IdentityRiskyUser.Read.All

Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the IdentityRiskyUser.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	dc5007c0-2d7d-4c42-879c-2dab87571379	d04bb851-cb7c-4146-97c7-ca3e71baf56c
DisplayText	Read all identity risky user information	Read identity risky user information
Description	Allows the app to read the identity risky user information for your organization without a signed in user.	Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityProtection/riskyUsers
	GET /identityProtection/riskyUsers/{riskyUserId}
	GET /identityProtection/riskyUsers/{riskyUserId}/history

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityProtection/riskyUsers
	GET /identityProtection/riskyUsers/{id}
	GET /identityProtection/riskyUsers/{id}/history/
	GET /identityProtection/riskyUsers/{userid}/history/{id}
	GET /riskyUsers
	GET /riskyUsers/{id}
	GET /riskyUsers/{id}/history
	GET /riskyUsers/{userid}/history/{id}

	Commands
	Get-MgRiskyUser
	Get-MgRiskyUserHistory

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaRiskyUser
	Get-MgBetaRiskyUserHistory

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

riskyUser
riskyUserHistoryItem

Graph reference: riskyUser

Property	Type	Description
id	String	Unique ID of the user at risk.
isDeleted	Boolean	Indicates whether the user is deleted. Possible values are: `true`, `false`.
isProcessing	Boolean	Indicates whether the backend is processing a user's risky state.
riskLastUpdatedDateTime	DateTimeOffset	The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
riskLevel	riskLevel	Level of the detected risky user. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
riskState	riskState	State of the user's risk. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.
riskDetail	riskDetail	The possible values are `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`, `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`. Use the `Prefer: include-unknown-enum-members` request header to get the following value or values in this evolvable enum: `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`.
userDisplayName	String	Risky user display name.
userPrincipalName	String	Risky user principal name.

Graph reference: riskyUserHistoryItem

Property	Type	Description
activity	riskUserActivity	The activity related to user risk level change.
id	String	The unique identifier for the riskyUserHistoryItem object. Inherited from entity.
initiatedBy	String	The ID of actor that does the operation.
isDeleted	Boolean	Indicates whether the user is deleted. Inherited from riskyUser.
isProcessing	Boolean	Indicates whether a user's risky state is being processed by the backend. Inherited from riskyUser.
riskDetail	riskDetail	Details of the detected risk. Inherited from riskyUser. Possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`.
riskLastUpdatedDateTime	DateTimeOffset	The date and time when the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from riskyUser.
riskLevel	riskLevel	Level of the detected risky user. Inherited from riskyUser. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
riskState	riskState	State of the user's risk. Inherited from riskyUser. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.
userDisplayName	String	Risky user display name. Inherited from riskyUser.
userId	String	The ID of the user.
userPrincipalName	String	Risky user principal name. Inherited from riskyUser.

Table of Contents

IdentityRiskyUser.Read.All

Graph Methods

Resources