Supported Entra ID object attributes

Each Entra ID object (user, group, administrative unit, role, service principal, and app registration) has a set of attributes (properties such as name or description) that we protect. Below, you'll find a list of these attributes.

You can view these attributes directly within the platform using the metadata previewer. To access this, hover over the object and select ••• > Object metadata. For more info, see: Preview and compare Entra ID metadata

Entra ID policies have settings that we back up, but due to the complexity and variability of the metadata they contain, we do not list them here, nor do we display them in the metadata preview. Instead, this information is available in JSON format, which can be viewed in the platform.

In addition to attributes and settings, we also back up relationships and other related items of Entra ID objects and policies. For a complete overview of the Entra ID objects, policies, and other entities we back up, please see: Entra ID backup coverage

Supported Object Attributes

User 

Attribute Description
accountEnabled Defines if account is enabled or not.
ageGroup Age group of the user: minor, notAdult, adult
businessPhones The telephone numbers for the user.
city The city in which the user is located.
companyName The company name with which the user is associated.
consentProvidedForMinor Sets whether consent has been obtained for minors: granted, denied, notRequired
country The country/region in which the user is located.
createdDateTime The date the user object was created.
creationType If the user account was created as a local account for an Entra ID B2C tenant, the value is LocalAccount or nameCoexistence
deletedDateTime For some Entra ID objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
department The name for the department in which the user works.
displayName The display name for the user.
employeeHireDate The date and time when the user was hired or will start work in case of a future hire.
employeeId The employee identifier assigned to the user by the organization.
employeeOrgData Represents organization data (e.g. division and costCenter) associated with a user.
employeeType Captures enterprise worker type (e.g. Contractor, Consultant, Employee)
externalUserState For an external user invited to the tenant this property represents the invited user's invitation status.
externalUserStateChangeDateTime Shows the timestamp for the latest change to the invitation status (externalUserState) property.
faxNumber The fax number of the user.
givenName The given name (first name) of the user.
identities Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account.
jobTitle The user's job title.
lastPasswordChangeDateTime The date the user last changed their password.
mail The SMTP address for the user.
mailNickname  The mail alias for the user.
mobilephone The primary cellular telephone number for the user.
officeLocation The office location in the user's place of business.
onPremisesImmutableId This property is used to associate an on-premises user account to their Entra ID user object.
onPremisesProvisioningErrors Errors when using a Microsoft synchronization product during provisioning.
otherMails A list of additional email addresses for the user
passwordPolicies Specifies password policies for the user.
postalCode The postal code for the user's postal address.
preferredDataLocation The preferred data location for the user.
preferredLanguage The preferred language for the user.
showInAddressList If the Outlook global address list should contain this user.
state The state or province in the user's address.
streetAddress The street address of the user's place of business.
surname The user's surname (family name or last name).
usageLocation A two-letter country code (ISO standard 3166). Required for users that will be assigned licenses, due to a legal requirement to check for availability of services in countries.
userPrincipalName  The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains.
userType A string value that can be used to classify user types in your directory, such as "Member" and "Guest."


Group

Attribute Description
classification Describes a classification for the group (such as low, medium or high business impact).
deletedDateTime For some Entra ID objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
description An optional description for the group.
groupTypes Specifies the group type and its membership.
deducedGroupType Keepit's property which helps us to deduce the exact type of the group based on several properties (mailEnabled, securityEnabled, groupTypes).
mailEnabled Specifies whether the group is mail-enabled.
mailNickname The mail alias for the group, unique in the organization. Maximum length is 64 characters. 
mail The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com".
membershipRule The rule that determines members for this group if the group is a dynamic group.
membershipRuleProcessingState Indicates whether the dynamic membership processing is on or paused.
preferredDataLocation The preferred data location for the group.
preferredLanguage The preferred language for a Microsoft 365 group.
resourceBehaviorOptions Specifies the group behaviors that can be set for a Microsoft 365 group during creation.
resourceProvisioningOptions Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation.
securityEnabled Specifies whether the group is a security group.
securityIdentifier Security identifier of the group, used in Windows scenarios.
theme Specifies a Microsoft 365 group's color theme.
visibility Specifies the group join policy and group content visibility for groups.
isAssignableToRole Indicates whether this group can be assigned to an Entra ID role or not.

Administrative Unit

Attribute Description
description An optional description for the administrative unit.
visibility Controls whether the administrative unit and its members are hidden or public.

