Excel Power Query workbook export¶
Identity Atlas can hand a data analyst a pre-configured Excel workbook that pulls live data from the API via Power Query. A freshly-minted read-only token is embedded in the workbook, so refreshing the data on any machine is a single click — no API credentials to paste, no connections to configure.
Who this is for¶
- Data analysts who want Identity Atlas data in Excel or Power BI without learning the API
- Anyone building ad-hoc reports (access reviews, risk dashboards, compliance reports) against live principal / assignment / resource data
- Teams that want to pipe Identity Atlas into an existing BI stack via the API but without standing up interactive OAuth for their service accounts
What the download contains¶
One .xlsx file with these sheets:
| Sheet | Endpoint | Contents |
|---|---|---|
| README | — | Usage notes |
| Settings | — | BaseUrl + AuthToken pre-populated named-range cells |
| Systems | GET /api/systems |
Connected systems (Entra ID, Omada, CSV-backed, …) |
| Principals | GET /api/users |
Every principalType — users, service principals, MIs, AI agents |
| Resources | GET /api/resources |
Groups, directory roles, app roles and business roles / access packages (the governanceResource flag marks the governance ones) |
| Assignments | GET /api/assignments |
Who has access to what (from ResourceAssignments). The governed flag splits governed-intent rows from actual access |
| Identities | GET /api/identities |
Real-person identities aggregated from multiple accounts |
| IdentityMembers | GET /api/identity-members |
Identity ↔ account links |
| ResourceRelationships | GET /api/resource-relationships |
Parent↔child resource links (Contains, GrantsAccessTo) — incl. which groups each business role Contains |
| GovernanceCatalogs | GET /api/governance-catalogs |
Catalogs that group business roles / access packages |
| AssignmentPolicies | GET /api/assignment-policies |
Rules governing how a business role / access package is granted (auto-add/remove, access-review settings) |
| AssignmentRequests | GET /api/assignment-requests |
Access request / approval workflow rows |
| CertificationDecisions | GET /api/certification-decisions |
Access-review (certification) decisions — approve/deny/dontKnow outcomes |
Between them these tabs carry the full governance (SOLL) layer, so an analyst
can rebuild any matrix the web UI shows — including the governed/non-governed
split and the business-role → group grants — entirely in Excel: join
Assignments to Resources on resourceId, and ResourceRelationships
(relationshipType = "Contains") to Resources on both parentResourceId
(the business role) and childResourceId (the group it grants).
The Principals and Resources tabs auto-expand the extendedAttributes JSONB
column into first-class ext_* columns (ext_userType,
ext_onPremisesSyncEnabled, ext_signInActivity, ext_appId, etc.). Keys
are collected across every row, so sparsely-populated attributes still show
up.
How to use it¶
- Admin → Data → Excel Power Query Workbook.
- Click Generate token & download workbook. A token is created and the workbook is streamed back (a few KB).
- Open the file in Excel.
- For each data tab (Principals, Resources, Assignments, …):
- Go to Data → Get Data → From Other Sources → Blank Query.
- In Power Query Editor: Home → Advanced Editor.
- Copy the M code from cell A6 of that sheet and paste it into the editor. Click Done.
- Rename the query to match the sheet name (e.g.
Principals). - Home → Close & Load To… → Existing worksheet → that sheet, cell A1.
- Back in Excel, Data → Refresh All. Every sheet fills with live data.
One-click refresh coming soon. The current workbook requires the paste-into-Advanced-Editor step per sheet. A follow-up PR ships a hand-built template where the queries auto-load on first open — at that point the flow becomes "download → open → Refresh All".
Rotating or retiring tokens¶
Each download mints a new read token so you have a fresh credential. The Existing tokens table on the same page lists every outstanding token with its prefix, creation date, and last-used timestamp. Click Revoke to invalidate any token immediately — workbooks using that token stop refreshing on their next attempt.
Automatic revocation of idle tokens¶
Tokens that go unused for too long are revoked automatically, so a credential embedded in a workbook that nobody refreshes anymore doesn't linger as live read access. A token counts as "used" whenever a request authenticates with it (every workbook refresh); the clock falls back to the creation date for a token that was never used.
The threshold defaults to 90 days and is controlled by the
READ_TOKEN_IDLE_DAYS key in WorkerConfig. Set it to 0 to disable
idle revocation entirely, or to a different number of days to suit your
policy. The sweep runs shortly after startup and every six hours
thereafter; an idle token is therefore revoked within a few hours of
crossing the threshold. Revoking is not deletion — idle-revoked tokens
still appear in the Existing tokens table (marked revoked) for audit.
How the token is used against the API¶
The workbook's M code reads the token from the AuthToken named range
and sends it on every request:
The token works on every read endpoint (/api/users,
/api/resources, /api/systems, /api/assignments,
/api/identity-members, /api/resource-relationships,
/api/identities, etc.). It does not work on mutating endpoints
(POST/PUT/PATCH/DELETE) nor on any /api/admin/* endpoint — the auth
middleware rejects those with HTTP 403.
That scoping means you can hand the token to a BI stack, a script, or a curl one-liner and the blast radius of a leak is read access only. It is not a substitute for a user's Entra ID sign-in when you need to manage data.
Updating a workbook to point at a different deployment¶
The workbook works against whatever Identity Atlas host generated it. To retarget an existing workbook (e.g. point a locally-authored workbook at a production deployment):
- Open the workbook's Settings sheet.
- Change cell B2 (
BaseUrl) to the new/apibase — e.g.https://identityatlas.example.com/api. - Paste in a new read token you generated on the target deployment in
cell B3 (
AuthToken). - Refresh All. Every query picks up the new values because they all read from the named ranges.
No M code edits needed — you only touch those two cells.
Building your own reports from this¶
The workbook's tabs are just starting points. Once the raw data is loaded as Excel tables, you can:
- Pivot any tab against any other via Power Query's Merge feature
(e.g. Assignments ⨝ Principals on
principalId) - Build pivot tables directly on a loaded sheet
- Use the
ext_*columns as pivot filters for fine-grained slicing (e.g. "Service Principals withext_servicePrincipalType = ManagedIdentity") - Chain into Power BI — same M code, same token pattern, same endpoints
Security notes¶
- Tokens are secrets. The
Settingssheet is not encrypted. If you share the workbook, anyone with the file can read from the API as long as the token is active. Rotate the token after sharing. - Tokens are read-only. They cannot mutate data or reach admin endpoints — but they CAN list every principal, resource, and assignment. Treat that with the same discretion as a database dump.
- Revoke proactively. When someone leaves the team, or when a
workbook is superseded, revoke the token from Admin → Data. The
token's
lastUsedAttimestamp helps you tell active from stale. - Per-user tokens. Click Create token only… to mint named tokens that don't get bundled into a workbook, useful for scripts or BI connectors. The Admin → Data list shows which person/integration owns each one.
Related¶
- Authoring the polished XLSX template — for the maintainer wiring up the one-click-refresh template
- API reference — the endpoints your Power Query code hits