riskyUser resource type

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

Represents Azure AD users who are at risk. Azure AD continually evaluates user risk based on various signals and machine learning. This API provides programmatic access to all at-risk users in your Azure AD.

For more information about risk events, see Azure Active Directory Identity Protection.

Note: Using the riskyUsers API requires an Azure AD Premium P2 license.


Method Return Type Description
List riskyUsers riskyUser collection List risky users and their properties.
Get riskyUser riskyUser Get a specific risky user and its properties.
List history riskyUserHistoryItem collection Get the risk history of an Azure AD user.
Confirm riskyUsers compromised None Confirm a risky user as compromised.
Dismiss riskyUsers None Dismiss the risk of a risky user.


Property Type Description
id string Unique id of the user at risk
isDeleted bool Indicates whether the user is deleted. Possible values are: true, false
isGuest bool Indicates whether the user is a guest user. Possible values are: true, false. True if user’s identity lies outside of the tenant in consideration. This user could be a B2B or a B2C user with identity in Azure AD, MSA or 3rd party identity provider. False if user’s identity lies inside the tenant in consideration
isProcessing bool Indicates wehther a user's risky state is being processed by the backend
riskLastUpdatedDateTime datetime The date and time that the risky user was last updated
riskLevel riskLevel The possible values are low, medium, high, hidden, none, unknownFutureValue.
riskState riskState The possible values are none, confirmedSafe, remediated, atRisk, unknownFutureValue.
riskDetail riskDetail The possible values are none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.
userDisplayName string Risky user display name
userPrincipalName string Risky user principal name



JSON representation

The following is a JSON representation of the resource.

"id": "string",
"riskLastUpdatedDateTime": "dateTimeOffset",
"isGuest": "boolean",
"isProcessing": "boolean",
"isDeleted": "boolean",
"riskDetail":  "string",
"riskLevel":  "string",
"riskState":  "string",
"userDisplayName": "string",
"userPrincipalName": "string"