Queries for the AADRiskyUsers table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

High risk users

Gets list of the top 100 at high risk users for the last day.

AADRiskyUsers
| where RiskLastUpdatedDateTime > ago(1d)
| where RiskLevel == "high"
| where RiskState == "atRisk"
| take 100