identityProtectionRoot resource type

Namespace: microsoft.graph

Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment. You can use the following Microsoft Graph APIs to query risks detected by Identity Protection:

  • riskDetection - Query Microsoft Graph for a list of both user and sign-in linked risk detections and associated information about the detection. Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts in the directory.

  • riskyUsers - Query Microsoft Graph for information about users that Identity Protection detected as risky. User risk represents the probability that a given identity or account is compromised. These risks are calculated offline using Microsoft’s internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

  • signIn - Query Microsoft Graph for information about Azure AD sign-ins with specific properties related to risk state, detail, and level. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. These risks can be calculated in real-time or calculated offline using Microsoft’s internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

What can I do with Identity Protection APIs in Microsoft Graph?

The following are popular requests for working with Identity Protection risk data:

Operation                        URL
GET risky users                  GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers
GET risk detections              GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections
GET a user's risk history        GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/{riskyUserId}/history
CONFIRM a user as compromised    POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/confirmCompromised
DISMISS a risky user             POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss
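The requests above are usually chained in a triage script: filter riskyUsers to the high-risk, still-at-risk population, follow @odata.nextLink until the collection is exhausted, pick the accounts an analyst has confirmed, and POST their ids to confirmCompromised (or dismiss). The Python below is an added example, not code from the Microsoft Graph documentation. The bearer token and the two sample response pages are assumptions (the pages are constructed, not captured from a tenant); the property names (riskLevel, riskState, isProcessing, riskLastUpdatedDateTime), the $filter support for them, and the {"userIds": [...]} body of the two POST actions are as documented for the v1.0 riskyUser resource.

```python
"""Page through risky users from the Identity Protection API and build the
bulk confirmCompromised / dismiss request.  Added example, not Microsoft's
own code; the token acquisition and the sample response pages are assumed."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


def risky_users_url(risk_level: str = "high", risk_state: str = "atRisk",
                    top: int = 50) -> str:
    """riskLevel and riskState are filterable riskyUser properties; $top caps
    the page size so large tenants are paged rather than returned at once."""
    flt = f"riskLevel eq '{risk_level}' and riskState eq '{risk_state}'"
    return (f"{GRAPH}/identityProtection/riskyUsers"
            f"?$filter={urllib.parse.quote(flt)}&$top={top}")


def graph_fetcher(token: str) -> Callable[[str], dict]:
    """Return a fetch(url) that GETs Graph with a bearer token (assumed to
    carry IdentityRiskyUser.Read.All or ReadWrite.All).  Not used offline."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_risky_users(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Follow @odata.nextLink until the server stops returning one."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def select_for_confirmation(users: List[dict], updated_since: str) -> List[str]:
    """Keep ids still atRisk, not mid-recalculation, and refreshed after the
    cutoff (ISO 8601 UTC strings of equal format compare correctly as text)."""
    return [u["id"] for u in users
            if u.get("riskState") == "atRisk"
            and not u.get("isProcessing", False)
            and u.get("riskLastUpdatedDateTime", "") >= updated_since]


def bulk_action_request(action: str, user_ids: List[str]) -> Tuple[str, str]:
    """URL and JSON body for POST riskyUsers/confirmCompromised or /dismiss.
    Both take {"userIds": [...]} and answer 204 No Content."""
    if action not in ("confirmCompromised", "dismiss"):
        raise ValueError(f"unsupported action: {action}")
    return (f"{GRAPH}/identityProtection/riskyUsers/{action}",
            json.dumps({"userIds": user_ids}))


# ---- constructed sample responses (not captured from a real tenant) ----
NEXT_LINK = f"{GRAPH}/identityProtection/riskyUsers?$skiptoken=constructed"
SAMPLE_PAGES: Dict[str, dict] = {
    risky_users_url(): {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001",
             "userPrincipalName": "alice@contoso.example",
             "riskLevel": "high", "riskState": "atRisk",
             "isProcessing": False,
             "riskLastUpdatedDateTime": "2024-03-02T10:15:00Z"},
            {"id": "00000000-0000-0000-0000-000000000002",
             "userPrincipalName": "bob@contoso.example",
             "riskLevel": "high", "riskState": "atRisk",
             "isProcessing": True,          # score being recalculated: skip
             "riskLastUpdatedDateTime": "2024-03-02T11:00:00Z"},
        ],
        "@odata.nextLink": NEXT_LINK,
    },
    NEXT_LINK: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003",
             "userPrincipalName": "carol@contoso.example",
             "riskLevel": "high", "riskState": "remediated",  # already handled
             "isProcessing": False,
             "riskLastUpdatedDateTime": "2024-03-03T09:00:00Z"},
            {"id": "00000000-0000-0000-0000-000000000004",
             "userPrincipalName": "dave@contoso.example",
             "riskLevel": "high", "riskState": "atRisk",
             "isProcessing": False,
             "riskLastUpdatedDateTime": "2024-01-10T08:00:00Z"},  # stale
        ]
    },
}


def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    users = list(iter_risky_users(sample_fetch, risky_users_url()))
    ids = select_for_confirmation(users, "2024-03-01T00:00:00Z")
    url, body = bulk_action_request("confirmCompromised", ids)
    print(len(users), "risky users paged; POST", url, body)
```

Swap sample_fetch for graph_fetcher(token) to run against a tenant. The client-side checks in select_for_confirmation are deliberately redundant with the $filter: a user whose riskState has moved to remediated, or whose score is being recomputed (isProcessing), should not be confirmed compromised on the strength of a stale page, and confirming a user raises the risk level to high, which can trigger a user-risk Conditional Access policy immediately.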

What licenses do I need?

Azure AD Identity Protection is a premium feature. You need an Azure AD Premium P1 or P2 license to access the riskDetection API (P1 licenses receive limited risk information). The riskyUsers API is available only with Azure AD Premium P2 licenses.

See also