openapi: 3.1.0 info: title: Microsoft Graph Identityprotection description: Needs a description. paths: /identityProtection: description: Provides operations to manage the identityProtectionRoot singleton. get: tags: - identityProtection.identityProtectionRoot summary: Microsoft Graph Get identityProtection operationId: identityProtection.identityProtectionRoot.GetIdentityProtectionRoot parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved entity content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.identityProtectionRoot' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.identityProtectionRoot summary: Microsoft Graph Update identityProtection operationId: identityProtection.identityProtectionRoot.UpdateIdentityProtectionRoot requestBody: description: New property values content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.identityProtectionRoot' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.identityProtectionRoot' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation /identityProtection/riskDetections: description: >- Provides operations to manage the riskDetections property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskDetection summary: Microsoft Graph List riskDetections description: Get a list of the riskDetection objects and their properties. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskdetection-list?view=graph-rest-1.0 operationId: identityProtection.ListRiskDetections parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: >- #/components/responses/microsoft.graph.riskDetectionCollectionResponse 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.riskDetection summary: Microsoft Graph Create new navigation property to riskDetections for identityProtection operationId: identityProtection.CreateRiskDetections requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskDetection' required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskDetection' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation /identityProtection/riskDetections/{riskDetection-id}: description: >- Provides operations to manage the riskDetections property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskDetection summary: Microsoft Graph Get riskDetection description: Read the properties and relationships of a riskDetection object. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskdetection-get?view=graph-rest-1.0 operationId: identityProtection.GetRiskDetections parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskDetection' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.riskDetection summary: Microsoft Graph Update the navigation property riskDetections in identityProtection operationId: identityProtection.UpdateRiskDetections requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskDetection' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskDetection' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.riskDetection summary: Microsoft Graph Delete navigation property riskDetections for identityProtection operationId: identityProtection.DeleteRiskDetections parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskDetection-id in: path description: The unique identifier of riskDetection required: true schema: type: string x-ms-docs-key-type: riskDetection /identityProtection/riskDetections/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.riskDetection summary: Microsoft Graph Get the number of the resource operationId: identityProtection.riskDetections.GetCount-ee19 parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' /identityProtection/riskyServicePrincipals: description: >- Provides operations to manage the riskyServicePrincipals property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph List riskyServicePrincipals description: >- Retrieve the properties and relationships of riskyServicePrincipal objects. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/identityprotectionroot-list-riskyserviceprincipals?view=graph-rest-1.0 operationId: identityProtection.ListRiskyServicePrincipals parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: >- #/components/responses/microsoft.graph.riskyServicePrincipalCollectionResponse 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.riskyServicePrincipal summary: >- Microsoft Graph Create new navigation property to riskyServicePrincipals for identityProtection operationId: identityProtection.CreateRiskyServicePrincipals requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation /identityProtection/riskyServicePrincipals/{riskyServicePrincipal-id}: description: >- Provides operations to manage the riskyServicePrincipals property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Get riskyServicePrincipal description: Read the properties and relationships of a riskyServicePrincipal object. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyserviceprincipal-get?view=graph-rest-1.0 operationId: identityProtection.GetRiskyServicePrincipals parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.riskyServicePrincipal summary: >- Microsoft Graph Update the navigation property riskyServicePrincipals in identityProtection operationId: identityProtection.UpdateRiskyServicePrincipals requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Delete navigation property riskyServicePrincipals for identityProtection operationId: identityProtection.DeleteRiskyServicePrincipals parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyServicePrincipal-id in: path description: The unique identifier of riskyServicePrincipal required: true schema: type: string x-ms-docs-key-type: riskyServicePrincipal /identityProtection/riskyServicePrincipals/{riskyServicePrincipal-id}/history: description: >- Provides operations to manage the history property of the microsoft.graph.riskyServicePrincipal entity. