Skip to main content

Azure Active Directory Identity And Access

This Integration is part of the Microsoft Graph Identity and Access Pack.#

Use the Azure Active Directory Identity And Access integration to manage roles and members.

Configure Azure Active Directory Identity and Access on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Active Directory Identity and Access.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Application IDFalse
    Private KeyFalse
    Certificate ThumbprintFalse
    Use Azure Managed IdentitiesFalse
    Azure Managed Identities Client IDFalse
    Azure AD endpointFalse
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Required Permissions#

To use this integration, the following permissions are required on the Azure app.

  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.ReadWrite.All
  • RoleManagement.ReadWrite.Directory
  • Policy.ReadWrite.ConditionalAccess
  • Policy.Read.All

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

msgraph-identity-auth-start#


Run this command to start the authorization process and follow the instructions in the command results.

msgraph-identity-auth-complete#


Run this command to complete the authorization process. Should be used after running the msgraph-identity-auth-start command.

msgraph-identity-auth-reset#


Run this command if for some reason you need to rerun the authentication process.

msgraph-identity-auth-test#


Tests connectivity to Microsoft.

msgraph-identity-directory-roles-list#


Lists the roles in the directory.

Base Command#

msgraph-identity-directory-roles-list

Input#

Argument NameDescriptionRequired
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
MSGraphIdentity.Role.deletedDateTimeDateThe time when a role was deleted. Displays only if a role was deleted.
MSGraphIdentity.Role.descriptionStringThe description of the directory role.
MSGraphIdentity.Role.displayNameStringThe display name of the directory role.
MSGraphIdentity.Role.idStringThe unique identifier of the directory role.
MSGraphIdentity.Role.roleTemplateIdStringThe ID of the directory role template on which the role is based.

Command Example#

!msgraph-identity-directory-roles-list limit=1

Context Example#

{
"MSGraphIdentity": {
"Role": {
"deletedDateTime": null,
"description": "Can create and manage all aspects of app registrations and enterprise apps.",
"displayName": "Application Administrator",
"id": ":id:",
"roleTemplateId": "role-template-id"
}
}
}

Human Readable Output#

Directory roles:#

iddisplayNamedescriptionroleTemplateId
idApplication AdministratorCan create and manage all aspects of app registrations and enterprise apps.role-template-id

msgraph-identity-directory-role-activate#


Activates a role by its template ID.

Base Command#

msgraph-identity-directory-role-activate

Input#

Argument NameDescriptionRequired
role_template_idID of the role template to activate. Can be retrieved using the msgraph-identity-directory-roles-list command.Required

Context Output#

PathTypeDescription
MSGraphIdentity.Role.deletedDateTimeDateThe time when the role was deleted. Displays only if the role was deleted.
MSGraphIdentity.Role.descriptionStringThe description of the directory role.
MSGraphIdentity.Role.displayNameStringThe display name of the directory role.
MSGraphIdentity.Role.idStringThe unique identifier of the directory role.
MSGraphIdentity.Role.roleTemplateIdStringThe ID of the directory role template on which this role is based.

Command Example#

!msgraph-identity-directory-role-activate role_template_id=role-template-id

Context Example#

{
"MSGraphIdentity": {
"Role": {
"deletedDateTime": null,
"description": "Can create and manage all aspects of app registrations and enterprise apps.",
"displayName": "Application Administrator",
"id": ":id:",
"roleTemplateId": "role-template-id"
}
}
}

Human Readable Output#

Role has been activated#

idroleTemplateIddisplayNamedescriptiondeletedDateTime
idrole-template-idApplication AdministratorCan create and manage all aspects of app registrations and enterprise apps.

msgraph-identity-directory-role-members-list#


Gets all members in a role ID.

Base Command#

msgraph-identity-directory-role-members-list

Input#

Argument NameDescriptionRequired
role_idThe ID of the application for which to get its role members list. Can be retrieved using the msgraph-identity-directory-roles-list command.Required
limitThe maximum number of members to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
MSGraphIdentity.RoleMember.user_idStringThe unique identifier of the user in the role.
MSGraphIdentity.RoleMember.role_idStringThe unique identifier of the role specified in the input.

