Microsoft 365 (M365) MQL Resource Pack Reference
The Microsoft 365 (M365) resource pack lets you use MQL to query and assess the security of your Microsoft 365 identities and configuration.
Resources included in this pack:
| ID | DESCRIPTION |
|---|---|
| microsoft | Microsoft |
| microsoft.adminConsentRequestPolicy | Policy for enabling or disabling the Microsoft Entra admin consent workflow |
| microsoft.application | Microsoft Entra ID application registration |
| microsoft.application.permission | Microsoft Service Principal Permission |
| microsoft.application.role | Microsoft Entra ID app roles are custom roles to assign permissions to users or apps |
| microsoft.applications | List of Microsoft Entra ID application registrations |
| microsoft.conditionalAccess | Microsoft Entra Conditional Access Policies |
| microsoft.conditionalAccess.authenticationMethodConfiguration | Configuration for a specific authentication method |
| microsoft.conditionalAccess.authenticationMethodsPolicy | The tenant-wide policy that controls which authentication methods are allowed |
| microsoft.conditionalAccess.countryNamedLocation | Microsoft Entra Conditional Access Country named location |
| microsoft.conditionalAccess.ipNamedLocation | Microsoft Entra Conditional Access IP named location |
| microsoft.conditionalAccess.namedLocations | Container for Microsoft Entra Conditional Access Named Locations |
| microsoft.conditionalAccess.policy | A Microsoft Entra Conditional Access policy. Conditional access policies are custom rules that define an access scenario. |
| microsoft.conditionalAccess.policy.conditions | Represents the type of conditions that govern when the policy applies |
| microsoft.conditionalAccess.policy.conditions.applications | Represents the applications and user actions included in and excluded from the conditional access policy |
| microsoft.conditionalAccess.policy.conditions.authenticationFlows | The authentication flows in scope for a Microsoft Entra Conditional Access policy |
| microsoft.conditionalAccess.policy.conditions.clientApplications | Represents client applications (service principals and workload identities) included in and excluded from the policy scope |
| microsoft.conditionalAccess.policy.conditions.locations | Locations included in and excluded from the scope of a Microsoft Entra Conditional Access policy. Locations can be countries and regions or IP addresses. |
| microsoft.conditionalAccess.policy.conditions.platforms | Platforms included in and excluded from the policy scope |
| microsoft.conditionalAccess.policy.conditions.users | Users, groups, and roles included in and excluded from a Microsoft Entra Conditional Access policy scope |
| microsoft.conditionalAccess.policy.grantControls | Represents grant controls that must be fulfilled to pass the policy |
| microsoft.conditionalAccess.policy.grantControls.authenticationStrength | A collection of settings that define specific combinations of authentication methods and metadata |
| microsoft.conditionalAccess.policy.sessionControls | Microsoft Entra Conditional Access Policy Session Controls |
| microsoft.conditionalAccess.policy.sessionControls.applicationEnforcedRestrictions | Session control to enforce application restrictions |
| microsoft.conditionalAccess.policy.sessionControls.cloudAppSecurity | Session control used to enforce cloud app security checks |
| microsoft.conditionalAccess.policy.sessionControls.persistentBrowser | Session control to define whether to persist cookies or not |
| microsoft.conditionalAccess.policy.sessionControls.signInFrequency | Session control to enforce sign-in frequency |
| microsoft.device | Microsoft device |
| microsoft.devicemanagement | Microsoft device management |
| microsoft.devicemanagement.deviceEnrollmentConfiguration | Microsoft Device Enrollment Configuration |
| microsoft.devicemanagement.devicecompliancepolicy | Microsoft device compliance policy |
| microsoft.devicemanagement.deviceconfiguration | Microsoft device configuration |
| microsoft.devicemanagement.manageddevice | Microsoft managed device |
| microsoft.devices | List of Microsoft Entra devices |
| microsoft.domain | Microsoft domain |
| microsoft.domaindnsrecord | Microsoft domain DNS record |
| microsoft.graph.accessReviewReviewerScope | List of reviewers for the admin consent |
| microsoft.group | Microsoft group |
| microsoft.groupLifecyclePolicy | Microsoft group lifecycle policy |
| microsoft.groups | Microsoft groups |
| microsoft.identityAndAccess | A container resource for identity and access policies that can be filtered |
