GraphGroup

Represents Entra ID groups collected from Microsoft Graph.

Labels: :GraphObject:GraphGroup

Properties:

id - Group object ID (primary key)
displayName - Group display name
groupTypes - Array of group types (e.g., ["DynamicMembership", "Unified"])
membershipRule - Membership rule for dynamic groups
membershipRuleProcessingState - State of membership rule processing
mailNickname - Mail nickname for the group
onPremisesDomainName - On-premises domain name
onPremisesLastSyncDateTime - Last synchronization with on-premises
onPremisesNetBiosName - On-premises NetBIOS name
onPremisesSamAccountName - On-premises SAM account name
onPremisesSecurityIdentifier - On-premises security identifier
onPremisesSyncEnabled - Whether on-premises sync is enabled
organizationId - Organization ID
securityEnabled - Whether security is enabled for the group
visibility - Group visibility (Public, Private, etc.)
writebackConfigurationEnabled - Whether writeback is enabled
writebackConfigurationGroupType - Group type for writeback

Relationships

Incoming

GraphObject → MEMBER_OF → GraphGroup - Members of the group
GraphObject → OWNS → GraphGroup - Owners of the group

Outgoing

GraphGroup → MEMBER_OF → GraphObject - Groups this group is a member of

Examples

// Find all security-enabled groups
MATCH (g:GraphGroup)
WHERE g.securityEnabled = true
RETURN g.displayName, g.groupTypes, g.visibility

// Find dynamic membership groups
MATCH (g:GraphGroup)
WHERE g.membershipRule IS NOT NULL
RETURN g.displayName, g.membershipRule, g.membershipRuleProcessingState

// Find group owners and members
MATCH (owner:GraphObject)-[:OWNS]->(g:GraphGroup)<-[:MEMBER_OF]-(member:GraphObject)
RETURN g.displayName, collect(DISTINCT owner.displayName) AS owners, collect(DISTINCT member.displayName) AS members