Command Example#

!msgraph-identity-directory-role-members-list role_id=:role:

Context Example#

{
"MSGraphIdentity": {
"RoleMember": {
"role_id": ":role:",
"user_id": [
"70585180-517a-43ea-9403-2d80b97ab19d",
"5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de"
]
}
}
}

Human Readable Output#

Role ':role:' members:#

role_iduser_id
:role:70585180-517a-43ea-9403-2d80b97ab19d,
5d9ed8e5-be5c-4aaf-86f8-c133c5cd19de,
"id",
a7cedb37-c4e5-4cfb-a327-7bafb34a1f49

msgraph-identity-directory-role-member-add#


Adds a user to a role.

Base Command#

msgraph-identity-directory-role-member-add

Input#

Argument NameDescriptionRequired
role_idThe ID of the role to add the user to. Can be retrieved using the msgraph-identity-directory-roles-list command.Required
user_idThe ID of the user to add to the role. Can be retrieved using the msgraph-identity-directory-role-members-list command.Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-identity-directory-role-member-add role_id=:role: user_id=:id:

Human Readable Output#

User ID ๐Ÿ†” has been added to role :role:

msgraph-identity-directory-role-member-remove#


Removes a user from a role.

Base Command#

msgraph-identity-directory-role-member-remove

Input#

Argument NameDescriptionRequired
role_idID of the role from which to remove the user. Can be retrieved using the msgraph-identity-directory-roles-list command.Required
user_idID of the user to remove from the role. Can be retrieved using the msgraph-identity-directory-role-members-list command.Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-identity-directory-role-member-remove role_id=:role: user_id=:id:

Human Readable Output#

User ID ๐Ÿ†” has been removed from role :role:

msgraph-identity-ip-named-locations-create#


Creates an ip named location.

Base Command#

msgraph-identity-ip-named-locations-create

Input#

Argument NameDescriptionRequired
display_nameThe display name for the ip named location.Required
is_trustedA boolean to show if the ip named location is trusted.Required
ipsThe ip ranges for the ip named location.Required

Context Output#

PathTypeDescription
MSGraph.conditionalAccess.namedIpLocations.time_createdDateThe time of the ip named location creation.
MSGraph.conditionalAccess.namedIpLocations.time_modifiedDateThe time the ip named location was last modified.
MSGraph.conditionalAccess.namedIpLocations.display_nameStringThe ip named location display name.
MSGraph.conditionalAccess.namedIpLocations.idStringThe unique identifier of the ip named location.
MSGraph.conditionalAccess.namedIpLocations.is_trustedStringThe ip named location trust status.
MSGraph.conditionalAccess.namedIpLocations.ip_rangesArrayThe ip named location ip ranges.

Command Example#

!msgraph-identity-ip-named-locations-create ips=12.34.221.11/22,2001:0:9d38:90d6:0:0:0:0/63 display_name=test is_trusted=True:

Human Readable Output#

created Ip named location 'ID': :ipNamedLocation:

msgraph-identity-ip-named-locations-get#


Gets an ip named location.

Base Command#

msgraph-identity-ip-named-locations-get

Input#

Argument NameDescriptionRequired
ip_idThe id of the ip named location to get.Required

Context Output#

PathTypeDescription
MSGraph.conditionalAccess.namedIpLocations.time_createdDateThe time of the ip named location creation.
MSGraph.conditionalAccess.namedIpLocations.time_modifiedDateThe time the ip named location was last modified.
MSGraph.conditionalAccess.namedIpLocations.display_nameStringThe ip named location display name.
MSGraph.conditionalAccess.namedIpLocations.idStringThe unique identifier of the ip named location.
MSGraph.conditionalAccess.namedIpLocations.is_trustedStringThe ip named location trust status.
MSGraph.conditionalAccess.namedIpLocations.ip_rangesArrayThe ip named location ip ranges.

Command Example#

!msgraph-identity-ip-named-locations-get ip_id=03f8c56f-2ffd-4699-84af-XXXXXXXCX

Human Readable Output#

Ip named location 'ID': :ipNamedLocation:

msgraph-identity-ip-named-locations-delete#


Deletes an ip named location.

