Skip to main content

Azure AD plugin


Usage: ds-load-azuread <command>

AzureAD directory loader

version version information
fetch fetch Azure AD data
transform transform Azure AD data
export-transform export default transform template
exec fetch and transform Azure AD data
verify verify fetcher configuration and credentials

-h, --help Show context-sensitive help.
-c, --config=CONFIG-FLAG Configuration file path
-v, --verbosity=INT Use to increase output verbosity.

Run "ds-load-azuread <command> --help" for more information on a command.


The Azure AD plugin supports the following arguments:

  -a, --tenant=STRING           AzureAD tenant ($AZUREAD_TENANT)
-i, --client-id=STRING AzureAD Client ID ($AZUREAD_CLIENT_ID)
-s, --client-secret=STRING AzureAD Client Secret ($AZUREAD_CLIENT_SECRET)
-r, --refresh-token=STRING AzureAD Refresh Token ($AZUREAD_REFRESH_TOKEN)

To create an Azure AD OAuth application which provides these arguments, please follow the tutorial here.


The Azure AD plugin can retrieve both users and groups, and transform these into directory user objects, identity objects, groups, and relationships between these.

To export the default transform, use:

ds-load azuread export-transform

You can use this as the basis for your own transform, which can be tweaked for a different mapping between Azure AD and directory objects and relations.

To learn about the transformation language, refer to the transform docs.