Account Attributes
accountEnabled
True if the user is enabled; otherwise, false.
assignedLicenses
List of the licenses that are assigned to the user.
assignedPlans
Plans that are assigned to the user (Entitlement).
city
City in which the user is located.
country
Country/region in which the user is located.
department
Name for the department the user belongs to.
dirSyncEnabled
Indicates whether this user was synced from the on-premises directory.
disabledPlans
Plans that are not assigned to the user.
displayName
Name displayed in the address book for the user.
employeeId
Numerically identifies an employee within an organization.
facsimileTelephoneNumber
Telephone number of the user's business fax machine.
givenName
First name of an user.
groups
Groups assigned to an user (Entitlement).
servicePrincipals
Enterprise Applications assigned to a user.
Note
The existing servicePrincipals attribute has been renamed to a new entitlement attribute named appRoleAssignments (along with an associated new entitlement schema. For more information, refer to appRoleAssignments. To continue to manage Service Principals as a group object, the schema from Service Principal and the respective account attribute needs to be present in your configuration.
immutableId
Property used to associate an on-premises Active Directory user account to their Microsoft Entra ID user account.
jobTitle
User’s job title.
lastDirSyncTime
Indicates the last time at which the user was synchronized with the on-premises directory.
signInActivity.lastNonInteractiveSignInDateTime
Indicates the last time a user signed in to the directory with an non-interactive authentication method.
The timestamp represents date and time information always in UTC. For example, midnight UTC on Jan 1, 2022 is 2022-01-01T00:00:00Z.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
signInActivity.lastNonInteractiveSignInRequestId
Indicates the request identifier of the last non-interactive sign-in performed by this user.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
signInActivity.lastSignInDateTime
Indicates the last time a user signed in to the directory with an interactive authentication method.
The timestamp represents date and time information always in UTC. For example, midnight UTC on Jan 1, 2022 is 2022-01-01T00:00:00Z.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
signInActivity.lastSignInRequestId
Indicates the request identifier of the last interactive sign-in performed by this user.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
signInActivity.lastSuccessfulSignInDateTime
Indicates the date and time of the user's most recent successful sign-in activity.
The timestamp type represents date and time information always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
signInActivity.lastSuccessfulSignInRequestId
Indicates the request identifier of the last successful sign-in activity.
Note
This attribute is not present by default and must be added explicitly to the account schema if required.
mail
The SMTP address for the user. For example, john@contoso.onmicrosoft.com
mailNickname
Mail alias for the user.
signInNames
Specifies the collection of sign-in names for a local account in an Azure Active Directory B2C tenant.
userIdentities
Specifies the collection of userIdentities for a social user account in an Azure Active Directory B2C tenant.
creationType
Indicates whether the user account is a local account for an Azure Active Directory B2C tenant.
manager
Manager of the user. (Type: String).
The Microsoft Entra ID connector provides support for provisioning the manager attribute. For more information, refer to Support for Provisioning Operations of manager Attribute.
mobile
Primary cellular telephone number for the user.
objectId
Unique identifier for the user.
This is an Account ID which must not be changed.
onPremisesSecurityIdentifier
Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
otherMails
A list of additional email addresses for the user.
passwordPolicies
Specifies password policies for the user.
physicalDeliveryOfficeName
Office location in the user's place of business.
postalCode
ZIP OR postal code for the user's postal address.
preferredLanguage
Preferred written or spoken language for a person.
proxyAddresses
Proxy addresses.
For example, ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]
roles
Administrator Role assigned to user (Entitlement).
sipProxyAddress
Specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the user.
state
State or province in the user's address.
streetAddress
Street address of the user's place of business.
surname
Last name of the user.
telephoneNumber
Primary telephone number of the user's place of business.
usageLocation
A two letter country code indicating usage location.
userPrincipalName
User principal name (UPN) of the user.
userType
Type of the user.
channels
List of channel membership of a user.
Type: Entitlement, Multi-Valued
azureRoleAssignments*
Azure Role Assignments assigned to user (Only applicable for SailPoint CIEM).
appRoleAssignments
Lists the associated application roles for the Account. This is a multi-valued, entitlement, and managed attribute.
Type: applicationRole, Multi-Valued
Risky User Alert Supported Attributes
riskLevel
Level of the detected risky user.
riskState
State of the user's risk.
riskDetail
Details of the detected risk.
riskLastUpdatedDateTime
The date and time that the risky user was last updated.