Use the Azure AD identity protection API (preview)
Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
You can use Microsoft Graph to query the identityRiskEvent resource for each type of risk event detected by Azure AD Identity Protection. These events are available to customers with Azure AD Premium P2. A subset of events is available to customers with Azure AD Premium P1.
- sign-ins from anonymous IP addresses
- sign-ins from malware-infected devices
- impossible travel to atypical locations
- users with leaked credentials
- sign-ins from suspicious IP addresses
- sign-ins from unfamiliar locations
Use the following operations to get these events and associated information: