Azure AD Identity Protection (Preview)

Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions except: Azure Government regions; Azure China regions |
Power Automate | Premium | All Power Automate regions except: US Government (GCC); US Government (GCC High); China Cloud operated by 21Vianet |
Power Apps | Premium | All Power Apps regions except: US Government (GCC); US Government (GCC High); China Cloud operated by 21Vianet |
Contact | |
---|---|
Name | Microsoft |
URL | https://azure.microsoft.com/ |
Email | azuresentinel@microsoft.com |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://www.microsoft.com |
Privacy policy | https://privacy.microsoft.com/en-us/privacystatement |
Categories | Website |
This connector uses the riskyUsers, riskDetections, and signIns APIs.
Pre-requisites
Azure AD Identity Protection is a premium feature. You need an Azure AD Premium P1 or P2 license to access the riskDetection API (note: P1 licenses receive limited risk information). The riskyUsers API is available only with Azure AD Premium P2 licenses.
API documentation
https://docs.microsoft.com/en-us/graph/api/resources/identityprotectionroot?view=graph-rest-1.0
Creating a connection
The connector supports the following authentication types:
Name | Description | Region |
---|---|---|
Default | Required parameters for creating connection. | All regions |
Default
Applicable: All regions
Required parameters for creating connection.
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
Action | Description |
---|---|
Confirm a risky user as compromised | Confirm a risky user as compromised |
Dismiss a risky user | Dismiss a risky user |
Get risk detections | Get riskDetections |
Get risky user | Get a specific risky user and its properties |
Get the risk history of a risky user | Get the risk history |
Confirm a risky user as compromised
Confirm a risky user as compromised
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
userIds | userIds | | string | |
Dismiss a risky user
Dismiss a risky user
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
userIds | userIds | | string | |
Get risk detections
Get riskDetections
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get risk detections | Id | True | string | User Id or user Principal Name |
Returns
This API provides programmatic access to all risk detections in your Azure AD environment
- Body: Get_riskDetection
Get risky user
Get a specific risky user and its properties
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get Risk User | Id | True | string | User Id or user Principal name |
Returns
Get risk user result
- Body: Get_Risk_User_Result
Get the risk history of a risky user
Get the risk history
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Get history risk for user | Id | True | string | User Id or user Principal Name |
Returns
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
- Body: Get_risk_history
Definitions
Get_Risk_User_Result
Get risk user result
Name | Path | Type | Description |
---|---|---|---|
@@odata.context | @@odata.context | string | |
id | id | string | Unique ID of the user at risk |
isDeleted | isDeleted | boolean | Indicates whether the user is deleted. Possible values are: true, false |
isProcessing | isProcessing | boolean | Indicates whether a user's risky state is being processed by the backend |
riskLevel | riskLevel | string | Level of the detected risky user |
riskState | riskState | string | The date and time that the risky user was last updated |
riskDetail | riskDetail | string | Details of the detected risk |
riskLastUpdatedDateTime | riskLastUpdatedDateTime | string | The date and time that the risky user was last updated. |
userDisplayName | userDisplayName | string | Risky user display name |
userPrincipalName | userPrincipalName | string | Risky user principal name |
Get_riskDetection
This API provides programmatic access to all risk detections in your Azure AD environment
Name | Path | Type | Description |
---|---|---|---|
@@odata.type | @@odata.type | string | |
id | id | string | Unique ID of the risk detection. Inherited from entity |
requestId | requestId | string | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
correlationId | correlationId | string | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
riskEventType | riskEventType | string | The type of risk event detected |
riskState | riskState | string | The state of a detected risky user or sign-in |
riskLevel | riskLevel | string | Level of the detected risk |
riskDetail | riskDetail | string | Details of the detected risk |
source | source | string | Source of the risk detection |
detectionTimingType | detectionTimingType | string | Date and time that the risk was detected |
activity | activity | string | Indicates the activity type the detected risk is linked to |
tokenIssuerType | tokenIssuerType | string | Indicates the type of token issuer for the detected sign-in risk |
ipAddress | ipAddress | string | Provides the IP address of the client from where the risk occurred. |
@@odata.type | location.@@odata.type | string | |
activityDateTime | activityDateTime | string | Date and time that the risky activity occurred |
detectedDateTime | detectedDateTime | string | Date and time that the risk was detected |
lastUpdatedDateTime | lastUpdatedDateTime | string | Date and time that the risk detection was last updated |
userId | userId | string | Unique ID of the user |
userDisplayName | userDisplayName | string | The user principal name (UPN) of the user |
userPrincipalName | userPrincipalName | string | The user principal name (UPN) of the user. |
additionalInfo | additionalInfo | string | Additional information associated with the risk detection in JSON format. |
Get_risk_history
Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection
Name | Path | Type | Description |
---|---|---|---|
@@odata.type | @@odata.type | string | |
id | id | string | Inherited from entity |
isDeleted | isDeleted | string | Inherited from riskyUser |
isProcessing | isProcessing | string | Inherited from riskyUser |
riskLastUpdatedDateTime | riskLastUpdatedDateTime | string | Inherited from riskyUser |
riskLevel | riskLevel | string | Inherited from riskyUser |
riskState | riskState | string | Inherited from riskyUser |
riskDetail | riskDetail | string | Inherited from riskyUser |
userDisplayName | userDisplayName | string | Inherited from riskyUser |
userPrincipalName | userPrincipalName | string | Risky user principal name |
userId | userId | string | The id of the user |
initiatedBy | initiatedBy | string | The id of actor that does the operation |
@@odata.type | activity.@@odata.type | string | |
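As an added example (not code from the connector page or from Microsoft), the following Python triages a batch of records shaped like the Get_riskDetection definition above: it keeps only detections whose riskState is still open, ranks riskLevel, and returns the userIds an analyst should review before deciding between the "Confirm a risky user as compromised" and "Dismiss a risky user" actions. The riskLevel and riskState strings are the Microsoft Graph enum values; the sample records, ids, UPNs and IP addresses are constructed.

```python
from collections import defaultdict

# Ordering of the Graph riskLevel enum values. "hidden" is what a tenant without the
# licence for full risk detail (the P1 case under Pre-requisites) receives, so it is
# treated like an unknown level here rather than a low one.
RISK_LEVEL_RANK = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}

# Only detections whose riskState is still "atRisk" count as open; confirmedSafe,
# remediated, dismissed and confirmedCompromised have already been acted on.
OPEN_STATES = {"atRisk"}


def summarize_by_user(detections):
    """Collapse riskDetection records into one record per userPrincipalName:
    highest open riskLevel, count of open detections, event types and source IPs."""
    summary = defaultdict(lambda: {"userId": None, "maxLevel": "none", "open": 0,
                                   "eventTypes": set(), "ipAddresses": set()})
    for d in detections:
        if d.get("riskState") not in OPEN_STATES:
            continue
        rec = summary[d["userPrincipalName"]]
        rec["userId"] = d["userId"]
        rec["open"] += 1
        rec["eventTypes"].add(d.get("riskEventType", "unknown"))
        if d.get("ipAddress"):
            rec["ipAddresses"].add(d["ipAddress"])
        level = d.get("riskLevel", "none")
        if RISK_LEVEL_RANK.get(level, 0) > RISK_LEVEL_RANK[rec["maxLevel"]]:
            rec["maxLevel"] = level
    return dict(summary)


def users_for_review(detections, min_level="medium"):
    """userIds whose highest open risk meets min_level: the input an analyst needs
    before calling 'Confirm a risky user as compromised' or 'Dismiss a risky user'."""
    threshold = RISK_LEVEL_RANK[min_level]
    return sorted(rec["userId"] for rec in summarize_by_user(detections).values()
                  if RISK_LEVEL_RANK[rec["maxLevel"]] >= threshold)


# Constructed sample shaped like the Get_riskDetection definition; ids, UPNs and IPs are made up.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "riskEventType": "unfamiliarFeatures", "riskState": "atRisk", "riskLevel": "medium",
     "userId": "u-1", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"},
    {"id": "det-2", "riskEventType": "anonymizedIPAddress", "riskState": "atRisk", "riskLevel": "high",
     "userId": "u-1", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.11"},
    {"id": "det-3", "riskEventType": "leakedCredentials", "riskState": "dismissed", "riskLevel": "high",
     "userId": "u-2", "userPrincipalName": "bob@contoso.example", "ipAddress": None},
    {"id": "det-4", "riskEventType": "unfamiliarFeatures", "riskState": "atRisk", "riskLevel": "low",
     "userId": "u-3", "userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.7"},
]
```

With the sample data, only alice (highest open level high) is returned at the default medium threshold; bob's dismissed detection is ignored even though its level is high.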