Base Command#

msgraph-identity-ip-named-locations-delete

Input#

Argument NameDescriptionRequired
ip_idThe id of the ip named location to delete.Required

Context Output#

No context output

Command Example#

!msgraph-identity-ip-named-locations-delete ip_id=03f8c56f-2ffd-4699-84af-XXXXXXXCX

Human Readable Output#

Successfully deleted IP named location 'X-X-X-X'

msgraph-identity-ip-named-locations-update#


Updates an ip named location.

Base Command#

msgraph-identity-ip-named-locations-update

Input#

Argument NameDescriptionRequired
ip_idThe id of the ip named location to delete.Required
display_nameThe display name for the ip named location.Required
is_trustedA boolean to show if the ip named location is trusted.Required
ipsThe ip ranges for the ip named location.Required

Context Output#

No context output

Command Example#

!msgraph-identity-ip-named-locations-update ips=12.34.221.11/22,2001:0:9d38:90d6:0:0:0:0/63 display_name=test is_trusted=True ip_id=098699fc-10ad-420e-9XXXXXXXXXX

Human Readable Output#

Successfully updated IP named location '006cc9bf-8391-4ff3-8cff-ee87f06b7b02'

msgraph-identity-ip-named-locations-list#


Lists an ip named locations.

Base Command#

msgraph-identity-ip-named-locations-list

Input#

Argument NameDescriptionRequired
limitThe get request results limit.Optional
pageThe page to get the data from.Optional
odata_queryAn odata query to send to the api.Optional

Context Output#

PathTypeDescription
MSGraph.conditionalAccess.namedIpLocations.ip_named_locationsArrayList of ip named locations.

Command Example#

!msgraph-identity-ip-named-locations-list

msgraph-identity-protection-risks-list#


Retrieve the properties of a collection of riskDetection objects.

Required Permissions#

IdentityRiskEvent.Read.All

Base Command#

msgraph-identity-protection-risks-list

Input#

Argument NameDescriptionRequired
odata_queryAn odata query to send to the api.Optional
limitNumber of results to provide. Default is 50.Optional

Context Output#

PathTypeDescription
MSGraph.identityProtection.risks.idstringUnique ID of the risk detection.
MSGraph.identityProtection.risks.requestIdstringThe ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
MSGraph.identityProtection.risks.correlationIdstringCorrelation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
MSGraph.identityProtection.risks.riskEventTypestringThe type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic,adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue.
MSGraph.identityProtection.risks.riskTypestringDeprecated. Use riskEventType instead. List of risk event types.
MSGraph.identityProtection.risks.riskLevelstringRisk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue.
MSGraph.identityProtection.risks.riskstatestringState of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.
MSGraph.identityProtection.risks.riskDetailstringReason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.
MSGraph.identityProtection.risks.sourcestringSource of the risk detection. For example, activeDirectory.
MSGraph.identityProtection.risks.detectionTimingTypestringTiming of the detected risk (real-time/offline). The possible values are notDefined, realtime, nearRealtime, offline, and unknownFutureValue.
MSGraph.identityProtection.risks.activitystringIndicates the activity type the detected risk is linked to. The possible values are signin, user, and unknownFutureValue.
MSGraph.identityProtection.risks.tokenIssuerTypestringIndicates the type of token issuer for the detected sign-in risk. The possible values are AzureAD, ADFederationServices, and unknownFutureValue.
MSGraph.identityProtection.risks.ipAddressstringProvides the IP address of the client from where the risk occurred.
MSGraph.identityProtection.risks.location.citystringCity of the sign-in.
MSGraph.identityProtection.risks.location.countryOrRegionstringCountry or region of the sign-in.
MSGraph.identityProtection.risks.location.geoCoordinates.latitudestringLatitude of the sign-in.
MSGraph.identityProtection.risks.location.geoCoordinates.longitudestringLongitude of the sign-in.
MSGraph.identityProtection.risks.location.statestringState of the sign-in.
MSGraph.identityProtection.risks.activityDateTimestringDate and time that the risky activity occurred. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
MSGraph.identityProtection.risks.detectedDateTimestringDate and time that the risk was detected. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
MSGraph.identityProtection.risks.lastUpdatedDateTimestringDate and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
MSGraph.identityProtection.risks.userIdstringUnique ID of the user.
MSGraph.identityProtection.risks.userDisplayNamestringRisky user display name.
MSGraph.identityProtection.risks.userPrincipalNamestringRisky user principal name.
MSGraph.identityProtection.risks.additionalInfostringAdditional information associated with the risk detection in JSON format.