Role 

Attribute Description
description Role description.
isBuiltIn Flag indicating if the role is part of the default set included with the product or custom.
isEnabled Flag indicating if the role is enabled for assignment.
rolePermissions List of permissions included in the role.
templateId Custom template identifier that can be set when isBuiltIn is false.
version Indicates version of the role.
visibility Controls whether the role is hidden or public.

Service Principal

Attribute Description
accountEnabled true if the service principal account is enabled; otherwise, false. If set to false, then no users will be able to sign in to this app, even if they are assigned to it.
addIns Defines custom behavior that a consuming service can use to call an app in specific contexts. 
displayName The display name for the service principal.
alternativeNames Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appDescription The description exposed by the associated application.
appDisplayName The display name exposed by the associated application.
appId The unique identifier for the associated application (its appId property).
applicationTemplateId Unique identifier of the applicationTemplate that the servicePrincipal was created from.
appOwnerOrganizationId Contains the tenant id where the application is registered.
appRoleAssignmentRequired Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
appRoles The roles exposed by the application which this service principal represents.
deletedDateTime The date and time the service principal was deleted.
description Free text field to provide an internal end-user facing description of the service principal.
disabledByMicrosoftStatus Specifies whether Microsoft has disabled the registered application.
homepage Home page or landing page of the application.
info Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs.
keyCredentials The collection of key credentials associated with the service principal.
loginUrl Specifies the URL where the service provider redirects the user to Entra ID to authenticate.
logoutUrl Specifies the URL that will be used by Microsoft's authorization service to log out a user using OpenID Connect front-channel, back-channel or SAML logout protocols.
notes Free text field to capture information about the service principal, typically used for operational purposes. 
notificationEmailAddresses Specifies the list of email addresses where Entra ID sends a notification when the active certificate is near the expiration date.
oauth2PermissionScopes The delegated permissions exposed by the application.
passwordCredentials The collection of password credentials associated with the application.
preferredSingleSignOnMode Specifies the single sign-on mode configured for this application. Entra ID uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Entra ID My Apps.
replyUrls The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.
resourceSpecificApplicationPermissions The resource-specific application permissions exposed by this application.
samlSingleSignOnSettings The collection for settings related to SAML single sign-on.
servicePrincipalNames Contains the list of identifiersUris, copied over from the associated application.
servicePrincipalType Identifies whether the service principal represents an application, a managed identity, or a legacy application.
signInAudience Specifies the Microsoft accounts that are supported for the current application.
tokenEncryptionKeyId Specifies the keyId of a public key from the keyCredentials collection.
tags Custom strings that can be used to categorize and identify the service principal.
verifiedPublisher Specifies the verified publisher of the application which this service principal represents.

App Registration

Attribute Description
addIns Defines custom behavior that a consuming service can use to call an app in specific contexts. 
displayName The display name for the application.
api Specifies settings for an application that implements a web API.
applicationTemplateId Unique identifier of the applicationTemplate.
appRoles The collection of roles defined for the application.
certification Specifies the certification status of the application.
createdDateTime The date and time the application was registered.
deletedDateTime The date and time the application was deleted.
description Free text field to provide a description of the application object to end users.
disabledByMicrosoftStatus Specifies whether Microsoft has disabled the registered application.
groupMembershipClaims Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects.
identifierUris Also known as App ID URI, this value is set when an application is used as a resource app.
info Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs.
isDeviceOnlyAuthSupported Specifies whether this application supports device authentication without a user.
isFallbackPublicClient Specifies the fallback application type as public client, such as an installed application running on a mobile device.
keyCredentials The collection of key credentials associated with the application.
notes Notes relevant for the management of the application.
oauth2RequiredPostResponse Specifies whether, as part of OAuth 2.0 token requests, Entra ID allows POST requests, as opposed to GET requests.
optionalClaims Application developers can configure optional claims in their Entra ID applications to specify the claims that are sent to their application by the Microsoft security token service.
parentalControlSettings Specifies parental control settings for an application.
passwordCredentials The collection of password credentials associated with the application. Not nullable.
publicClient Specifies settings for installed clients such as desktop or mobile devices.
publisherDomain The verified publisher domain for the application.
requiredResourceAccess Specifies the resources that the application needs to access.
samlMetadataUrl The URL where the service exposes SAML metadata for federation.
serviceManagementReference References application or service contact information from a Service or Asset Management database.
signInAudience Specifies the Microsoft accounts that are supported for the current application.
spa Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens.
tags Custom strings that can be used to categorize and identify the application.
tokenEncryptionKeyId Specifies the keyId of a public key from the keyCredentials collection.
verifiedPublisher Specifies the verified publisher of the application.
web Specifies settings for a web application.