Default Microsoft Entra ID Attribute Mapping

When a Microsoft Entra ID context table is onboarded, it processes a predetermined set of user attributes that are collected from a Microsoft Entra ID service. This set of attributes is mapped to a set of Exabeam target attributes that are compliant with a common user information model. This model defines a standardized user object for security content across Exabeam products.

The table below lists the predetermined set of source Microsoft Entra ID attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

* (asterisk) – Indicates attributes that are selected for display by default when onboarding a Microsoft Entra ID context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon ().
(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

Note

If you are using Microsoft Entra ID integrated with Active Directory, see the separate Integration table for attributes that are available only for that integration.

Microsoft Entra ID Source Attribute	Exabeam Target Attribute	Example	Description
accountEnabled	Access Status (Calculated)	`AccountActive`	Indicates the status of the user's account. Calculated by mapping the status of a user account to one of the following Exabeam status values: AccountActive = accountEnabled is `True` AccountDisabled = accountEnabled is `False`
mailNickName	Alias	`jim.smith`	An email alias that represents a user in a Microsoft Exchange organization.
city	City Name	`Philadelphia`	Country or region where the user is located.
givenName + surname	Common Name (Calculated)	`Jim Smith`	Common name attached to the user object. Calculated based on the attributes: `givenName` and `surname`, concatenated with a space character. If `givenName` and `surname` values are not available, the attribute defaults to the `displayName` value.
country	Country	`US`	Country or region where the user is located.
department	Department*	`Engineering`	Name of the department in which the user works.
displayName	Display Name*	`Jim Smith`	The name displayed in the address book for a user. This attribute is usually represented by a combination of first name, middle initial, and last name.
proxyAddresses, mail	Email Addresses (Calculated)	Example in the UI: `[email protected]: [email protected]: [email protected]` Example in the Public API: `[“[email protected]", "[email protected]", "[email protected]"]` The above examples are based on a concatenated list from the `proxyAddress` and `email` attribute values listed below. Note which values were extracted and which were not. Attribute Values: `proxyAddress` Values: SMTP:[email protected] smtp: [email protected] isp:[email protected] `mail` Value: [email protected]	A string value that lists email addresses associated with a user. Calculated by extracting values from the `proxyAddress` and `mail` attributes associated with a user. Note From `proxyAddress` attributes, only the values starting with `smtp` are considered (regardless of case). In the UI, the resulting list is concatenated using colons (:). It is a calculated field and not modifiable.
employeeId	Employee ID	`ISED0003`	Code that identifies an employee of a business.
employeeType	Employee Type*	`Staff-US`	An employment category for an employee.
givenName	First Name	`Jim`	The given first name of an employee.
displayName	Full Name	`James Smith`	The printable display name for a user. This attribute is usually represented by a combination of first name, middle initial, and last name.
memberOf	Group Name (Calculated)	`Developers:Administrators`	Groups to which a user belongs (not including the user's primary group). Calculated based on parsed JSON extracted from the `Display Name` attribute.
id	ID (Primary Key)	`9f8ab381-4e80-4b55-b004- 249dbbf950f8`	The unique identifier for a user object. This field is the key attribute and cannot be remapped.
surname	Last Name	`Smith`	The user's surname (family name or last name).
mobilePhone	Mobile Number	`+1 415 555 1212`	The mobile phone number for a user.
securityIdentifier	Object Sid (Calculated)	`S-1-5-21-819955361-1664132107- 1760188083-368909`	A unique security identifier for an object. Calculated based on the `securityIdentifier` attribute. If integrated with Active Directory, this attribute maps to `onPremisesSecurityIdentifier`.
businessPhones	Phone Number	`+1 415 555 1212`	The primary work phone number for a user.
userPrincipalName	Primary Login* (Email Format) (Calculated)	`[email protected]`	An email-formatted identifier for a user, based on standard RFC 822. Calculated based on the `userPrincipalName` attribute If integrated with Active Directory, this attribute maps to `onPremisesUserPrincipalName`.
userPrincipalName	Primary User Name (Calculated)	`jim.smith`	A primary user name, commonly used for login purposes. (Does not include the domain.) Calculated based on the `userPrincipalName` attribute. If integrated with Active Directory, this attribute maps to `onPremisesSamAccountName`.
jobTitle	Title*	`Developer FE II`	A user's formal job title (not an occupation category).

* Attribute is selected for display by default.

Attributes for Microsoft Entra ID Integrated with Active Directory

The following table shows attributes that are available only if your Microsoft Entra ID is integrated with Active Directory. For more information, see Integrate on-premises AD with Azure in the Azure Product Documentation.

Microsoft Entra ID Source Attribute	Exabeam Target Attribute	Example	Description
onPremisesDistinguishedName	Distinguished Name	`CN=AA_02,OU=I-NGC, OU=Workstations,DC=ad, DC=acmecorp,DC=com`	The name that uniquely identifies a user object, in an organization structure, within the Active Directory. For a glossary of terms, see the Microsoft Documentation Reference.
onPremisesDistinguishedName	Domain FQDN (Calculated)	`ad.acmecorp.com`	A fully qualified domain name. Calculated by extracting a list of DC values from the `Distinguished Name` attribute. The list is concatenated using periods (.) between values. This is a calculated field that cannot be mapped to a different source attribute.
onPremisesSecurityIdentifier	Object Sid (Calculated)	`S-1-5-21-819955361-1664132107- 1760188083-368909`	A unique security identifier for an object. Calculated based on a binary value that specifies a unique security identifier for an object.
onPremisesDistinguishedName	Organizational Unit (Calculated)	`I-NGC:Workstations`	Organizations to which a user belongs. Calculated by extracting a list of OU values from the DN attribute. Concatenated with colons (:). This is a calculated field that cannot be mapped to a different source attribute.
onPremisesUserPrincipalName	Primary Login* (Email Format)	`[email protected]`	An email-formatted identifier for a user, based on standard RFC 822. Calculated by mapping to the maps to `onPremisesUserPrincipalName` attribute.
onPremisesSamAccountName	Primary User Name	`jim.smith`	A primary user name, commonly used for login purposes. (Does not include the domain.) Calculated by mapping to the `onPremisesSamAccountName`.

Context ManagementContext Management Administration Guide

Table of ContentsTable of Contents