Directory
Active Directory / LDAP / Entra ID lookups. Read-only by default; write actions require the approval workflow.
User search
Free-text search: sAMAccountName, UPN, display name, email. Returns group memberships, last-logon, account state (enabled / locked / password-expired / inactive-90d).
Group search
Group name → nested members, computed transitively. Useful for "who has X permission" audits.
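The transitive expansion behind group search is the part worth getting right: AD groups nest arbitrarily and can form cycles (A contains B, B contains A), so a naive recursive walk never terminates. The following is an added example, not the tool's own code; it uses a constructed in-memory directory (the `grp:` prefix marks nested groups, `CN=` marks users) in place of a real LDAP query and shows both directions an audit needs: "who is effectively in group X" and "which groups does user Y effectively belong to".

```python
from collections import deque

# Constructed sample directory: group -> direct members.
# Names prefixed "grp:" are nested groups, "CN=..." entries are users.
# grp:finance and grp:finance-admins deliberately contain each other (a cycle).
SAMPLE_GROUPS = {
    "grp:finance-admins": ["grp:finance", "CN=alice"],
    "grp:finance": ["CN=bob", "grp:finance-contractors", "grp:finance-admins"],
    "grp:finance-contractors": ["CN=carol"],
    "grp:empty": [],
}


def expand_group(groups, name):
    """Return the set of users who are transitively members of `name`.

    A visited set stops the walk from looping on cyclic nesting. Unknown
    group names (dangling references) yield no members instead of raising,
    so one bad reference does not abort a whole audit run.
    """
    seen_groups = set()
    users = set()
    queue = deque([name])
    while queue:
        group = queue.popleft()
        if group in seen_groups:
            continue
        seen_groups.add(group)
        for member in groups.get(group, []):
            if member.startswith("grp:"):
                queue.append(member)
            else:
                users.add(member)
    return users


def groups_of_user(groups, user):
    """Return every group `user` belongs to, directly or through nesting."""
    # Build the reverse edge map once: member -> groups that list it directly.
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    result = set()
    queue = deque([user])
    while queue:
        node = queue.popleft()
        for parent in parents.get(node, ()):
            if parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


if __name__ == "__main__":
    print(sorted(expand_group(SAMPLE_GROUPS, "grp:finance-admins")))
    print(sorted(groups_of_user(SAMPLE_GROUPS, "CN=carol")))
```

Both walks are breadth-first over the membership graph and each node is visited at most once, so the cost is linear in the number of membership edges regardless of how deeply groups nest.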
Stale-account report
Scheduled job stale-ad-report (weekly) lists accounts inactive > 90 days. Landing zone: Admin → Users → AD drift.
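The account-state flags from user search and the 90-day stale threshold used by stale-ad-report come from a handful of AD attributes, and the edge cases are where reports go wrong: lastLogonTimestamp is a Windows FILETIME (100-nanosecond ticks since 1601-01-01), a value of 0 means the account has never logged on, and pwdLastSet of 0 means the password must be changed at next logon. The following is an added example, not the tool's own code; it classifies constructed sample records against a fixed reference time. The maximum password age is passed in as a parameter because it is domain policy, not a per-account attribute, and the 90-day policy value here is an assumption for the sample.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account disabled
UAC_DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: password never expires
INACTIVE_DAYS = 90


def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME (100 ns ticks since 1601)."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def from_filetime(ft):
    """Inverse of to_filetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def account_states(rec, now, max_pwd_age_days=None):
    """Return the state flags for one AD user record.

    Flags are cumulative (an account can be disabled *and* inactive), so a
    list is returned rather than a single state.
    """
    states = []
    uac = rec.get("userAccountControl", 0)
    states.append("disabled" if uac & UAC_ACCOUNTDISABLE else "enabled")
    # lockoutTime is a FILETIME; any non-zero value means the account is locked.
    if rec.get("lockoutTime", 0):
        states.append("locked")
    pwd_last_set = rec.get("pwdLastSet", 0)
    if not (uac & UAC_DONT_EXPIRE_PASSWORD):
        if pwd_last_set == 0:
            # 0 = "must change password at next logon": treated as expired here.
            states.append("password-expired")
        elif (max_pwd_age_days is not None
              and from_filetime(pwd_last_set) + timedelta(days=max_pwd_age_days) < now):
            states.append("password-expired")
    # Never-logged-on accounts (lastLogonTimestamp == 0) age from whenCreated,
    # so a freshly created account is not reported stale on day one.
    last_logon = rec.get("lastLogonTimestamp", 0)
    reference = from_filetime(last_logon) if last_logon else rec["whenCreated"]
    if now - reference > timedelta(days=INACTIVE_DAYS):
        states.append("inactive-90d")
    return states


def stale_report(records, now):
    """Names of accounts inactive for more than INACTIVE_DAYS, as the weekly job lists them."""
    return sorted(r["sAMAccountName"] for r in records
                  if "inactive-90d" in account_states(r, now))


# Constructed sample data against a fixed reference time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "lockoutTime": 0,
     "pwdLastSet": to_filetime(_days_ago(10)), "lastLogonTimestamp": to_filetime(_days_ago(2)),
     "whenCreated": _days_ago(400)},
    {"sAMAccountName": "bob", "userAccountControl": 0x202, "lockoutTime": 0,
     "pwdLastSet": to_filetime(_days_ago(30)), "lastLogonTimestamp": to_filetime(_days_ago(200)),
     "whenCreated": _days_ago(400)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "lockoutTime": to_filetime(_days_ago(0)),
     "pwdLastSet": to_filetime(_days_ago(30)), "lastLogonTimestamp": to_filetime(_days_ago(1)),
     "whenCreated": _days_ago(400)},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "lockoutTime": 0,
     "pwdLastSet": 0, "lastLogonTimestamp": 0, "whenCreated": _days_ago(365)},
    {"sAMAccountName": "erin", "userAccountControl": 0x200, "lockoutTime": 0,
     "pwdLastSet": to_filetime(_days_ago(120)), "lastLogonTimestamp": to_filetime(_days_ago(5)),
     "whenCreated": _days_ago(400)},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200, "lockoutTime": 0,
     "pwdLastSet": to_filetime(_days_ago(500)), "lastLogonTimestamp": to_filetime(_days_ago(1)),
     "whenCreated": _days_ago(900)},
]

if __name__ == "__main__":
    for rec in SAMPLE_ACCOUNTS:
        print(rec["sAMAccountName"], account_states(rec, NOW, max_pwd_age_days=90))
    print("stale:", stale_report(SAMPLE_ACCOUNTS, NOW))
```

One caveat when reading the output against a live domain: lastLogonTimestamp is only replicated between domain controllers when it is more than about 9 to 14 days out of date, so it can lag the true last logon by up to two weeks. That is well inside a 90-day threshold, but it is the wrong attribute for anything needing day-level precision.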
Gotchas
- Write actions (disable user, reset password, add to group) require a second admin to approve. See Approvals.
- Entra ID uses Microsoft Graph; the permission scope on the app registration must include Directory.Read.All at minimum.