IdentityRiskyServicePrincipal.ReadWrite.All
Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
IdentityRiskyServicePrincipal.ReadWrite.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | cb8d6980-6bcb-4507-afec-ed6de3a2d798 | bb6f654c-d7fd-4ae3-85c3-fc380934f515 |
| DisplayText | Read and write all identity risky service principal information | Read and write all identity risky service principal information |
| Description | Allows the app to read and update identity risky service principal for your organization, without a signed-in user. | Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: riskyServicePrincipal
| Property | Type | Description |
|---|---|---|
| appId | String | The globally unique identifier for the associated application (its appId property), if any. |
| displayName | String | The display name for the service principal. |
| id | String | The unique identifier assigned to the service principal at risk. Inherited from entity. |
| isEnabled | Boolean | true if the service principal account is enabled; otherwise, false. |
| isProcessing | Boolean | Indicates whether Microsoft Entra ID is currently processing the service principal's risky state. |
| riskDetail | riskDetail | Details of the detected risk. Note: Details for this property are only available for Workload Identities Premium customers. Events in tenants without this license will be returned hidden. The possible values are: none, hidden, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal. Note that you must use the Prefer: include-unknown-enum-members request header to get the following value(s) in this evolvable enum: adminConfirmedServicePrincipalCompromised , adminDismissedAllRiskForServicePrincipal. |
| riskLastUpdatedDateTime | DateTimeOffset | The date and time that the risk state was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2021 is 2021-01-01T00:00:00Z. Supports $filter (eq). |
| riskLevel | riskLevel | Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). |
| riskState | riskState | State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| servicePrincipalType | String | Identifies whether the service principal represents an Application, a ManagedIdentity, or a legacy application (socialIdp). This is set by Microsoft Entra ID internally and is inherited from servicePrincipal. |