...
The EmpowerID Identity Warehouse is comprised of a large number of tables for storing and maintaining information about each connected resource system and the objects in those systems, including those within the EmpowerID system itself. These tables are differentiated by resource type and have records corresponding to both inventoried and non-inventoried objects alike. For Azure AD, some examples of the former include the Azure_AccountLicense, Azure_GroupLicense, and Azure_ManagedIdentity tables, while examples of the latter include the OrgRole, OrgZone, and Person tables (these tables correspond to unique objects created in EmpowerID). When EmpowerID inventories an account store like Azure AD, it writes all resource objects in those systems—and the important attributes of those objects—to the appropriate table in the Identity Warehouse, adding the attributes of those objects as column values. In this way, user accounts are added to the Account table, account stores are added to the AccountStore table, Office 365 subscriptions are written to the Office365Subscription table, accounts belonging to an Office 365 subscription to the Office365SubscriptionAccount table, and so on.
Terminology
Subscription Definitions
Microsoft has products that once they are licensed for your tenant, are known as subscriptions. Microsoft offers many products and most organizations only license a handful of these products. However, EmpowerID stores a record for all possible and available Microsoft products. EmpowerID call these "subscription definitions" and stores in a table called the "AZGlobalServiceBundle" table. This table that stores the definitions for any product an organization could purchase from Microsoft.
Service Plans
Service plans are the Microsoft products with individual components that users consume. Those products contain one or more service plans, such as Microsoft Teams, Yammer, SharePoint or Exchange. EmpowerID stores a record for all possible service plans that could be part of those Microsoft products that can be bundled together in those Microsoft products or licenses. EmpowerID calls these "Service Definitions" as they define the services or service plans that Microsoft offers to which an organization could subscribe. They are global service bundles are the definitions of any product that Microsoft offers.
Service Definitions are stored in the “AZGlobalService” table of the EmpowerID Identity Warehouse, known as the AZGlobalService Table. This table also stores the relationship between which service plans are included with which service definitions, which allows EmpowerID to have a “Global Service Bundle” definition for all Microsoft products included with each service plan.
Tenant Subscriptions
Tenant subscriptions are when a Microsoft product is licensed for a customer or by a customer in an Azure AD tenant. EmpowerID inventories all tenant subscriptions and their associated license counts, along with the statistics on how many have been assigned versus unassigned, as well as which are available versus disabled. EmpowerID store tenant subscription in a table known as the "AZLocalServiceBundle" table.
License Assignments
Users or groups can be assigned directly in the Azure user interface to one or more subscriptions in your tenant. Now on each of those assignments, these service plans can be enabled or disabled. So, one user could be assigned a subscription directly and have all the features or service plans enabled for that subscription while another user or group could have specific service plans disabled, such as Yammer, preventing them from using those features. EmpowerID inventories all the license assignments from Azure of users and groups to these subscriptions, including the information about which service plans have been enabled or disabled on each of those assignments. We call this information "license assignments." The enabled or disabled status for each user group to a service plan within a license assignment is captured and stored as what is known as a "service assignment." It is the assignment of a service to a user or group for a subscription.
License assignments and service assignments are stored in the EmpowerID table, AZAssigneeLocalServiceBundleService. Assignees are users and groups that can be assigned to things. Local services are the products or subscriptions that have been subscribed to in your tenant and they are bundles of services or service plans. And this table stores the assignment of those users and groups to those products and which service plans are enabled or disabled for that assignment. So EmpowerID has this information--which users and which groups have which products, and which service plans or features are enabled or disabled for each of them.
Inventoried Data
The below image presents a high-level overview of how EmpowerID stores and gathers the inventory data it retrieves when connected to Azure.
...