Microsoft 365 (MS365) MQL Resource Pack Reference
The Microsoft 365 (MS365) resource pack lets you use MQL to query and assess the security of your Microsoft 365 identities and configuration.
Resources included in this pack:
| ID | DESCRIPTION |
|---|---|
| microsoft | Microsoft |
| microsoft.application | Microsoft Entra ID application registration |
| microsoft.application.permission | Microsoft Service Principal Permission |
| microsoft.application.role | Microsoft Entra ID app roles are custom roles to assign permissions to users or apps |
| microsoft.applications | List of Microsoft Entra ID application registrations |
| microsoft.conditionalAccess | Microsoft Conditional Access Policies |
| microsoft.conditionalAccess.countryNamedLocation | Microsoft Conditional Access Country named location |
| microsoft.conditionalAccess.ipNamedLocation | Microsoft Conditional Access IP named location |
| microsoft.conditionalAccess.namedLocations | Container for Microsoft Conditional Access Named Locations |
| microsoft.conditionalAccess.policy | Represents a Microsoft Entra Conditional Access policy. Conditional access policies are custom rules that define an access scenario. |
| microsoft.conditionalAccess.policy.conditions | Represents the type of conditions that govern when the policy applies. |
| microsoft.conditionalAccess.policy.conditions.applications | Represents the applications and user actions included in and excluded from the conditional access policy. |
| microsoft.conditionalAccess.policy.conditions.authenticationFlows | Represents the authentication flows in scope for the policy. |
| microsoft.conditionalAccess.policy.conditions.clientApplications | Represents client applications (service principals and workload identities) included in and excluded from the policy scope. |
| microsoft.conditionalAccess.policy.conditions.locations | Represents locations included in and excluded from the scope of a conditional access policy. Locations can be countries and regions or IP addresses. |
| microsoft.conditionalAccess.policy.conditions.platforms | Platforms included in and excluded from the policy scope. |
| microsoft.conditionalAccess.policy.conditions.users | Represents users, groups, and roles included in and excluded from the policy scope. |
| microsoft.conditionalAccess.policy.grantControls | Represents grant controls that must be fulfilled to pass the policy. |
| microsoft.conditionalAccess.policy.grantControls.authenticationStrength | A collection of settings that define specific combinations of authentication methods and metadata. |
| microsoft.conditionalAccess.policy.sessionControls | Microsoft Conditional Access Policy Session Controls |
| microsoft.conditionalAccess.policy.sessionControls.applicationEnforcedRestrictions | Session control to enforce application restrictions. |
| microsoft.conditionalAccess.policy.sessionControls.cloudAppSecurity | Session control used to enforce cloud app security checks. |
| microsoft.conditionalAccess.policy.sessionControls.persistentBrowser | Session control to define whether to persist cookies or not. |
| microsoft.conditionalAccess.policy.sessionControls.signInFrequency | Session control to enforce sign-in frequency. |
| microsoft.device | Microsoft device |
| microsoft.devicemanagement | Microsoft device management |
| microsoft.devicemanagement.devicecompliancepolicy | Microsoft device compliance policy |
| microsoft.devicemanagement.deviceconfiguration | Microsoft device configuration |
| microsoft.devices | List of Microsoft Entra devices |
| microsoft.domain | Microsoft domain |
| microsoft.domaindnsrecord | Microsoft domain DNS record |
| microsoft.group | Microsoft group |
| microsoft.groups | Microsoft groups |
| microsoft.keyCredential | Microsoft Entra AD Application certificate |
| microsoft.passwordCredential | Microsoft Entra AD Application secrets |
| microsoft.policies | Microsoft policies |
| microsoft.rolemanagement | Deprecated: use microsoft.roles instead |
| microsoft.rolemanagement.roleassignment | Microsoft role assignment |
| microsoft.rolemanagement.roledefinition | Microsoft role definition |
| microsoft.roles | List of Microsoft Entra role definitions with optional filters |
| microsoft.security | Microsoft Security |
| microsoft.security.riskyUser | Microsoft Entra users who are at risk |
| microsoft.security.securityscore | Microsoft Secure Score |
| microsoft.serviceprincipal | Microsoft service principal (Enterprise application) |
| microsoft.serviceprincipal.assignment | Microsoft Service Principal Assignment |
| microsoft.tenant | Microsoft Entra tenant |
| microsoft.user | Microsoft Entra ID user |
| microsoft.user.assignedLicense | A single license assigned to a user |
| microsoft.user.auditlog | Microsoft user audit log |
| microsoft.user.authenticationMethods | Microsoft Entra authentication methods |
| microsoft.user.identity | Microsoft user identity |
| microsoft.user.signin | Microsoft user sign-in |
| microsoft.users | List of Microsoft Entra users with optional filters |
| ms365.exchangeonline | Microsoft 365 Exchange Online |
| ms365.exchangeonline.exoMailbox | Microsoft 365 Exchange Online Mailbox |
| ms365.exchangeonline.externalSender | Microsoft 365 Exchange Online External Sender |
| ms365.exchangeonline.reportSubmissionPolicy | Report Submission Policy configuration |
| ms365.exchangeonline.teamsProtectionPolicy | Teams Protection Policy configuration |
| ms365.sharepointonline | Microsoft 365 SharePoint Online |
| ms365.sharepointonline.site | Microsoft 365 SharePoint Site |
| ms365.teams | Microsoft 365 Teams |
| ms365.teams.teamsMeetingPolicyConfig | Microsoft 365 Teams meeting policy configuration |
| ms365.teams.teamsMessagingPolicyConfig | Teams meeting policy configuration |
| ms365.teams.tenantFederationConfig | Microsoft 365 Teams tenant federation configuration |