Azure AD Identity Protection (Preview)

Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment.

This connector is available in the following products and regions:

Service         Class     Regions
Logic Apps      Standard  All Logic Apps regions except the following:
                            - Azure Government regions
                            - Azure China regions
Power Automate  Premium   All Power Automate regions except the following:
                            - US Government (GCC)
                            - US Government (GCC High)
                            - China Cloud operated by 21Vianet
Power Apps      Premium   All Power Apps regions except the following:
                            - US Government (GCC)
                            - US Government (GCC High)
                            - China Cloud operated by 21Vianet
Contact
Name   Microsoft
URL    https://azure.microsoft.com/
Email  azuresentinel@microsoft.com

Connector Metadata
Publisher       Microsoft
Website         https://www.microsoft.com
Privacy policy  https://privacy.microsoft.com/en-us/privacystatement
Categories      Website

This connector uses the riskyUsers, riskDetections, and signIns APIs to discover, investigate, and remediate identity-based risks.

Pre-requisites

Azure AD Identity Protection is a premium feature. You need an Azure AD Premium P1 or P2 license to access the riskDetection API (note: P1 licenses receive limited risk information). The riskyUsers API is available only with an Azure AD Premium P2 license.

API documentation

https://docs.microsoft.com/en-us/graph/api/resources/identityprotectionroot?view=graph-rest-1.0

Throttling Limits

Name                      Calls  Renewal Period
API calls per connection  100    60 seconds

Actions

Action                                Summary
Confirm a risky user as compromised   Confirm a risky user as compromised
Dismiss a risky user                  Dismiss a risky user
Get risk detections                   Get riskDetections
Get risky user                        Get a specific risky user and its properties
Get the risk history of a risky user  Get the risk history

Confirm a risky user as compromised

Confirm a risky user as compromised

Parameters

Name     Key      Required  Type    Description
userIds  userIds            string

Dismiss a risky user

Dismiss a risky user

Parameters

Name     Key      Required  Type    Description
userIds  userIds            string

Get risk detections

Get riskDetections

Parameters

Name                 Key  Required  Type    Description
Get risk detections  Id   True      string  User Id or user Principal Name

Returns

This API provides programmatic access to all risk detections in your Azure AD environment

Get risky user

Get a specific risky user and its properties

Parameters

Name           Key  Required  Type    Description
Get Risk User  Id   True      string  User Id or user Principal Name

Returns

Get risk user result

Get the risk history of a risky user

Get the risk history

Parameters

Name                       Key  Required  Type    Description
Get history risk for user  Id   True      string  User Id or user Principal Name

Returns

Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection

Definitions

Get_Risk_User_Result

Get risk user result

Name                     Path                     Type     Description
@@odata.context          @@odata.context          string
id                       id                       string   Unique ID of the user at risk
isDeleted                isDeleted                boolean  Indicates whether the user is deleted. Possible values are: true, false
isProcessing             isProcessing             boolean  Indicates whether a user's risky state is being processed by the backend
riskLevel                riskLevel                string   Level of the detected risky user
riskState                riskState                string   The state of the detected risky user
riskDetail               riskDetail               string   Details of the detected risk
riskLastUpdatedDateTime  riskLastUpdatedDateTime  string   The date and time that the risky user was last updated
userDisplayName          userDisplayName          string   Risky user display name
userPrincipalName        userPrincipalName        string   Risky user principal name

Get_riskDetection

This API provides programmatic access to all risk detections in your Azure AD environment

Name                 Path                   Type    Description
@@odata.type         @@odata.type           string
id                   id                     string  Unique ID of the risk detection. Inherited from entity
requestId            requestId              string  Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in
correlationId        correlationId          string  Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in
riskEventType        riskEventType          string  The type of risk event detected
riskState            riskState              string  The state of a detected risky user or sign-in
riskLevel            riskLevel              string  Level of the detected risk
riskDetail           riskDetail             string  Details of the detected risk
source               source                 string  Source of the risk detection
detectionTimingType  detectionTimingType    string  Timing of the detected risk (real-time/offline)
activity             activity               string  Indicates the activity type the detected risk is linked to
tokenIssuerType      tokenIssuerType        string  Indicates the type of token issuer for the detected sign-in risk
ipAddress            ipAddress              string  Provides the IP address of the client from where the risk occurred
@@odata.type         location.@@odata.type  string
activityDateTime     activityDateTime       string  Date and time that the risky activity occurred
detectedDateTime     detectedDateTime       string  Date and time that the risk was detected
lastUpdatedDateTime  lastUpdatedDateTime    string  Date and time that the risk detection was last updated
userId               userId                 string  Unique ID of the user
userDisplayName      userDisplayName        string  The display name of the user
userPrincipalName    userPrincipalName      string  The user principal name (UPN) of the user
additionalInfo       additionalInfo         string  Additional information associated with the risk detection in JSON format
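The riskDetection records returned by "Get risk detections" are usually triaged before feeding userIds into "Confirm a risky user as compromised" or "Dismiss a risky user". The following Python is an added example, not code from the connector or from Microsoft: it works over constructed sample records shaped like the Get_riskDetection definition above, keeps only detections whose riskState is still atRisk, takes the worst riskLevel per user, and parses the additionalInfo JSON string defensively (it may be null or malformed). The riskEventType, riskLevel and riskState values used are Microsoft Graph enumerations; the threshold and the additionalInfo layout are assumptions.

```python
import json
from collections import defaultdict

# Ordering for riskLevel values; "hidden" and "none" carry no usable severity
# ("hidden" is what a tenant with limited risk information sees).
RISK_RANK = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample riskDetection records (illustrative, not real tenant data).
SAMPLE_DETECTIONS = [
    {"id": "det-1", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "medium", "riskState": "atRisk",
     "detectionTimingType": "realtime", "ipAddress": "203.0.113.10",
     "additionalInfo": '[{"Key":"userAgent","Value":"Mozilla/5.0"}]'},
    {"id": "det-2", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk",
     "detectionTimingType": "offline", "ipAddress": None, "additionalInfo": None},
    {"id": "det-3", "userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "low", "riskState": "dismissed",
     "detectionTimingType": "realtime", "ipAddress": "198.51.100.7",
     "additionalInfo": "not json"},
]


def parse_additional_info(raw):
    """additionalInfo is a JSON *string*; tolerate null or malformed values."""
    if not raw:
        return []
    try:
        return json.loads(raw)
    except ValueError:
        return []


def triage(detections, confirm_at="high"):
    """Split users into those to confirm as compromised (worst atRisk level at or
    above confirm_at) and those needing analyst review (lower, but still atRisk).
    Returns (sorted list of userIds to confirm, {userId: worst rank} to review)."""
    worst = defaultdict(int)
    for d in detections:
        if d.get("riskState") != "atRisk":
            continue  # dismissed / remediated / confirmedSafe need no action
        worst[d["userId"]] = max(worst[d["userId"]], RISK_RANK.get(d.get("riskLevel"), 0))
    threshold = RISK_RANK[confirm_at]
    confirm = sorted(u for u, r in worst.items() if r >= threshold)
    review = {u: r for u, r in worst.items() if 0 < r < threshold}
    return confirm, review


if __name__ == "__main__":
    print(triage(SAMPLE_DETECTIONS))  # (['u-alice'], {})
```

The confirm list maps directly onto the userIds parameter of the Confirm action; users in the review dict should be looked at with "Get risky user" and "Get the risk history of a risky user" before any state change.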

Get_risk_history

Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection

Name                     Path                     Type    Description
@@odata.type             @@odata.type             string
id                       id                       string  Inherited from entity
isDeleted                isDeleted                string  Inherited from riskyUser
isProcessing             isProcessing             string  Inherited from riskyUser
riskLastUpdatedDateTime  riskLastUpdatedDateTime  string  Inherited from riskyUser
riskLevel                riskLevel                string  Inherited from riskyUser
riskState                riskState                string  Inherited from riskyUser
riskDetail               riskDetail               string  Inherited from riskyUser
userDisplayName          userDisplayName          string  Inherited from riskyUser
userPrincipalName        userPrincipalName        string  Risky user principal name
userId                   userId                   string  The id of the user
initiatedBy              initiatedBy              string  The id of the actor that performed the operation
@@odata.type             activity.@@odata.type    string