riskyUser resource type

Namespace: microsoft.graph

Represents Microsoft Entra users who are at risk. Microsoft Entra ID continually evaluates user risk based on various signals and machine learning. This API provides programmatic access to all at-risk users in your Microsoft Entra ID.

For more information about risk events, see Microsoft Entra ID Protection.


  1. Using the riskyUsers API requires a Microsoft Entra ID P2 license.
  2. The availability of risky user data is governed by the Microsoft Entra data retention policies.


| Method | Return type | Description |
|---|---|---|
| List riskyUsers | riskyUser collection | Get a list of the riskyUser objects and their properties. |
| Get riskyUser | riskyUser | Read the properties and relationships of a riskyUser object. |
| Dismiss a riskyUser | None | Dismiss the risk of one or more riskyUser objects. |
| Confirm a riskyUser as compromised | None | Confirm one or more riskyUser objects as compromised. |
| List history | riskyUserHistoryItem collection | Get the riskyUserHistoryItems from the history navigation property. |
| Get history | riskyUserHistoryItem | Read the properties and relationships of a riskyUserHistoryItem object. |


| Property | Type | Description |
|---|---|---|
| id | String | Unique ID of the user at risk. |
| isDeleted | Boolean | Indicates whether the user is deleted. Possible values are: true, false. |
| isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. Supports $filter (eq). |
| riskDetail | riskDetail | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| riskLastUpdatedDateTime | DateTimeOffset | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, gt, lt). |
| riskLevel | riskLevel | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). |
| riskState | riskState | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq). |
| userDisplayName | String | Risky user display name. |
| userPrincipalName | String | Risky user principal name. |


| Relationship | Type | Description |
|---|---|---|
| history | riskyUserHistoryItem collection | The activity related to user risk level change. |

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.riskyUser",
  "id": "String (identifier)",
  "isDeleted": "Boolean",
  "isProcessing": "Boolean",
  "riskLastUpdatedDateTime": "String (timestamp)",
  "riskLevel": "String",
  "riskState": "String",
  "riskDetail": "String",
  "userDisplayName": "String",
  "userPrincipalName": "String"
}
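
The following added example (not part of the original reference or of any Microsoft SDK) shows one way a SOC script might triage records shaped like the resource above. The triage policy, the helper names and the sample records are assumptions made for illustration: unrankable values (hidden, unknownFutureValue) and users still being processed go to manual review rather than being dropped.

```python
from datetime import datetime, timezone

LEVEL_RANK = {"high": 3, "medium": 2, "low": 1, "none": 0}
OPEN_STATES = {"atRisk", "confirmedCompromised"}
CLOSED_STATES = {"none", "confirmedSafe", "remediated", "dismissed"}

def parse_ts(value):
    """Parse a Graph UTC timestamp; fractional seconds may exceed 6 digits."""
    head, _, frac = value.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def triage(users, since):
    """Return (UPNs to act on, highest risk first; ids needing manual review)."""
    act, review = [], []
    for u in users:
        level, state = u.get("riskLevel"), u.get("riskState")
        if level not in LEVEL_RANK or state not in OPEN_STATES | CLOSED_STATES:
            review.append(u["id"])  # hidden, unknownFutureValue or unexpected value
        elif u.get("isDeleted") or state in CLOSED_STATES:
            continue                # nothing left to remediate
        elif parse_ts(u["riskLastUpdatedDateTime"]) < since:
            continue                # outside the triage window
        elif u.get("isProcessing"):
            review.append(u["id"])  # backend still computing state: re-query later
        else:
            act.append(u)
    act.sort(key=lambda u: (LEVEL_RANK[u["riskLevel"]],
                            parse_ts(u["riskLastUpdatedDateTime"])), reverse=True)
    return [u["userPrincipalName"] for u in act], review

def _user(uid, level, state, ts, deleted=False, processing=False):
    # Builds one constructed riskyUser record using the property names on this page.
    return {"id": uid, "userPrincipalName": f"{uid}@example.com", "riskLevel": level,
            "riskState": state, "riskLastUpdatedDateTime": ts,
            "isDeleted": deleted, "isProcessing": processing}

SAMPLE = [  # constructed data, not from a real tenant
    _user("alice", "high", "atRisk", "2024-03-10T08:15:00.1234567Z"),
    _user("bob", "medium", "confirmedCompromised", "2024-03-12T10:00:00Z"),
    _user("carol", "high", "remediated", "2024-03-11T09:00:00Z"),
    _user("dave", "high", "atRisk", "2024-03-11T09:00:00Z", deleted=True),
    _user("erin", "unknownFutureValue", "atRisk", "2024-03-11T09:00:00Z"),
    _user("frank", "high", "atRisk", "2024-03-13T09:00:00Z", processing=True),
    _user("grace", "low", "atRisk", "2023-12-01T00:00:00Z"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2024, 1, 1, tzinfo=timezone.utc)))
```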