Azure: Node & Edge Schema
This document describes the graph model built by the Azure connection, which maps cloud identities, groups, service principals, and IAM roles into the SlashID identity graph.
Node Types

| Node Type | Description |
|---|---|
| AzureUser | A cloud user in Azure Active Directory |
| AzureGroup | A security or distribution group in Azure AD |
| AzureRole | A role definition assigned through Azure RBAC |
| AzureServicePrincipal | A service identity for apps and automation in Azure |
| AzureManagedIdentity | A managed identity for Azure services |
| AzureResourceManagerRole | A role used in Azure Resource Manager (ARM) for access control |
| Credential | A login credential (e.g., password, token) tied to an identity |
| Resource | A cloud resource such as a VM or storage account |
| AzureStorageAccount | An Azure Storage account for blob, file, queue, and table storage |
| AzureBlobContainer | A blob container within an Azure Storage account |
Edge Relationships

Membership & Role Edges

| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| IS_MEMBER_OF | AzureUser, AzureGroup | AzureGroup | Membership within Azure groups |
| HAS_MEMBER | AzureGroup | AzureUser, AzureGroup | Reverse of IS_MEMBER_OF |
| HAS_ROLE | AzureUser, AzureServicePrincipal | AzureRole | Indicates that a role is granted to a principal |
| IS_ROLE_OF | AzureRole | AzureUser, AzureGroup | Reverse of HAS_ROLE |
| HAS_CREDENTIAL | AzureUser, AzureServicePrincipal | Credential | A credential belonging to an identity |
| IS_CREDENTIAL_OF | Credential | AzureUser, AzureServicePrincipal | Reverse of HAS_CREDENTIAL |
| IS_ASSIGNED | AzureUser, AzureGroup | AzureRole, Resource | Role/resource assignment |
Ownership & Containment Edges

| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| OWNS | AzureUser, AzureServicePrincipal | Resource | Ownership of a resource |
| IS_OWNED_BY | Resource | AzureUser, AzureServicePrincipal | Reverse of OWNS |
| CONTAINS | AzureGroup, Resource, AzureStorageAccount | Nested members or resources | Structural containment |
| IS_CONTAINED_BY | AzureBlobContainer | AzureStorageAccount | Reverse of CONTAINS |
Effective Permission Edges

These edges represent the effective permissions after evaluating Azure RBAC policies, including role assignments at management group, subscription, resource group, and resource levels.

| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| ALLOWS_ACCESS_TO | AzureUser, AzureServicePrincipal, AzureGroup | Resource | Effective allowed access based on RBAC evaluation |
| IS_ALLOWED_ACCESS_BY | Resource | AzureUser, AzureGroup | Reverse of ALLOWS_ACCESS_TO |
| DENIES_ACCESS_TO | AzureUser, AzureServicePrincipal, AzureGroup | Resource | Explicit deny from NotActions in role definitions |
| IS_DENIED_ACCESS_BY | Resource | AzureUser, AzureGroup | Reverse of DENIES_ACCESS_TO |
| CAN_ACCESS | AzureUser, AzureServicePrincipal, AzureGroup | Resource | Direct access relationship (legacy) |
| CAN_BE_ACCESSED | Resource | AzureUser, AzureGroup | Reverse of CAN_ACCESS |
Effective Permissions

The ALLOWS_ACCESS_TO and DENIES_ACCESS_TO edges are computed by evaluating Azure RBAC policies across the full scope hierarchy:

- Management Group → inherited by all child subscriptions
- Subscription → inherited by all resource groups
- Resource Group → inherited by all resources
- Resource → direct assignment

This ensures that permissions granted at higher levels (like a "Reader" role on a management group) are properly reflected in the graph for all child resources.
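The scope evaluation described above, as an added worked example (this is not SlashID's connector code and does not claim to reproduce its algorithm): role assignments are resolved against the management group → subscription → resource group → resource chain and against IS_MEMBER_OF group membership, producing ALLOWS_ACCESS_TO-style edges, plus DENIES_ACCESS_TO-style edges wherever an applicable role's NotActions lists the action. All scope IDs, role names, principals and resources are constructed sample data; the `Storage Operator` role is a hypothetical custom role, and the `parents` mapping for management-group ancestry is an assumption of this example.

```python
# Added example (not SlashID's code): derive ALLOWS_ACCESS_TO / DENIES_ACCESS_TO
# style edges by evaluating role assignments over the Azure RBAC scope chain
# (management group -> subscription -> resource group -> resource) and over
# IS_MEMBER_OF group membership. All IDs, roles and principals below are
# constructed sample data.
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # Actions: permitted operations, '*' wildcards allowed
    not_actions: tuple = ()  # NotActions: operations subtracted from Actions

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # AzureUser, AzureGroup or AzureServicePrincipal node
    role: str       # RoleDefinition.name
    scope: str      # ARM scope ID the assignment was created at

def scope_chain(resource_id, parents):
    """Scopes whose assignments apply to resource_id, nearest first.
    Resource-group and subscription scopes are prefixes of the ARM ID;
    management-group ancestry comes from `parents` (child scope -> parent)."""
    parts = resource_id.strip("/").split("/")
    chain = [resource_id]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))  # resource group
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        chain.append("/" + "/".join(parts[:2]))  # subscription
    node = chain[-1]
    while node in parents:                       # climb management groups
        node = parents[node]
        chain.append(node)
    return list(dict.fromkeys(chain))            # dedupe, keep order

def principals_for(identity, memberships):
    """The identity plus every group reachable over IS_MEMBER_OF edges."""
    seen, stack = set(), [identity]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(memberships.get(p, ()))
    return seen

def matches(pattern, action):
    """Action strings are case-insensitive and '*' matches any sub-path."""
    return fnmatchcase(action.lower(), pattern.lower())

def effective_edges(identity, action, resources, roles, assignments, memberships, parents):
    """Return (allows, denies) as sets of (identity, resource_id, assignment_scope).
    allows: a role assigned to the identity or one of its groups, at the
            resource or an ancestor scope, has Actions matching `action`
            and no matching NotActions.
    denies: such a role's NotActions explicitly matches `action` (the
            DENIES_ACCESS_TO edge). Azure applies NotActions per role
            definition, so a deny from one role does not cancel an allow
            contributed by another; both edges are kept for the analyst."""
    principals = principals_for(identity, memberships)
    allows, denies = set(), set()
    for rid in resources:
        scopes = {s.lower() for s in scope_chain(rid, parents)}
        for asg in assignments:
            if asg.principal not in principals or asg.scope.lower() not in scopes:
                continue
            role = roles[asg.role]
            if any(matches(p, action) for p in role.not_actions):
                denies.add((identity, rid, asg.scope))
            elif any(matches(p, action) for p in role.actions):
                allows.add((identity, rid, asg.scope))
    return allows, denies

# Constructed sample tenant (not real IDs).
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_DATA = SUB + "/resourceGroups/rg-data"
SA_DATA = RG_DATA + "/providers/Microsoft.Storage/storageAccounts/stdata001"
SA_OTHER = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother001"
PARENTS = {SUB: MG}  # subscription -> management group
ROLES = {
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "Storage Operator": RoleDefinition(  # hypothetical custom role
        "Storage Operator", ("Microsoft.Storage/*",),
        ("Microsoft.Storage/storageAccounts/listKeys/action",)),
}
MEMBERSHIPS = {"alice@example.com": {"grp-platform"}}  # alice IS_MEMBER_OF grp-platform
ASSIGNMENTS = [
    RoleAssignment("grp-platform", "Reader", MG),  # inherited by every subscription under MG
    RoleAssignment("alice@example.com", "Storage Operator", RG_DATA),
]
RESOURCES = [SA_DATA, SA_OTHER]

def alice_edges(action):
    """Edges for the sample user; e.g. a read action yields ALLOWS edges on both
    storage accounts (via the management-group Reader) and a listKeys action
    yields a single DENIES edge from the custom role's NotActions."""
    return effective_edges("alice@example.com", action, RESOURCES, ROLES,
                           ASSIGNMENTS, MEMBERSHIPS, PARENTS)
```

Each returned tuple carries the assignment scope that produced the edge, which is what the `a.scope` property in the query examples below lets an analyst filter on: an edge whose scope is a management group ID was inherited, not granted directly on the resource.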
Examples

```cypher
// Membership and roles
(AzureUser)-[:IS_MEMBER_OF]->(AzureGroup)
(AzureUser)-[:HAS_ROLE]->(AzureRole)
(AzureServicePrincipal)-[:HAS_CREDENTIAL]->(Credential)
(AzureUser)-[:OWNS]->(Resource)

// Effective permissions (recommended for access analysis)
(AzureManagedIdentity)-[:ALLOWS_ACCESS_TO]->(Resource)
(AzureServicePrincipal)-[:ALLOWS_ACCESS_TO]->(AzureStorageAccount)
(AzureUser)-[:DENIES_ACCESS_TO]->(AzureBlobContainer)

// Storage hierarchy
(AzureStorageAccount)-[:CONTAINS]->(AzureBlobContainer)
```
Query Examples

Find all identities with access to storage accounts

```cypher
MATCH (i:Identity)-[:ALLOWS_ACCESS_TO]->(s:Resource)
WHERE s.resource_type = "azure_storage_account"
RETURN i.name, s.name;
```

Find identities with denied access to resources

```cypher
MATCH (i:Identity)-[:DENIES_ACCESS_TO]->(r:Resource)
RETURN i.name AS identity, r.name AS resource, r.resource_type;
```

Analyze effective permissions inherited from a management group

```cypher
MATCH (i:Identity)-[a:ALLOWS_ACCESS_TO]->(r:Resource)
WHERE a.scope STARTS WITH "/providers/Microsoft.Management/managementGroups"
RETURN i.name, r.name, a.scope AS inherited_from;
```