Overview
Published on May 25th, 2026Introduction
The Context Store has several Entra ID templated Data Sources to allow users to quickly pull relevant data into their Data Store. These templates are a starting point and often you'll want to apply filters or chained Data Sources to modify these templates to suit your needs.
Authentication
In order to pull data from Microsoft Graph you need to establish an application and then add the following secrets to the Context Store:
- Azure AD client ID
- Azure AD client secret
- Azure AD tenant ID
Microsoft docs on setting up applications can be found here .
Pre-built Data Sources
This table lists the Microsoft Graph application permissions (app-only / client credentials) needed for the Entra ID data source seeds currently defined in this repo.
These are Graph application permissions, not delegated permissions.
Admin consent is required in Entra ID for app-only access.
If you prefer one broad read permission set for all of the above, Directory.Read.All is commonly used, but the least-privilege approach is to grant only the endpoint-specific permissions listed in the table.
| Data source seed | Graph endpoint(s) used | Recommended app permission(s) |
|---|---|---|
Entra ID users | GET /v1.0/users and chained GET /v1.0/users/{id}/memberOf/microsoft.graph.group | User.Read.All, GroupMember.Read.All |
Entra ID groups | GET /v1.0/groups | Group.Read.All |
Entra ID applications | GET /v1.0/applications | Application.Read.All |
Entra ID service principals | GET /v1.0/servicePrincipals | Application.Read.All |
Entra ID agent identities | GET /v1.0/servicePrincipals?$filter=servicePrincipalType eq 'ManagedIdentity' | Application.Read.All |
Entra ID devices | GET /v1.0/devices | Device.Read.All |
Entra ID directory roles | GET /v1.0/directoryRoles | RoleManagement.Read.Directory |
Entra ID domains | GET /v1.0/domains | Domain.Read.All |