Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents Microsoft Entra users who are at risk. Microsoft Entra ID Protection continually evaluates user risk based on various signals and machine learning. This API provides programmatic access to all at-risk users in your Microsoft Entra tenant.
For more information about risk events, see Microsoft Entra ID Protection.
Note
- Using the riskyUsers API requires a Microsoft Entra ID P2 license.
- The availability of risky user data is governed by the Microsoft Entra data retention policies.
Methods
| Method | Return Type | Description |
|---|---|---|
| List | riskyUser collection | Get a list of the riskyUser objects and their properties. |
| Get | riskyUser | Read the properties and relationships of a riskyUser object. |
| Confirm compromised | None | Confirm one or more riskyUser objects as compromised. |
| Confirm safe | None | Confirm one or more riskyUser objects as safe. |
| Dismiss | None | Dismiss the risk of one or more riskyUser objects. |
| List history | riskyUserHistoryItem collection | Get the riskyUserHistoryItems from the history navigation property. |
Properties
| Property | Type | Description |
|---|---|---|
| id | string | Unique ID of the user at risk. |
| isDeleted | Boolean | Indicates whether the user is deleted. Possible values are: true, false. |
| isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
| riskLastUpdatedDateTime | DateTimeOffset | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| riskLevel | riskLevel | Level of the detected risky user. The possible values are low, medium, high, hidden, none, unknownFutureValue. |
| riskState | riskState | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| riskDetail | riskDetail | The possible values are none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe. Use the Prefer: include-unknown-enum-members request header to get the following value(s) in this evolvable enum: adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe. |
| userDisplayName | string | Risky user display name. |
| userPrincipalName | string | Risky user principal name. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"id": "string",
"riskLastUpdatedDateTime": "dateTimeOffset",
"isProcessing": "Boolean",
"isDeleted": "Boolean",
"riskDetail": "string",
"riskLevel": "string",
"riskState": "string",
"userDisplayName": "string",
"userPrincipalName": "string"
}