Namespace: microsoft.graph
Microsoft Entra ID Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their Microsoft Entra organization.
Use the following Microsoft Graph APIs to query user and service principal risks detected by Microsoft Entra ID Protection:
- riskDetection - Query Microsoft Graph for a list of both user and sign-in linked risk detections and associated information about the detection. Risk detections in Microsoft Entra ID Protection include any identified suspicious actions related to user accounts in the directory.
- riskyUsers - Query Microsoft Graph for information about users that Microsoft Entra ID Protection detected as risky. User risk represents the probability that a given identity or account is compromised. These risks are calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
- signIn - Query Microsoft Graph for information about sign-ins with specific properties related to risk state, detail, and level. A sign-in risk represents the probability that an identity owner didn't authorize a given authentication request. These risks can be calculated in real-time or calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
- servicePrincipalRiskDetection - Query Microsoft Graph for a list of service principal risk detections and associated information about the detections. Risk detections in Microsoft Entra ID Protection include any identified suspicious actions related to service principal accounts in the directory.
- riskyServicePrincipals - Query Microsoft Graph for information about service principals that Microsoft Entra ID Protection detected as risky. Service principal risk represents the probability that a given identity or account is compromised. These risks are calculated asynchronously using data and patterns from Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
Apart from manual remediation of risky users and service principals, you can also automatically remediate risks by integrating Identity Protection with Microsoft Entra Conditional Access policies. For more information, see Configure and enable risk policies.
The following are popular requests:
Operation | URL |
---|---|
GET risky users | GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers |
GET risk detections | GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections |
GET a user's risk history | GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/{riskyUserId}/history |
CONFIRM a user as compromised | POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/confirmCompromised |
DISMISS a risky user | POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss |
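
The following sketch is an added example, not code from this page or from Microsoft. It walks the riskyUsers collection across `@odata.nextLink` pages, separates accounts still in the `atRisk` state by risk level, and builds the request for the confirmCompromised or dismiss action from the table above. The sample pages and user ids are constructed, and treating `high` as the escalation threshold is an assumption of this example; token acquisition is out of scope.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identityProtection"

def http_get(url, token):
    """Live transport: GET a Graph URL with a bearer token (unused in the sample run)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_risky_users(get_page):
    """Yield every riskyUser, following @odata.nextLink until no page remains."""
    url = f"{GRAPH}/riskyUsers"
    while url:
        page = get_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def triage(users):
    """Return (high-risk ids, other ids) for accounts still in the atRisk state."""
    at_risk = [u for u in users if u.get("riskState") == "atRisk" and not u.get("isDeleted")]
    high = [u["id"] for u in at_risk if u.get("riskLevel") == "high"]
    other = [u["id"] for u in at_risk if u.get("riskLevel") != "high"]
    return high, other

def action_request(action, user_ids):
    """Build (URL, JSON body) for the confirmCompromised or dismiss POST."""
    if action not in ("confirmCompromised", "dismiss"):
        raise ValueError(f"unsupported action: {action}")
    return f"{GRAPH}/riskyUsers/{action}", {"userIds": list(user_ids)}

# Constructed sample responses (not real tenant data), keyed by request URL.
NEXT = f"{GRAPH}/riskyUsers?$skiptoken=constructed"
SAMPLE_PAGES = {
    f"{GRAPH}/riskyUsers": {"@odata.nextLink": NEXT, "value": [
        {"id": "user-0001", "riskLevel": "high", "riskState": "atRisk", "isDeleted": False},
        {"id": "user-0002", "riskLevel": "medium", "riskState": "atRisk", "isDeleted": False},
    ]},
    NEXT: {"value": [
        {"id": "user-0003", "riskLevel": "high", "riskState": "remediated", "isDeleted": False},
        {"id": "user-0004", "riskLevel": "low", "riskState": "atRisk", "isDeleted": True},
    ]},
}

if __name__ == "__main__":
    high, other = triage(list_risky_users(SAMPLE_PAGES.__getitem__))
    print("high risk, needs analyst decision:", high)
    print("other at-risk accounts:", other)
    print(action_request("confirmCompromised", high))
```

Against a real tenant, pass `lambda url: http_get(url, token)` as `get_page`; the action request is only built here, so an analyst can review the id list before anything is posted.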
Microsoft Entra ID Protection for both users and service principals is a premium feature. You need specific licenses to access the full reports. For more information, see Microsoft Entra ID Protection license requirements.
The availability of risk data is governed by the Microsoft Entra data retention policies.