Risky User Alert Feature
With the security reports in Microsoft Entra, you can gauge the probability that user accounts in your environment have been compromised. A user flagged for risk is an indicator that the account might have been compromised; the risky user's risk level represents the probability that the identity or account is compromised. Microsoft calculates these risks offline using its internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.
This feature supports the following operations:
- Account Aggregation
- Get Object
Note
By default, this feature is not enabled for new connectors. If your Microsoft Entra instance requires the Risky User Alert feature, enable it by adding the risk attributes listed under Supported Schema Attributes to the account schema.
Prerequisite
The tenant must have a Microsoft Entra ID P2 license. Microsoft Entra ID Protection, which produces the risky user data, is a P2 feature.
Administrator Permissions
To fetch risky user details using the Microsoft Graph API, the following API permissions must be assigned to the app registration the connector uses. Whether they are granted as application or delegated permissions depends on the OAuth 2.0 grant the connector is configured with; both permissions are required in either case.

| OAuth 2.0 Authentication | Type | Permission | Purpose |
|---|---|---|---|
| Client Credentials | Application | IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All | Aggregate or get risky user related information |
| Refresh Token / AuthCode, JWT Certificate Credentials | Delegated | IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All | Aggregate or get risky user related information |
Supported Schema Attributes
To use the Risky User Alert feature, ensure that the following attributes are present in the account schema.
Note
The account schema cannot be extended with other risk-related attributes; only the attributes below are supported.
Risky User Alert Supported Attributes
- Level of the risk detected for the user.
- State of the user's risk.
- Details of the detected risk.
- Date and time at which the risky user record was last updated.
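The two things a practitioner wants to check before turning this feature on are that the token the connector obtains actually carries both permissions in the right form (app roles in the `roles` claim for the client-credentials grant, scopes in the `scp` claim for delegated grants) and what the four risk attributes look like once a `riskyUsers` response comes back. The script below is an added example covering both the Administrator Permissions table and the Supported Schema Attributes section; it is not SailPoint or Microsoft code. The Graph endpoint, the `roles`/`scp` claim names, and the `riskLevel`, `riskState`, `riskDetail` and `riskLastUpdatedDateTime` property names and enum values are Microsoft Graph facts; the tokens, user principal names and response values are constructed so it runs offline, the function names are my own, and the connector's internal attribute names (not shown on this page) are left unspecified.

```python
import base64
import json

# Added example, not SailPoint or Microsoft code. The tokens and the riskyUsers
# response below are constructed so the script runs offline against realistic shapes.

GRAPH_RISKY_USERS = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"
REQUIRED_PERMISSIONS = {"IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"}
# riskState values that still need action; none/remediated/dismissed/confirmedSafe do not.
ACTIVE_RISK_STATES = {"atRisk", "confirmedCompromised"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with an empty signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_permissions(access_token: str) -> tuple[str, set[str]]:
    """Return (grant type, granted permissions) read from an Entra access token.

    Application tokens (client credentials, certificate) list app roles in `roles`;
    delegated tokens (auth code / refresh token) list scopes in `scp`, space-separated.
    Only the payload is parsed and the signature is NOT verified, so this is a
    pre-flight check on a token you already hold, never an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))


def missing_permissions(access_token: str) -> set[str]:
    """Permissions the token lacks for the risky user endpoints (empty set = ready)."""
    _, granted = token_permissions(access_token)
    return REQUIRED_PERMISSIONS - granted


def risky_user_attributes(record: dict) -> dict:
    """Project one Graph riskyUser object onto the four risk attributes the page lists.

    Keys are the Graph property names; the connector's own attribute names are not
    given on this page, so mapping them is left to the schema you define.
    """
    return {
        "riskLevel": record.get("riskLevel"),
        "riskState": record.get("riskState"),
        "riskDetail": record.get("riskDetail"),
        "riskLastUpdatedDateTime": record.get("riskLastUpdatedDateTime"),
    }


def users_needing_attention(response: dict) -> list[str]:
    """UPNs from one riskyUsers page whose risk is still open, newest update first."""
    open_risk = [u for u in response.get("value", []) if u.get("riskState") in ACTIVE_RISK_STATES]
    open_risk.sort(key=lambda u: u["riskLastUpdatedDateTime"], reverse=True)
    return [u["userPrincipalName"] for u in open_risk]


# --- constructed sample data (hypothetical tenant, invented values) -----------------
APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All", "User.Read.All"],
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "IdentityRiskyUser.Read.All User.Read",  # IdentityRiskEvent.Read.All not consented
})
SAMPLE_RESPONSE = {  # shape of GET .../identityProtection/riskyUsers
    "value": [
        {"userPrincipalName": "alice@contoso.example", "riskLevel": "high",
         "riskState": "atRisk", "riskDetail": "none",
         "riskLastUpdatedDateTime": "2024-03-02T09:15:00Z"},
        {"userPrincipalName": "bob@contoso.example", "riskLevel": "none",
         "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset",
         "riskLastUpdatedDateTime": "2024-03-01T17:40:00Z"},
        {"userPrincipalName": "carol@contoso.example", "riskLevel": "medium",
         "riskState": "confirmedCompromised", "riskDetail": "adminConfirmedUserCompromised",
         "riskLastUpdatedDateTime": "2024-03-03T06:05:00Z"},
    ]
}

if __name__ == "__main__":
    for name, tok in (("application", APP_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, "token missing:", sorted(missing_permissions(tok)) or "nothing")
    print("open risk:", users_needing_attention(SAMPLE_RESPONSE))
    print(risky_user_attributes(SAMPLE_RESPONSE["value"][0]))
```

Run against a real token (pasted from the connector's auth test) the permission check tells you immediately whether a failing aggregation is a consent problem; a delegated token whose `scp` lacks either permission, as in the constructed second token, is the common case when admin consent was granted for the wrong permission type. Remediated or dismissed users still appear in the response with a `riskState` and `riskLastUpdatedDateTime`, so aggregation logic should key off `riskState`, not merely the presence of a record.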