| microsoft.identityAndAccess.identityAndSignIn | Container for identity and sign-in policies |
| microsoft.identityAndAccess.identityAndSignIn.policies | Container for various identity and sign-in policies |
| microsoft.identityAndAccess.identityAndSignIn.policies.identitySecurityDefaultsEnforcementPolicy | Identity security defaults enforcement policy |
| microsoft.identityAndAccess.policy | A PIM role management policy for Microsoft Entra ID roles |
| microsoft.identityAndAccess.policy.rule | A rule defined for a PIM role management policy |
| microsoft.identityAndAccess.policy.ruleTarget | Defines details of the scope that's targeted by role management policy rule |
| microsoft.identityAndAccess.roleEligibilityScheduleInstance | Represents an instance of a role eligibility in PIM |
| microsoft.keyCredential | Microsoft Entra AD Application certificate |
| microsoft.passwordCredential | Microsoft Entra AD Application secrets |
| microsoft.policies | Microsoft policies |
| microsoft.policies.activityBasedTimeoutPolicy | Activity-based timeout policy |
| microsoft.policies.authenticationMethodConfiguration | Configuration for a specific authentication method |
| microsoft.policies.authenticationMethodsPolicy | The tenant-wide policy that controls which authentication methods are allowed |
| microsoft.policies.externalIdentitiesPolicy | Tenant-wide policy that controls whether external users can leave a tenant via self-service controls |
| microsoft.rolemanagement | Deprecated: use microsoft.roles instead |
| microsoft.rolemanagement.roleassignment | Microsoft role assignment |
| microsoft.rolemanagement.roledefinition | Microsoft role definition |
| microsoft.roles | List of Microsoft Entra role definitions with optional filters |
| microsoft.security | Microsoft Security |
| microsoft.security.exchange | Microsoft Security Exchange |
| microsoft.security.exchange.antispam | Microsoft Security Exchange Antispam |
| microsoft.security.exchange.antispam.hostedConnectionFilterPolicy | Microsoft Security Exchange Antispam Hosted Connection Filter Policy |
| microsoft.security.riskyUser | Microsoft Entra users who are at risk |
| microsoft.security.securityscore | Microsoft Secure Score |
| microsoft.serviceprincipal | Microsoft service principal (Enterprise application) |
| microsoft.serviceprincipal.assignment | Microsoft Service Principal Assignment |
| microsoft.tenant | Microsoft Entra tenant |
| microsoft.tenantFormsSettings | Company-wide settings for Microsoft Forms |
| microsoft.tenantSettings | Company-wide configuration for apps and services. |
| microsoft.user | Microsoft Entra ID user |
| microsoft.user.assignedLicense | A single license assigned to a user |
| microsoft.user.auditlog | Microsoft user audit log |
| microsoft.user.authenticationMethods | Microsoft Entra authentication methods |
| microsoft.user.authenticationMethods.userRegistrationDetails | Represents the state of a user's authentication methods, including which methods are registered and capable |
| microsoft.user.authenticationRequirements | Microsoft user authentication method states |
| microsoft.user.identity | Microsoft user identity |
| microsoft.user.licenseDetail | Details of a single license assigned to a user |
| microsoft.user.licenseDetail.servicePlanInfo | Contains information about a service plan associated with a subscribed SKU |
| microsoft.user.signin | Microsoft user sign-in |
| microsoft.users | List of Microsoft Entra users with optional filters |
| ms365.exchangeonline | Microsoft 365 Exchange Online |
| ms365.exchangeonline.exoMailbox | Microsoft 365 Exchange Online Mailbox |
| ms365.exchangeonline.externalSender | Microsoft 365 Exchange Online External Sender |
| ms365.exchangeonline.mailbox | Microsoft 365 Exchange Online Mailbox with Audit Settings |
| ms365.exchangeonline.reportSubmissionPolicy | Report Submission Policy configuration |
| ms365.exchangeonline.securityAndCompliance | Microsoft 365 Exchange Online Security and Compliance |
| ms365.exchangeonline.teamsProtectionPolicy | Teams Protection Policy configuration |
| ms365.exchangeonlineMailboxAuditBypassAssociation | Mailbox Audit Bypass Association configuration |
| ms365.sharepointonline | Microsoft 365 SharePoint Online |
| ms365.sharepointonline.site | Microsoft 365 SharePoint Site |
| ms365.teams | Microsoft 365 Teams |
| ms365.teams.teamsMeetingPolicyConfig | Microsoft 365 Teams meeting policy configuration |
| ms365.teams.teamsMessagingPolicyConfig | Teams meeting policy configuration |
| ms365.teams.tenantFederationConfig | Microsoft 365 Teams tenant federation configuration |