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph List history (risk history of riskyServicePrincipal) description: Get the risk history of a riskyServicePrincipal object. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyserviceprincipal-list-history?view=graph-rest-1.0 operationId: identityProtection.riskyServicePrincipals.ListHistory parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: >- #/components/responses/microsoft.graph.riskyServicePrincipalHistoryItemCollectionResponse 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Create new navigation property to history for identityProtection operationId: identityProtection.riskyServicePrincipals.CreateHistory requestBody: description: New navigation property content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyServicePrincipal-id in: path description: The unique identifier of riskyServicePrincipal required: true schema: type: string x-ms-docs-key-type: riskyServicePrincipal /identityProtection/riskyServicePrincipals/{riskyServicePrincipal-id}/history/{riskyServicePrincipalHistoryItem-id}: description: >- Provides operations to manage the history property of the microsoft.graph.riskyServicePrincipal entity. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Get history from identityProtection description: Represents the risk history of Microsoft Entra service principals. operationId: identityProtection.riskyServicePrincipals.GetHistory parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Update the navigation property history in identityProtection operationId: identityProtection.riskyServicePrincipals.UpdateHistory requestBody: description: New navigation property values content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem required: true responses: 2XX: description: Success content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Delete navigation property history for identityProtection operationId: identityProtection.riskyServicePrincipals.DeleteHistory parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyServicePrincipal-id in: path description: The unique identifier of riskyServicePrincipal required: true schema: type: string x-ms-docs-key-type: riskyServicePrincipal - name: riskyServicePrincipalHistoryItem-id in: path description: The unique identifier of riskyServicePrincipalHistoryItem required: true schema: type: string x-ms-docs-key-type: riskyServicePrincipalHistoryItem /identityProtection/riskyServicePrincipals/{riskyServicePrincipal-id}/history/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Get the number of the resource operationId: identityProtection.riskyServicePrincipals.history.GetCount-818f parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' parameters: - name: riskyServicePrincipal-id in: path description: The unique identifier of riskyServicePrincipal required: true schema: type: string x-ms-docs-key-type: riskyServicePrincipal /identityProtection/riskyServicePrincipals/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Get the number of the resource operationId: identityProtection.riskyServicePrincipals.GetCount-d335 parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' /identityProtection/riskyServicePrincipals/confirmCompromised: description: Provides operations to call the confirmCompromised method. post: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Invoke action confirmCompromised description: >- Confirm one or more riskyServicePrincipal objects as compromised. This action sets the targeted service principal account's risk level to high. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyserviceprincipal-confirmcompromised?view=graph-rest-1.0 operationId: identityProtection.riskyServicePrincipals.confirmCompromised requestBody: description: Action parameters content: application/json: schema: type: object properties: servicePrincipalIds: type: array items: type: string nullable: true required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: action x-ms-docs-grouped-path: - /identityProtection/riskyUsers/confirmCompromised /identityProtection/riskyServicePrincipals/dismiss: description: Provides operations to call the dismiss method. post: tags: - identityProtection.riskyServicePrincipal summary: Microsoft Graph Invoke action dismiss description: >- Dismiss the risk of one or more riskyServicePrincipal objects. This action sets the targeted service principal account's risk level to none. You can dismiss up to 60 service principal accounts in one request. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyserviceprincipal-dismiss?view=graph-rest-1.0 operationId: identityProtection.riskyServicePrincipals.dismiss requestBody: description: Action parameters content: application/json: schema: type: object properties: servicePrincipalIds: type: array items: type: string nullable: true required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: action x-ms-docs-grouped-path: - /identityProtection/riskyUsers/dismiss /identityProtection/riskyUsers: description: >- Provides operations to manage the riskyUsers property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskyUser summary: Microsoft Graph List riskyUsers description: Get a list of the riskyUser objects and their properties. