riskyUser resource type
Namespace: microsoft.graph
Represents Azure AD users who are at risk. Azure AD continually evaluates user risk based on various signals and machine learning. This API provides programmatic access to all at-risk users in your Azure AD.
For more information about risk events, see Azure Active Directory Identity Protection.
Note
- Using the riskyUsers API requires an Azure AD Premium P2 license.
- The availability of risky user data is governed by the Azure AD data retention policies.
Methods
| Method | Return type | Description |
|---|---|---|
| List riskyUsers | riskyUser collection | Get a list of the riskyUser objects and their properties. |
| Get riskyUser | riskyUser | Read the properties and relationships of a riskyUser object. |
| Dismiss a riskyUser | None | Dismiss the risk of one or more riskyUser objects. |
| Confirm a riskyUser as compromised | None | Confirm one or more riskyUser objects as compromised. |
| List history | riskyUserHistoryItem collection | Get the riskyUserHistoryItems from the history navigation property. |
| Get history | riskyUserHistoryItem | Read the properties and relationships of a riskyUserHistoryItem object. |
Properties
| Property | Type | Description |
|---|---|---|
| id | String | Unique ID of the user at risk. |
| isDeleted | Boolean | Indicates whether the user is deleted. Possible values are: true, false. |
| isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
| riskDetail | riskDetail | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| riskLastUpdatedDateTime | DateTimeOffset | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| riskLevel | riskLevel | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| riskState | riskState | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| userDisplayName | String | Risky user display name. |
| userPrincipalName | String | Risky user principal name. |
Relationships
| Relationship | Type | Description |
|---|---|---|
| history | riskyUserHistoryItem collection | The activity related to user risk level change |
JSON representation
The following is a JSON representation of the resource.
{
"@odata.type": "#microsoft.graph.riskyUser",
"id": "String (identifier)",
"isDeleted": "Boolean",
"isProcessing": "Boolean",
"riskLastUpdatedDateTime": "String (timestamp)",
"riskLevel": "String",
"riskState": "String",
"riskDetail": "String",
"userDisplayName": "String",
"userPrincipalName": "String"
}
Feedback
Submit and view feedback for