
Microsoft Entra Audit User Memberships

Version 1.0.0

Find a user by UPN, read its profile, and list its group memberships.


Provider: microsoft-entra

Workflows

audit-user-memberships
Resolve a user by UPN, get the user, then list memberOf.
Finds a user by userPrincipalName, fetches the user object, and enumerates its direct memberships for an access review.
3 steps. Inputs: accessToken, userPrincipalName. Outputs: displayName, memberships, userId.

1. findUser (operationId: listUsers): Filter the users collection on userPrincipalName to resolve the user's object id.
2. getUser (operationId: getUser): Retrieve the full user object for the audit record.
3. listMemberships (operationId: listUserMemberOf): List the groups, directory roles, and administrative units the user is a direct member of.

Source API Descriptions

graphIdentityApi (openapi): ../openapi/microsoft-entra-graph-identity-openapi.yml
Arazzo Workflow Specification

microsoft-entra-audit-user-memberships-workflow.yml
arazzo: 1.0.1
info:
  title: Microsoft Entra Audit User Memberships
  summary: Find a user by UPN, read its profile, and list its group memberships.
  description: >-
    Produces an access audit snapshot for a user in Microsoft Entra ID. The
    user is located by filtering the users collection on userPrincipalName, the
    full user object is retrieved by id, and the user's memberOf relationship is
    listed to enumerate the groups, directory roles, and administrative units
    the user belongs to. Every request is inlined so the chain reads end to end.
  version: 1.0.0
sourceDescriptions:
- name: graphIdentityApi
  url: ../openapi/microsoft-entra-graph-identity-openapi.yml
  type: openapi
workflows:
- workflowId: audit-user-memberships
  summary: Resolve a user by UPN, get the user, then list memberOf.
  description: >-
    Finds a user by userPrincipalName, fetches the user object, and enumerates
    its direct memberships for an access review.
  inputs:
    type: object
    required:
    - accessToken
    - userPrincipalName
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer token with User.Read.All and Directory.Read.All.
      userPrincipalName:
        type: string
        description: UPN of the user to audit (e.g. [email protected]).
  steps:
  - stepId: findUser
    description: >-
      Filter the users collection on userPrincipalName to resolve the user's
      object id.
    operationId: listUsers
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: $filter
      in: query
      value: "userPrincipalName eq '$inputs.userPrincipalName'"
    - name: $top
      in: query
      value: 1
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      matchedUserId: $response.body#/value/0/id
    onSuccess:
    - name: userFound
      type: goto
      stepId: getUser
      criteria:
      - context: $response.body
        # JSONPath filter: true when the filtered users collection is non-empty
        condition: $[?length(@.value) > 0]
        type: jsonpath
  - stepId: getUser
    description: Retrieve the full user object for the audit record.
    operationId: getUser
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: user-id
      in: path
      value: $steps.findUser.outputs.matchedUserId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      displayName: $response.body#/displayName
      accountEnabled: $response.body#/accountEnabled
  - stepId: listMemberships
    description: >-
      List the groups, directory roles, and administrative units the user is a
      direct member of.
    operationId: listUserMemberOf
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: user-id
      in: path
      value: $steps.findUser.outputs.matchedUserId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      memberships: $response.body#/value
  outputs:
    userId: $steps.findUser.outputs.matchedUserId
    displayName: $steps.getUser.outputs.displayName
    memberships: $steps.listMemberships.outputs.memberships
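The three-step chain above, written out as plain Python so the handling a reviewer cares about is visible. This is an added example, not the page's spec or Microsoft's code. It assumes the real Microsoft Graph v1.0 paths /users, /users/{id} and /users/{id}/memberOf; the `fetch` callable, the `UserNotFound` class and the sample user, group and role data are this example's own constructions. Beyond the spec it does three things a practitioner would want: it doubles single quotes in the UPN before embedding it in the OData $filter so a malformed input cannot change the filter's meaning, it stops when findUser returns an empty `value` (the case the spec's jsonpath criterion checks) instead of calling getUser with a blank id, and it follows @odata.nextLink on memberOf so the audit snapshot is the complete membership list rather than only the first page the spec's `$response.body#/value` captures.

```python
"""Added example (not the page's or Microsoft's code): the audit-user-memberships
chain from the Arazzo spec above, run as plain Python against Microsoft Graph.

Assumptions: Microsoft Graph v1.0 paths /users, /users/{id} and
/users/{id}/memberOf (real Graph endpoints); the `fetch` callable,
`UserNotFound` and the sample data are this example's own.
"""
from __future__ import annotations

import json
from typing import Any, Callable
from urllib.parse import parse_qs, quote, urlencode, urlparse
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str, str], dict[str, Any]]


class UserNotFound(LookupError):
    """Raised when the findUser step returns an empty `value` array."""


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter: embedded single quotes are doubled.

    Without this, a UPN containing a quote would terminate the literal and the
    rest of the input would be parsed as part of the filter expression."""
    return "'" + value.replace("'", "''") + "'"


def build_find_user_url(upn: str) -> str:
    """Step findUser: GET /users?$filter=userPrincipalName eq '<upn>'&$top=1."""
    params = {"$filter": f"userPrincipalName eq {odata_literal(upn)}", "$top": "1"}
    return f"{GRAPH}/users?{urlencode(params, quote_via=quote)}"


def graph_get(url: str, token: str) -> dict[str, Any]:
    """Real transport: one authenticated GET returning the parsed JSON body."""
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:   # raises HTTPError on a non-2xx status
        return json.load(resp)


def audit_user_memberships(upn: str, token: str, fetch: Fetch = graph_get) -> dict[str, Any]:
    """Run the three workflow steps and return the spec's declared outputs."""
    # Step 1 (findUser): resolve the object id; stop if nothing matched, which
    # is the case the spec's jsonpath criterion on `value` guards against.
    matches = fetch(build_find_user_url(upn), token).get("value", [])
    if not matches:
        raise UserNotFound(upn)
    user_id = matches[0]["id"]
    encoded_id = quote(user_id, safe="")

    # Step 2 (getUser): the full user object for the audit record.
    user = fetch(f"{GRAPH}/users/{encoded_id}", token)

    # Step 3 (listMemberships): memberOf is paged; follow @odata.nextLink so
    # the snapshot is complete, not just the first page.
    memberships: list[dict[str, Any]] = []
    url: str | None = f"{GRAPH}/users/{encoded_id}/memberOf"
    while url:
        body = fetch(url, token)
        memberships.extend(body.get("value", []))
        url = body.get("@odata.nextLink")

    return {
        "userId": user_id,
        "displayName": user.get("displayName"),
        "accountEnabled": user.get("accountEnabled"),
        "memberships": [
            {"type": m.get("@odata.type"), "id": m.get("id"),
             "displayName": m.get("displayName")}
            for m in memberships
        ],
    }


# --- constructed offline stand-in for Graph, so the chain runs without a tenant ---
SAMPLE_USER_ID = "00000000-0000-0000-0000-000000000001"   # constructed object id
SAMPLE_UPN = "alice@contoso.example"                      # constructed UPN


def sample_fetch(url: str, token: str) -> dict[str, Any]:
    """Answers the three requests with constructed bodies; memberOf spans two pages."""
    if token != "test-token":
        raise PermissionError("constructed stand-in expects the 'test-token' bearer")
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if parts.path == "/v1.0/users":
        if query.get("$filter") == [f"userPrincipalName eq '{SAMPLE_UPN}'"]:
            return {"value": [{"id": SAMPLE_USER_ID, "userPrincipalName": SAMPLE_UPN}]}
        return {"value": []}
    if parts.path == f"/v1.0/users/{SAMPLE_USER_ID}":
        return {"id": SAMPLE_USER_ID, "displayName": "Alice Example", "accountEnabled": True}
    if parts.path == f"/v1.0/users/{SAMPLE_USER_ID}/memberOf":
        if query.get("$skiptoken") == ["page2"]:
            return {"value": [{"@odata.type": "#microsoft.graph.directoryRole",
                               "id": "role-1", "displayName": "Global Reader"}]}
        return {"value": [{"@odata.type": "#microsoft.graph.group",
                           "id": "group-1", "displayName": "Finance"}],
                "@odata.nextLink": f"{GRAPH}/users/{SAMPLE_USER_ID}/memberOf?$skiptoken=page2"}
    raise ValueError(f"unexpected request in sample: {url}")


if __name__ == "__main__":
    print(json.dumps(audit_user_memberships(SAMPLE_UPN, "test-token", fetch=sample_fetch), indent=2))
```

Running the file prints the audit snapshot built from the constructed responses; replacing `fetch=sample_fetch` with the default `graph_get` and supplying a real bearer token with User.Read.All and Directory.Read.All runs the same chain against a tenant. The `@odata.type` field is kept on each membership because memberOf mixes groups, directory roles and administrative units in one collection, and an access review needs to tell them apart.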