Azure AD Identity Protection (Preview)
Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions |
| Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet |
| Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet |
| Contact | |
|---|---|
| Name | Microsoft |
| URL | https://azure.microsoft.com/ |
| azuresentinel@microsoft.com |
| Connector Metadata | |
|---|---|
| Publisher | Microsoft |
| Website | https://www.microsoft.com |
| Privacy policy | https://privacy.microsoft.com/en-us/privacystatement |
| Categories | Website |
Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment. This connector will leverage the riskyUsers, riskDetections, and signIns APIs.
Pre-requisites
Azure AD Identity Protection is a premium feature. You need an Azure AD Premium P1 or P2 license to access the riskDetection API (note: P1 licenses receive limited risk information). The riskyUsers API is only available to Azure AD Premium P2 licenses only.
API documentation
https://docs.microsoft.com/en-us/graph/api/resources/identityprotectionroot?view=graph-rest-1.0
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
| Confirm a risky user as compromised |
Confirm a risky user as compromised |
| Dismiss a risky user |
Dismiss a risky user |
| Get risk detections |
Get riskDetections |
| Get risky user |
Get a specific risky user and its properties |
| Get the risk history of a risky user |
Get the risk history |
Confirm a risky user as compromised
Confirm a risky user as compromised
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
userIds
|
userIds | string |
Dismiss a risky user
Dismiss a risky user
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
userIds
|
userIds | string |
Get risk detections
Get riskDetections
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Get risk detections
|
Id | True | string |
User Id or user Principal Name |
Returns
This API provides programmatic access to all risk detections in your Azure AD environment
- Body
- Get_riskDetection
Get risky user
Get a specific risky user and its properties
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Get Risk User
|
Id | True | string |
User Id or user Principal name |
Returns
Get risk user result
- Body
- Get_Risk_User_Result
Get the risk history of a risky user
Get the risk history
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Get history risk for user
|
Id | True | string |
User Id or user Principal Name |
Returns
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
- Body
- Get_risk_history
Definitions
Get_Risk_User_Result
Get risk user result
| Name | Path | Type | Description |
|---|---|---|---|
|
@@odata.context
|
@@odata.context | string | |
|
id
|
id | string |
Unique ID of the user at risk |
|
isDeleted
|
isDeleted | boolean |
Indicates whether the user is deleted. Possible values are: true, false |
|
isProcessing
|
isProcessing | boolean |
Indicates whether a user's risky state is being processed by the backend |
|
riskLevel
|
riskLevel | string |
Level of the detected risky user |
|
riskState
|
riskState | string |
The date and time that the risky user was last updated |
|
riskDetail
|
riskDetail | string |
Details of the detected risk |
|
riskLastUpdatedDateTime
|
riskLastUpdatedDateTime | string |
The date and time that the risky user was last updated. |
|
userDisplayName
|
userDisplayName | string |
Risky user display name |
|
userPrincipalName
|
userPrincipalName | string |
Risky user principal name |
Get_riskDetection
This API provides programmatic access to all risk detections in your Azure AD environment
| Name | Path | Type | Description |
|---|---|---|---|
|
@@odata.type
|
@@odata.type | string | |
|
id
|
id | string |
Unique ID of the risk detection. Inherited from entity |
|
requestId
|
requestId | string |
Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
|
correlationId
|
correlationId | string |
Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
|
riskEventType
|
riskEventType | string |
The type of risk event detected |
|
riskState
|
riskState | string |
The state of a detected risky user or sign-in |
|
riskLevel
|
riskLevel | string |
Level of the detected risk |
|
riskDetail
|
riskDetail | string |
Details of the detected risk |
|
source
|
source | string |
Source of the risk detection |
|
detectionTimingType
|
detectionTimingType | string |
Date and time that the risk was detected |
|
activity
|
activity | string |
Indicates the activity type the detected risk is linked to |
|
tokenIssuerType
|
tokenIssuerType | string |
Indicates the type of token issuer for the detected sign-in risk |
|
ipAddress
|
ipAddress | string |
Provides the IP address of the client from where the risk occurred. |
|
@@odata.type
|
location.@@odata.type | string | |
|
activityDateTime
|
activityDateTime | string |
Date and time that the risky activity occurred |
|
detectedDateTime
|
detectedDateTime | string |
Date and time that the risk was detected |
|
lastUpdatedDateTime
|
lastUpdatedDateTime | string |
Date and time that the risk detection was last updated |
|
userId
|
userId | string |
Unique ID of the user |
|
userDisplayName
|
userDisplayName | string |
The user principal name (UPN) of the user |
|
userPrincipalName
|
userPrincipalName | string |
The user principal name (UPN) of the user. |
|
additionalInfo
|
additionalInfo | string |
Additional information associated with the risk detection in JSON format. |
Get_risk_history
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
| Name | Path | Type | Description |
|---|---|---|---|
|
@@odata.type
|
@@odata.type | string | |
|
id
|
id | string |
Inherited from entity |
|
isDeleted
|
isDeleted | string |
Inherited from riskyUser |
|
isProcessing
|
isProcessing | string |
Inherited from riskyUser |
|
riskLastUpdatedDateTime
|
riskLastUpdatedDateTime | string |
Inherited from riskyUser |
|
riskLevel
|
riskLevel | string |
Inherited from riskyUser |
|
riskState
|
riskState | string |
Inherited from riskyUser |
|
riskDetail
|
riskDetail | string |
Inherited from riskyUser |
|
userDisplayName
|
userDisplayName | string |
Inherited from riskyUser |
|
userPrincipalName
|
userPrincipalName | string |
Risky user principal name |
|
userId
|
userId | string |
The id of the user |
|
initiatedBy
|
initiatedBy | string |
The id of actor that does the operation |
|
@@odata.type
|
activity.@@odata.type | string |