riskDetection resource type
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents information about a detected risk in a Microsoft Entra tenant.
Microsoft Entra ID Protection continually evaluates user risks and app or user sign-in risks based on various signals and machine learning. This API provides programmatic access to all risk detections in your Microsoft Entra environment.
For more information about risk detection, see Microsoft Entra ID Protection and What are risk detections?
Note
The availability of risk detection data is governed by the Microsoft Entra data retention policies.
Methods
| Method | Return Type | Description |
|---|---|---|
| List | riskDetection collection | List risk detections and their properties. |
| Get | riskDetection | Get a specific risky detection and its properties. |
Properties
| Property | Type | Description |
|---|---|---|
| activity | activityType | Indicates the activity type the detected risk is linked to. The possible values are signin, user, unknownFutureValue. |
| activityDateTime | DateTimeOffset | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| additionalInfo | string | Additional information associated with the risk detection in JSON format. |
| correlationId | string | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| detectedDateTime | DateTimeOffset | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| detectionTimingType | riskDetectionTimingType | Timing of the detected risk (real-time/offline). The possible values are notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
| id | string | Unique ID of the risk detection. |
| ipAddress | string | Provides the IP address of the client from where the risk occurred. |
| lastUpdatedDateTime | DateTimeOffset | Date and time that the risk detection was last updated. |
| location | signInLocation | Location of the sign-in. |
| requestId | string | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| riskEventType | String | The type of risk event detected. The possible values are adminConfirmedUserCompromised, anomalousUserActivity, anonymizedIPAddress,attackerinTheMiddle,attemptedPRTAccess, generic, investigationsThreatIntelligence, investigationsThreatIntelligenceSigninLinked,leakedCredentials, maliciousIPAddress, maliciousIPAddressValidCredentialsBlockedIP, malwareInfectedIPAddress, mcasImpossibleTravel,mcasFinSuspiciousFileAccess, mcasSuspiciousInboxManipulationRules,nationStateIP, suspiciousAPITraffic, suspiciousIPAddress,suspiciousSendingPatterns, unfamiliarFeatures, unlikelyTravel, userReportedSuspiciousActivity. For more information about each value, see Risk types and detection. |
| riskDetail | riskDetail | Details of the detected risk. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection. Note that you must use the Prefer: include - unknown -enum-members request header to get the following value(s) in this evolvable enum: adminConfirmedServicePrincipalCompromised , adminDismissedAllRiskForServicePrincipal , m365DAdminDismissedDetection. Note: Details for this property are only available for Microsoft Entra ID P2 customers. P1 customers will be returned hidden. |
| riskLevel | riskLevel | Level of the detected risk. The possible values are low, medium, high, hidden, none, unknownFutureValue. Note: Details for this property are only available for Microsoft Entra ID P2 customers. P1 customers will be returned hidden. |
| riskState | riskState | The state of a detected risky user or sign-in. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue. |
| source | string | Source of the risk detection. For example, activeDirectory. |
| tokenIssuerType | tokenIssuerType | Indicates the type of token issuer for the detected sign-in risk. The possible values are AzureAD, ADFederationServices, and unknownFutureValue. |
| userId | string | Unique ID of the user. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| userDisplayName | string | Name of the user. |
| userPrincipalName | string | The user principal name (UPN) of the user. |
| riskType (deprecated) | riskEventType | List of risk event types. Note: This property is deprecated. Use riskEventType instead. |
JSON representation
The following JSON representation shows the resource type.
{
"id": "string",
"requestId": "string",
"correlationId": "string",
"riskType": {"@odata.type": "microsoft.graph.riskEventType"},
"riskState": {"@odata.type": "microsoft.graph.riskState"},
"riskLevel": {"@odata.type": "microsoft.graph.riskLevel"},
"riskDetail": {"@odata.type": "microsoft.graph.riskDetail"},
"source": "string",
"detectionTimingType": {"@odata.type": "microsoft.graph.riskDetectionTimingType"},
"activity": {"@odata.type": "microsoft.graph.riskUserActivity"},
"tokenIssuerType": {"@odata.type": "microsoft.graph.tokenIssuerType"},
"ipAddress": "string",
"location": {"@odata.type": "microsoft.graph.signInLocation"},
"activityDateTime": "string (timestamp)",
"detectedDateTime": "string (timestamp)",
"lastUpdatedDateTime": "string (timestamp)",
"userId": "string",
"userDisplayName": "string",
"userPrincipalName": "string",
"additionalInfo": "string"
}