Risky User Alert Feature
With the security reports in Microsoft Entra ID, you can gauge the probability that user accounts in your environment have been compromised. A user flagged for risk is an indicator that the user account might have been compromised; the risky user's risk level represents the probability that the given identity or account is compromised. These risks are calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
This feature supports the following operations:
- Account Aggregation
- Get Object
Note
By default, this feature is enabled for new connectors. If your Microsoft Entra ID instance doesn't require or support the Risky User Alert feature, you must disable the feature by removing attributes from the schema.
Prerequisite
The tenant must have a Microsoft Entra ID P2 license.
Administrator Permissions
To fetch risky user details using MS Graph APIs, the following API permissions must be assigned:
| OAuth2.0 Authentication | Type | Permission | Purpose |
|---|---|---|---|
| Client Credentials | Application | IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All | Aggregate or Get Risky user related information |
| SAML Bearer Assertion, Refresh Token / AuthCode, JWT Certificate Credentials | Delegated | IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All | Aggregate or Get Risky user related information |
Note
For SAML Bearer Assertion the authenticated user must have the Security Operator role.
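As an added example (not the connector's own code and not part of this documentation), the following Python checks that an access token actually carries the two permissions from the table above for the chosen flow, builds the Microsoft Graph riskyUsers request an aggregation would issue, and triages a riskyUsers response. The tokens and the response pages are constructed sample data; the `v1.0` endpoint path and the `roles` (application) and `scp` (delegated) claim names are Microsoft Graph and Entra ID conventions, and the "needs attention" filter (state `atRisk` at medium or high level) is an assumed triage policy, not one the page defines.

```python
"""Added example: verify risky-user Graph permissions and triage a riskyUsers
response. All tokens and responses below are constructed sample data."""
import base64
import json
from collections import Counter

# Permissions listed on the page; the same two apply to both auth flows.
REQUIRED_PERMISSIONS = {"IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"}

# Microsoft Graph v1.0 endpoint for risky users (assumption: v1.0 is in use).
RISKY_USERS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.
    This is only for inspecting which permissions a token carries; Graph
    performs the actual signature validation when the token is presented."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(claims: dict, flow: str) -> set:
    """Application (client credentials) tokens carry app roles in 'roles';
    delegated tokens carry scopes in the space-separated 'scp' claim."""
    if flow == "application":
        granted = set(claims.get("roles", []))
    elif flow == "delegated":
        granted = set(claims.get("scp", "").split())
    else:
        raise ValueError(f"unknown flow: {flow}")
    return REQUIRED_PERMISSIONS - granted


def build_risky_users_request(access_token: str, page_size: int = 100) -> tuple:
    """Build the GET request an aggregation would issue (no network call here)."""
    url = f"{RISKY_USERS_URL}?$top={page_size}"
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def collect_risky_users(pages: list) -> list:
    """Flatten paged riskyUsers responses. A live client follows each page's
    '@odata.nextLink'; here the pages are supplied as a list to run offline."""
    users = []
    for page in pages:
        users.extend(page.get("value", []))
    return users


def users_needing_attention(users: list) -> list:
    """Assumed triage policy: accounts still 'atRisk' (not remediated,
    dismissed or confirmedSafe) at medium or high level."""
    actionable = {"high", "medium"}
    return sorted(
        u["userPrincipalName"]
        for u in users
        if u.get("riskState") == "atRisk" and u.get("riskLevel") in actionable
    )


def risk_level_counts(users: list) -> dict:
    """Summary of how many risky users sit at each risk level."""
    return dict(Counter(u.get("riskLevel", "unknown") for u in users))


def _make_token(claims: dict) -> str:
    """Constructed, unsigned JWT (header.payload.signature) for the demo only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample tokens: the app token is missing one required permission.
APP_TOKEN = _make_token({"roles": ["IdentityRiskyUser.Read.All"]})
DELEGATED_TOKEN = _make_token(
    {"scp": "IdentityRiskEvent.Read.All IdentityRiskyUser.Read.All User.Read"}
)

# Constructed sample riskyUsers response, split over two pages.
SAMPLE_PAGES = [
    {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@contoso.example",
             "riskLevel": "high", "riskState": "atRisk"},
            {"id": "u2", "userPrincipalName": "bob@contoso.example",
             "riskLevel": "medium", "riskState": "remediated"},
        ],
        "@odata.nextLink": f"{RISKY_USERS_URL}?$skiptoken=constructed",
    },
    {
        "value": [
            {"id": "u3", "userPrincipalName": "carol@contoso.example",
             "riskLevel": "low", "riskState": "atRisk"},
            {"id": "u4", "userPrincipalName": "dave@contoso.example",
             "riskLevel": "medium", "riskState": "atRisk"},
        ]
    },
]

if __name__ == "__main__":
    print("app token missing:", missing_permissions(decode_jwt_claims(APP_TOKEN), "application"))
    print("delegated missing:", missing_permissions(decode_jwt_claims(DELEGATED_TOKEN), "delegated"))
    users = collect_risky_users(SAMPLE_PAGES)
    print(users_needing_attention(users), risk_level_counts(users))
```

Running the permission check before the first aggregation turns a vague "aggregation returned nothing" into a precise "the app registration is missing IdentityRiskEvent.Read.All", which is the usual failure when only one of the two permissions was consented.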
Supported Schema Attributes
To manage the risky user alert feature, ensure that the Risky User Alert Supported Attributes are present in the account schema.
Note
Only the default schema attributes are supported. The Account schema cannot be extended with other risk-related attributes.