IdentityRiskyServicePrincipal.Read.All
Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
IdentityRiskyServicePrincipal.Read.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 607c7344-0eed-41e5-823a-9695ebe1b7b0 | ea5c4ab0-5a73-4f35-8272-5d5337884e5d |
| DisplayText | Read all identity risky service principal information | Read all identity risky service principal information |
| Description | Allows the app to read all risky service principal information for your organization, without a signed-in user. | Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: riskyServicePrincipal
| Property | Type | Description |
|---|---|---|
| appId | String | The globally unique identifier for the associated application (its appId property), if any. |
| displayName | String | The display name for the service principal. |
| id | String | The unique identifier assigned to the service principal at risk. Inherited from entity. |
| isEnabled | Boolean | true if the service principal account is enabled; otherwise, false. |
| isProcessing | Boolean | Indicates whether Microsoft Entra ID is currently processing the service principal's risky state. |
| riskDetail | riskDetail | Details of the detected risk. Note: Details for this property are only available for Workload Identities Premium customers. Events in tenants without this license will be returned hidden. The possible values are: none, hidden, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal. Note that you must use the Prefer: include-unknown-enum-members request header to get the following value(s) in this evolvable enum: adminConfirmedServicePrincipalCompromised , adminDismissedAllRiskForServicePrincipal. |
| riskLastUpdatedDateTime | DateTimeOffset | The date and time that the risk state was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2021 is 2021-01-01T00:00:00Z. Supports $filter (eq). |
| riskLevel | riskLevel | Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). |
| riskState | riskState | State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| servicePrincipalType | String | Identifies whether the service principal represents an Application, a ManagedIdentity, or a legacy application (socialIdp). This is set by Microsoft Entra ID internally and is inherited from servicePrincipal. |