Command Example#

!msgraph-identity-protection-risks-list

Human Readable Output#

risks (6 results)#

User IDUser Principal NameUser Display NameIP AddressDetected Date TimeActivityActivity Date TimeAdditional InfoCorrelation IDDetection Timing TypeIDLast Updated Date TimeLocationRequest IDRisk DetailRisk Event TypeRisk LevelRisk StateRisk TypeSourceToken Issuer Type
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe1.1.1.12021-04-25T09:00:40.7780969Zsignin2021-04-25T09:00:40.7780969Z[{"Key":"userAgent","Value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}]271ac223-695b-418e-85b3-7809070ee33erealtime86a45315157fb75c3a6e0936ef854c139df99bdfbde4bd7e7f1bc685c36389082021-05-23T08:20:41.9161522Zcity: San Jose
state: California
countryOrRegion: US
geoCoordinates: {"latitude": 37.33053, "longitude": -121.8382}
86b6e4a1-25cb-40c7-af2b-9e79c6106000userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe2.2.2.22021-04-28T11:40:11.333738Zsignin2021-04-28T11:40:11.333738Z[{"Key":"userAgent","Value":"python-requests/2.18.4"}]6f74b0f4-dabc-49af-aa87-3aaba042babarealtimec0e94938cddbb849ef64dbb6a98189ab3d93cdec4c4f95923ac935a91486def22021-05-23T08:20:29.027631Zcity: Frankfurt Am Main
state: Hessen
countryOrRegion: DE
geoCoordinates: {"latitude": 50.1109, "longitude": 8.6821}
64b01b65-25fa-4811-b4cd-411c9accc000userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe3.3.3.32021-04-29T08:03:23.5302796Zsignin2021-04-29T08:03:23.5302796Z[{"Key":"userAgent","Value":"python-requests/2.18.4"}]069f7e67-3692-4191-a84d-14ab0aa1babarealtimec197aea67197503695f6dbddd9af2b3adcd1e8571f8381e96707ac71162d1cdf2021-05-23T08:20:42.1561664Zcity: Paris
state: Paris
countryOrRegion: FR
geoCoordinates: {"latitude": 48.86023, "longitude": 2.34107}
22e0bc21-61f2-4661-aa0b-afe40985e100userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe5.5.5.52021-05-07T06:00:45.0034244Zsignin2021-05-07T06:00:45.0034244Z[{"Key":"userAgent","Value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"}]dec7bb21-5a9b-45ff-84d6-b1538da801bcrealtime8b29fae724e168a32412e2bdc630540588df7558ac647772c36d957656b6e1562021-05-23T08:20:42.2461705Zcity: Tanglin
state: South West
countryOrRegion: SG
geoCoordinates: {"latitude": 1.32, "longitude": 103.8198}
5fd28f4a-b172-4aa6-92b2-883832460400userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe4.4.4.42021-05-09T09:41:24.9769131Zsignin2021-05-09T09:41:24.9769131Z[{"Key":"userAgent","Value":"BAV2ROPC"}]f9dbd73b-8e7f-4bcd-93a7-2a7c1d4cbabarealtimedbc1272033adf3a2e960ce438a671de91b4b1b917e250ec575492156eb64f6eb2021-05-23T08:20:29.0726385Zcity: Stockholm
state: Stockholms Lan
countryOrRegion: SE
geoCoordinates: {"latitude": 59.31512, "longitude": 18.05132}
d6e81927-c8e1-40f4-ad38-aa4d5408aa00userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn Doe1.2.3.42021-05-11T07:15:33.6885155Zsignin2021-05-11T07:15:33.6885155Z[{"Key":"userAgent","Value":"python-requests/2.25.1"}]5bb85e1f-1933-4698-831d-fbeb40aebabarealtime969476f4d6d20717dfaea9f2df92945f9d736240d53b4187b50579003bf2d0112021-05-23T08:20:42.2911741Zcity: Dublin
state: Dublin
countryOrRegion: IE
geoCoordinates: {"latitude": 53.35389, "longitude": -6.24333}
7b7d098c-edcc-4139-b171-fc64c38d0d00userPerformedSecuredPasswordChangeunfamiliarFeatureslowremediatedunfamiliarFeaturesIdentityProtectionAzureAD

