found here .

Pre-built Data Sources

This table lists the Microsoft Graph application permissions (app-only / client credentials) needed for the Entra ID data source seeds currently defined in this repo.

These are Graph application permissions, not delegated permissions.

Admin consent is required in Entra ID for app-only access.

If you prefer one broad read permission set for all of the above, Directory.Read.All is commonly used, but the least-privilege approach is to grant only the endpoint-specific permissions listed in the table.

Data source seedGraph endpoint(s) usedRecommended app permission(s)
Entra ID usersGET /v1.0/users and chained GET /v1.0/users/{id}/memberOf/microsoft.graph.groupUser.Read.All, GroupMember.Read.All
Entra ID groupsGET /v1.0/groupsGroup.Read.All
Entra ID applicationsGET /v1.0/applicationsApplication.Read.All
Entra ID service principalsGET /v1.0/servicePrincipalsApplication.Read.All
Entra ID agent identitiesGET /v1.0/servicePrincipals?$filter=servicePrincipalType eq 'ManagedIdentity'Application.Read.All
Entra ID devicesGET /v1.0/devicesDevice.Read.All
Entra ID directory rolesGET /v1.0/directoryRolesRoleManagement.Read.Directory
Entra ID domainsGET /v1.0/domainsDomain.Read.All