IdentityRiskyUser.ReadWrite.All

Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the IdentityRiskyUser.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	656f6061-f9fe-4807-9708-6a2e0934df76	e0a7cdbb-08b0-4697-8264-0069786e9674
DisplayText	Read and write all risky user information	Read and write risky user information
Description	Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users.	Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityProtection/riskyUsers/{riskyUserId}/history
	POST /identityProtection/riskyUsers/confirmCompromised
	POST /identityProtection/riskyUsers/dismiss

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityProtection/riskyUsers/{id}/history/
	GET /identityProtection/riskyUsers/{userid}/history/{id}
	GET /riskyUsers/{id}/history
	GET /riskyUsers/{userid}/history/{id}
	POST /auditLogs/signIns/confirmCompromised
	POST /auditLogs/signIns/confirmSafe
	POST /riskyUsers/confirmCompromised
	POST /riskyUsers/dismiss

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Confirm-MgRiskyUserCompromised
	Get-MgRiskyUserHistory
	Invoke-MgDismissRiskyUser

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Confirm-MgBetaAuditLogSignInCompromised
	Confirm-MgBetaAuditLogSignInSafe
	Confirm-MgBetaRiskyUserCompromised
	Get-MgBetaRiskyUserHistory
	Invoke-MgBetaDismissRiskyUser

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: riskyUser

Property	Type	Description
id	String	Unique ID of the user at risk.
isDeleted	Boolean	Indicates whether the user is deleted. Possible values are: `true`, `false`.
isProcessing	Boolean	Indicates whether the backend is processing a user's risky state.
riskLastUpdatedDateTime	DateTimeOffset	The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
riskLevel	riskLevel	Level of the detected risky user. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
riskState	riskState	State of the user's risk. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.
riskDetail	riskDetail	The possible values are `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`, `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`. You must use the `Prefer: include-unknown-enum-members` request header to get the following value or values in this evolvable enum: `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`.
userDisplayName	String	Risky user display name.
userPrincipalName	String	Risky user principal name.

Graph reference: riskyUserHistoryItem

Property	Type	Description
activity	riskUserActivity	The activity related to user risk level change.
id	String	The unique identifier for the riskyUserHistoryItem object. Inherited from entity.
initiatedBy	String	The ID of actor that does the operation.
isDeleted	Boolean	Indicates whether the user is deleted. Inherited from riskyUser.
isProcessing	Boolean	Indicates whether a user's risky state is being processed by the backend. Inherited from riskyUser.
riskDetail	riskDetail	Details of the detected risk. Inherited from riskyUser. Possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`.
riskLastUpdatedDateTime	DateTimeOffset	The date and time when the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from riskyUser.
riskLevel	riskLevel	Level of the detected risky user. Inherited from riskyUser. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
riskState	riskState	State of the user's risk. Inherited from riskyUser. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.
userDisplayName	String	Risky user display name. Inherited from riskyUser.
userId	String	The ID of the user.
userPrincipalName	String	Risky user principal name. Inherited from riskyUser.

Graph reference: signIn

Property	Type	Description
appDisplayName	String	App name displayed in the Microsoft Entra admin center. Supports `$filter` (`eq`, `startsWith`).
appId	String	Unique GUID that represents the app ID in the Microsoft Entra ID. Supports `$filter` (`eq`).
appliedConditionalAccessPolicies	appliedConditionalAccessPolicy collection	Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins.
clientAppUsed	String	Identifies the client used for the sign-in activity. Modern authentication clients include `Browser`, `modern clients`. Legacy authentication clients include `Exchange ActiveSync`, `IMAP`, `MAPI`, `SMTP`, `POP`, and `other clients`. Supports `$filter` (`eq`).
conditionalAccessStatus	conditionalAccessStatus	Reports status of an activated conditional access policy. Possible values are: `success`, `failure`, `notApplied`, and `unknownFutureValue`. Supports `$filter` (`eq`).
correlationId	String	The request ID sent from the client when the sign-in is initiated. Used to troubleshoot sign-in activity. Supports `$filter` (`eq`).
createdDateTime	DateTimeOffset	Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as `2014-01-01T00:00:00Z`. Supports `$orderby`, `$filter` (`eq`, `le`, and `ge`).
deviceDetail	deviceDetail	Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports `$filter` (`eq`, `startsWith`) on browser and operatingSytem properties.
id	String	Unique ID representing the sign-in activity. Supports `$filter` (`eq`).
ipAddress	String	IP address of the client used to sign in. Supports `$filter` (`eq`, `startsWith`).
isInteractive	Boolean	Indicates whether a sign-in is interactive.
location	signInLocation	Provides the city, state, and country code where the sign-in originated. Supports `$filter` (`eq`, `startsWith`) on city, state, and countryOrRegion properties.
resourceDisplayName	String	Name of the resource the user signed into. Supports `$filter` (`eq`).
resourceId	String	ID of the resource that the user signed into. Supports `$filter` (`eq`).
riskDetail	riskDetail	The reason behind a specific state of a risky user, sign-in, or a risk event. The possible values are `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`, `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`. You must use the `Prefer: include-unknown-enum-members` request header to get the following value or values in this evolvable enum: `adminConfirmedServicePrincipalCompromised`, `adminDismissedAllRiskForServicePrincipal`, `m365DAdminDismissedDetection`, `userChangedPasswordOnPremises`, `adminDismissedRiskForSignIn`, `adminConfirmedAccountSafe`.The value `none` means that Microsoft Entra risk detection did not flag the user or the sign-in as a risky event so far. Supports `$filter` (`eq`). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned `hidden`.
riskEventTypes_v2	String collection	The list of risk event types associated with the sign-in. Possible values: `unlikelyTravel`, `anonymizedIPAddress`, `maliciousIPAddress`, `unfamiliarFeatures`, `malwareInfectedIPAddress`, `suspiciousIPAddress`, `leakedCredentials`, `investigationsThreatIntelligence`, `generic`, or `unknownFutureValue`. Supports `$filter` (`eq`, `startsWith`).
riskLevelAggregated	riskLevel	Aggregated risk level. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports `$filter` (`eq`). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned `hidden`.
riskLevelDuringSignIn	riskLevel	Risk level during sign-in. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports `$filter` (`eq`). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned `hidden`.
riskState	riskState	Reports status of the risky user, sign-in, or a risk event. The possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`. Supports `$filter` (`eq`).
status	signInStatus	Sign-in status. Includes the error code and description of the error (if a sign-in failure occurs). Supports `$filter` (`eq`) on errorCode property.
userDisplayName	String	Display name of the user that initiated the sign-in. Supports `$filter` (`eq`, `startsWith`).
userId	String	ID of the user that initiated the sign-in. Supports `$filter` (`eq`).
userPrincipalName	String	User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain `#EXT#` before the domain part, this property stores the value in both lowercase and the "true" format. For example, while the user object stores `AdeleVance_fabrikam.com#EXT#@contoso.com`, the sign-in logs store `[email protected]`. Supports `$filter` (`eq`, `startsWith`).

Table of Contents

IdentityRiskyUser.ReadWrite.All

Graph Methods

Resources