msgraph-identity-protection-risky-user-list#


Retrieves the properties of a collection of riskDetection objects.

Required Permissions#

IdentityRiskEvent.Read.All

Base Command#

msgraph-identity-protection-risky-user-list

Input#

Argument NameDescriptionRequired
updated_timeThe time elapsed since the risky user was last updated, formatted as <number> <time unit>, e.g., 12 hours or 7 days.Optional
risk_levelRisk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFeatureValue.Optional
risk_stateState of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.Optional
risk_detailDetails of the detected risk. The possible values are none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.Optional
filter_expressionA custom query in OData syntax. Using this overrides all arguments, except for next_link. For more details, see https://docs.microsoft.com/en-us/graph/query-parameters.Optional
limitNumber of results to provide. Default is 50.Optional
next_linkA link that specifies a starting point for subsequent calls. Using this argument overrides all other arguments.Optional
user_nameRisky user principal name.Optional

Context Output#

PathTypeDescription
MSGraph.identityProtection.risky-users.idstringUnique ID of the risky user.
MSGraph.identityProtection.risky-users.isDeletedBooleanIndicates whether a user is delted
MSGraph.identityProtection.risky-users.isProcessingBooleanIndicates whether a user's risky state is being processed by the backend.
MSGraph.identityProtection.risky-users.riskLastUpdatedDateTimeDateTimeThe date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
MSGraph.identityProtection.risky-users.riskLevelstringRisk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue.
MSGraph.identityProtection.risky-users.riskstatestringState of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.
MSGraph.identityProtection.risky-users.riskDetailstringReason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.
MSGraph.identityProtection.risky-users.userDisplayNamestringRisky user display name.
MSGraph.identityProtection.risky-users.userPrincipalNamestringRisky user principal name.

Command Example#

!msgraph-identity-protection-risky-user-list

Human Readable Output#

Risky Users (1 result)#

User Principal NameUser Display NameIDIs DeletedIs ProcessingRisk DetailRisk Last Updated Date TimeRisk LevelRisk State
jdoe@example.comJohn Doe3fa9f28b-eb0e-463a-ba7b-8089fe9991e2falsefalsenone2021-07-21T17:56:28.958147ZmediumatRisk

msgraph-identity-protection-risky-user-history-list#


Gets the risk history of a riskyUser resource.

Required Permissions#

IdentityRiskyUser.Read.All IdentityRiskyUser.ReadWrite.All

Base Command#

msgraph-identity-protection-risky-user-history-list

Input#

Argument NameDescriptionRequired
user_idUnique ID of the user.Required
limitNumber of results to provide. Default is 50.Optional
filter_expressionA custom query in OData syntax. Using this overrides all arguments, except for next_link. For more details, see https://docs.microsoft.com/en-us/graph/query-parameters.Optional
next_linkA link that specifies a starting point for subsequent calls. Using this argument overrides all other arguments.Optional

Context Output#

PathTypeDescription
MSGraph.identityProtection.RiskyUserHistory.idstringUnique ID of the risky user.
MSGraph.identityProtection.RiskyUserHistory.isDeletedBooleanIndicates whether the user is deleted.
MSGraph.identityProtection.RiskyUserHistory.isProcessingBooleanIndicates whether a user's risky state is being processed by the backend.
MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTimeDateTimeThe date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
MSGraph.identityProtection.RiskyUserHistory.riskLevelstringRisk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue.
MSGraph.identityProtection.RiskyUserHistory.riskstatestringState of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.
MSGraph.identityProtection.RiskyUserHistory.riskDetailstringReason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.
MSGraph.identityProtection.RiskyUserHistory.userDisplayNamestringRisky user display name.
MSGraph.identityProtection.RiskyUserHistory.userPrincipalNamestringRisky user principal name.

