Azure AD Identity Protection
Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Contact | |
---|---|
Name | Microsoft |
URL | https://azure.microsoft.com/ |
Email | azuresentinel@microsoft.com |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://www.microsoft.com |
Privacy policy | https://privacy.microsoft.com/en-us/privacystatement |
Categories | Website |
Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment. This connector will leverage the riskyUsers, riskDetections, and signIns APIs.
Pre-requisites
Microsoft Entra ID Protection is a premium feature. You need a Microsoft Entra ID P1 or P2 license to access the riskDetection API (note: P1 licenses receive limited risk information). The riskyUsers API is available only with Microsoft Entra ID P2 licenses.
API documentation
https://docs.microsoft.com/en-us/graph/api/resources/identityprotectionroot?view=graph-rest-1.0
Creating a connection
The connector supports the following authentication types:
Name | Description | Applicable regions | Shareable |
---|---|---|---|
Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
Action | Description |
---|---|
Confirm a risky user as compromised | Confirm a risky user as compromised |
Dismiss a risky user | Dismiss a risky user |
Get risk detections | Get riskDetections |
Get risky user | Get a specific risky user and its properties |
Get the risk history of a risky user | Get the risk history |
Confirm a risky user as compromised
Confirm a risky user as compromised
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
userIds | userIds | | array of string | |
Dismiss a risky user
Dismiss a risky user
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
userIds | userIds | | array of string | |
Get risk detections
Get riskDetections
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get risk detections | Id | True | string | User Id or user Principal Name |
Returns
This API provides programmatic access to all risk detections in your Azure AD environment
- Body
- Get_riskDetection
Get risky user
Get a specific risky user and its properties
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get Risk User | Id | True | string | User Id or user Principal Name |
Returns
Get risk user result
- Body
- Get_Risk_User_Result
Get the risk history of a risky user
Get the risk history
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get history risk for user | Id | True | string | User Id or user Principal Name |
Returns
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
- Body
- Get_risk_history
Definitions
Get_Risk_User_Result
Get risk user result
Name | Path | Type | Description |
---|---|---|---|
@@odata.context | @@odata.context | string | |
id | id | string | Unique ID of the user at risk |
isDeleted | isDeleted | boolean | Indicates whether the user is deleted. Possible values are: true, false |
isProcessing | isProcessing | boolean | Indicates whether a user's risky state is being processed by the backend |
riskLevel | riskLevel | string | Level of the detected risky user |
riskState | riskState | string | The state of the detected risky user |
riskDetail | riskDetail | string | Details of the detected risk |
riskLastUpdatedDateTime | riskLastUpdatedDateTime | string | The date and time that the risky user was last updated. |
userDisplayName | userDisplayName | string | Risky user display name |
userPrincipalName | userPrincipalName | string | Risky user principal name |
Get_riskDetection
This API provides programmatic access to all risk detections in your Azure AD environment
Name | Path | Type | Description |
---|---|---|---|
@@odata.type | @@odata.type | string | |
id | id | string | Unique ID of the risk detection. Inherited from entity |
requestId | requestId | string | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
correlationId | correlationId | string | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
riskEventType | riskEventType | string | The type of risk event detected |
riskState | riskState | string | The state of a detected risky user or sign-in |
riskLevel | riskLevel | string | Level of the detected risk |
riskDetail | riskDetail | string | Details of the detected risk |
source | source | string | Source of the risk detection |
detectionTimingType | detectionTimingType | string | Date and time that the risk was detected |
activity | activity | string | Indicates the activity type the detected risk is linked to |
tokenIssuerType | tokenIssuerType | string | Indicates the type of token issuer for the detected sign-in risk |
ipAddress | ipAddress | string | Provides the IP address of the client from where the risk occurred. |
@@odata.type | location.@@odata.type | string | |
activityDateTime | activityDateTime | string | Date and time that the risky activity occurred |
detectedDateTime | detectedDateTime | string | Date and time that the risk was detected |
lastUpdatedDateTime | lastUpdatedDateTime | string | Date and time that the risk detection was last updated |
userId | userId | string | Unique ID of the user |
userDisplayName | userDisplayName | string | The display name of the user |
userPrincipalName | userPrincipalName | string | The user principal name (UPN) of the user. |
additionalInfo | additionalInfo | string | Additional information associated with the risk detection in JSON format. |
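The riskDetection records above are returned with a null requestId when a detection is not tied to a sign-in, and with additionalInfo as a JSON string embedded inside the record. The following added example (not part of the connector documentation or Microsoft's code) shows how a consumer of this output can decode those fields defensively and reduce a batch of detections to the array of userIds the "Confirm a risky user as compromised" action expects; the sample records, the riskLevel ordering and the key/value layout of additionalInfo are constructed assumptions.

```python
import json

# Constructed ordering for the riskLevel strings the schema returns (unknown values sort lowest).
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample records in the shape of the Get_riskDetection definition
# (only the fields this example reads; ids, UPNs and values are made up).
SAMPLE_DETECTIONS = [
    {"id": "det-1", "requestId": "req-1", "riskEventType": "anonymizedIPAddress",
     "riskState": "atRisk", "riskLevel": "high", "userId": "user-a",
     "userPrincipalName": "alice@example.com",
     "additionalInfo": '[{"Key":"userAgent","Value":"Mozilla/5.0"}]'},
    {"id": "det-2", "requestId": None, "riskEventType": "leakedCredentials",
     "riskState": "atRisk", "riskLevel": "medium", "userId": "user-b",
     "userPrincipalName": "bob@example.com", "additionalInfo": None},
    {"id": "det-3", "requestId": "req-3", "riskEventType": "unfamiliarFeatures",
     "riskState": "remediated", "riskLevel": "low", "userId": "user-a",
     "userPrincipalName": "alice@example.com", "additionalInfo": "not json"},
]


def parse_additional_info(raw):
    """additionalInfo is a JSON *string* inside the JSON record, so it needs a second decode.
    Assumes the constructed [{"Key": ..., "Value": ...}] layout; returns {} when absent or malformed."""
    if not raw:
        return {}
    try:
        items = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return {i["Key"]: i.get("Value") for i in items if isinstance(i, dict) and "Key" in i}


def users_to_confirm(detections, min_level="high"):
    """Sorted userIds with at least one open (atRisk) detection at or above min_level,
    i.e. the array-of-string input the 'Confirm a risky user as compromised' action takes."""
    worst = {}
    for d in detections:
        if d.get("riskState") != "atRisk":
            continue  # remediated/dismissed/confirmed detections need no further action
        level = RISK_ORDER.get(d.get("riskLevel"), 0)
        worst[d["userId"]] = max(worst.get(d["userId"], 0), level)
    return sorted(u for u, lvl in worst.items() if lvl >= RISK_ORDER[min_level])


def triage_rows(detections):
    """One flat row per detection; from_sign_in is False when requestId is null (offline detection)."""
    return [{"id": d["id"], "user": d["userPrincipalName"], "type": d["riskEventType"],
             "level": d["riskLevel"], "state": d["riskState"],
             "from_sign_in": d.get("requestId") is not None,
             "user_agent": parse_additional_info(d.get("additionalInfo")).get("userAgent")}
            for d in detections]
```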
Get_risk_history
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
Name | Path | Type | Description |
---|---|---|---|
@@odata.type | @@odata.type | string | |
id | id | string | Inherited from entity |
isDeleted | isDeleted | string | Inherited from riskyUser |
isProcessing | isProcessing | string | Inherited from riskyUser |
riskLastUpdatedDateTime | riskLastUpdatedDateTime | string | Inherited from riskyUser |
riskLevel | riskLevel | string | Inherited from riskyUser |
riskState | riskState | string | Inherited from riskyUser |
riskDetail | riskDetail | string | Inherited from riskyUser |
userDisplayName | userDisplayName | string | Inherited from riskyUser |
userPrincipalName | userPrincipalName | string | Risky user principal name |
userId | userId | string | The id of the user |
initiatedBy | initiatedBy | string | The id of the actor that performed the operation |
@@odata.type | activity.@@odata.type | string | |