Command Example#

!msgraph-identity-protection-risky-user-history-list user_id="3fa9f28b-eb0e-463a-ba7b-8089fe9991e2"

Human Readable Output#

Risky User History For 3Fa9F28B-Eb0E-463A-Ba7B-8089Fe9991E2 (12 results)#

User IDUser Principal NameUser Display NameActivityIDInitiated ByIs DeletedIs ProcessingRisk DetailRisk Last Updated Date TimeRisk LevelRisk State
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637571860258849619falsefalsenone2021-05-21T09:27:05.8849619ZhighatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637579558855706894falsefalsenone2021-05-30T07:18:05.5706894ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637581817194185440falsefalsenone2021-06-01T22:01:59.418544ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637617844902084332falsefalsenone2021-07-13T14:48:10.2084332ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures,
mcasImpossibleTravel
riskEventTypes: unfamiliarFeatures,
mcasImpossibleTravel
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637617905007494900falsefalsenone2021-07-13T16:28:20.74949ZmediumatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2falsefalsenone2021-07-21T17:56:28.958147ZmediumatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes:
riskEventTypes:
detail: userPerformedSecuredPasswordChange
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637573546620000000falsefalseuserPerformedSecuredPasswordChange2021-05-23T08:17:42Znoneremediated
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: mcasImpossibleTravel
riskEventTypes: mcasImpossibleTravel
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637580439207803793falsefalsenone2021-05-31T07:45:20.7803793ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637588246283692301falsefalsenone2021-06-09T08:37:08.3692301ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: mcasImpossibleTravel
riskEventTypes: mcasImpossibleTravel
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637597636382264783falsefalsenone2021-06-20T05:27:18.2264783ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes: unfamiliarFeatures
riskEventTypes: unfamiliarFeatures
detail: null
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2637600753627454017falsefalsenone2021-06-23T20:02:42.7454017ZlowatRisk
3fa9f28b-eb0e-463a-ba7b-8089fe9991e2jdoe@example.comJohn DoeeventTypes:
riskEventTypes:
detail: adminDismissedAllRiskForUser
3fa9f28b-eb0e-463a-ba7b-8089fe9991e26376238611617065393fa9f28b-eb0e-463a-ba7b-8089fe9991e2falsefalseadminDismissedAllRiskForUser2021-07-20T13:55:16.1706539Znonedismissed

msgraph-identity-protection-risky-user-confirm-compromised#


Confirms one or more riskyUser objects as compromised. This action sets the targeted user's risk level to high.

Required Permissions#

IdentityRiskyUser.ReadWrite.All

Base Command#

msgraph-identity-protection-risky-user-confirm-compromised

Input#

Argument NameDescriptionRequired
user_idsOne or more user IDs, comma-separated.Required

Context Output#

There is no context output for this command.

Command Example#

!MSGraph.identityProtection-risky-user-confirm-compromised user_ids="3fa9f28b-eb0e-463a-ba7b-8089fe9991e3"

Human Readable Output#

โœ… Confirmed successfully.

msgraph-identity-protection-risky-user-dismiss#


Dismisses the risk of one or more riskyUser objects. This action sets the targeted user's risk level to none.

Required Permissions#

IdentityRiskyUser.ReadWrite.All

Base Command#

msgraph-identity-protection-risky-user-dismiss

Input#

Argument NameDescriptionRequired
user_idsOne or more user IDs, comma-separated.Required

Context Output#

There is no context output for this command.

Command Example#

!c user_ids="3fa9f28b-eb0e-463a-ba7b-8089fe9991e2"

Human Readable Output#

โœ… Dismissed successfully.