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-list?view=graph-rest-1.0 operationId: identityProtection.ListRiskyUsers parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: '#/components/responses/microsoft.graph.riskyUserCollectionResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.riskyUser summary: Microsoft Graph Create new navigation property to riskyUsers for identityProtection operationId: identityProtection.CreateRiskyUsers requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUser' required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUser' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation /identityProtection/riskyUsers/{riskyUser-id}: description: >- Provides operations to manage the riskyUsers property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.riskyUser summary: Microsoft Graph Get riskyUser description: Read the properties and relationships of a riskyUser object. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-get?view=graph-rest-1.0 operationId: identityProtection.GetRiskyUsers parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUser' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.riskyUser summary: Microsoft Graph Update the navigation property riskyUsers in identityProtection operationId: identityProtection.UpdateRiskyUsers requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUser' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUser' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.riskyUser summary: Microsoft Graph Delete navigation property riskyUsers for identityProtection operationId: identityProtection.DeleteRiskyUsers parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyUser-id in: path description: The unique identifier of riskyUser required: true schema: type: string x-ms-docs-key-type: riskyUser /identityProtection/riskyUsers/{riskyUser-id}/history: description: >- Provides operations to manage the history property of the microsoft.graph.riskyUser entity. get: tags: - identityProtection.riskyUser summary: Microsoft Graph List history of riskyUser description: Get the riskyUserHistoryItems from the history navigation property. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-list-history?view=graph-rest-1.0 operationId: identityProtection.riskyUsers.ListHistory parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: >- #/components/responses/microsoft.graph.riskyUserHistoryItemCollectionResponse 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.riskyUser summary: Microsoft Graph Create new navigation property to history for identityProtection operationId: identityProtection.riskyUsers.CreateHistory requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyUser-id in: path description: The unique identifier of riskyUser required: true schema: type: string x-ms-docs-key-type: riskyUser /identityProtection/riskyUsers/{riskyUser-id}/history/{riskyUserHistoryItem-id}: description: >- Provides operations to manage the history property of the microsoft.graph.riskyUser entity. get: tags: - identityProtection.riskyUser summary: Microsoft Graph Get history from identityProtection description: The activity related to user risk level change operationId: identityProtection.riskyUsers.GetHistory parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.riskyUser summary: Microsoft Graph Update the navigation property history in identityProtection operationId: identityProtection.riskyUsers.UpdateHistory requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.riskyUser summary: Microsoft Graph Delete navigation property history for identityProtection operationId: identityProtection.riskyUsers.DeleteHistory parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: riskyUser-id in: path description: The unique identifier of riskyUser required: true schema: type: string x-ms-docs-key-type: riskyUser - name: riskyUserHistoryItem-id in: path description: The unique identifier of riskyUserHistoryItem required: true schema: type: string x-ms-docs-key-type: riskyUserHistoryItem /identityProtection/riskyUsers/{riskyUser-id}/history/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.riskyUser summary: Microsoft Graph Get the number of the resource operationId: identityProtection.riskyUsers.history.GetCount-33a2 parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' parameters: - name: riskyUser-id in: path description: The unique identifier of riskyUser required: true schema: type: string x-ms-docs-key-type: riskyUser /identityProtection/riskyUsers/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.riskyUser summary: Microsoft Graph Get the number of the resource operationId: identityProtection.riskyUsers.GetCount-2b7d parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' /identityProtection/riskyUsers/confirmCompromised: description: Provides operations to call the confirmCompromised method. post: tags: - identityProtection.riskyUser summary: Microsoft Graph Invoke action confirmCompromised description: >- Confirm one or more riskyUser objects as compromised. This action sets the targeted user's risk level to high. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-confirmcompromised?view=graph-rest-1.0 operationId: identityProtection.riskyUsers.confirmCompromised requestBody: description: Action parameters content: application/json: schema: type: object properties: userIds: type: array items: type: string nullable: true required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: action x-ms-docs-grouped-path: - /identityProtection/riskyServicePrincipals/confirmCompromised /identityProtection/riskyUsers/confirmSafe: description: Provides operations to call the confirmSafe method. post: tags: - identityProtection.riskyUser summary: Microsoft Graph Invoke action confirmSafe description: >- Confirm one or more riskyUser objects as safe. This action sets the targeted user's risk level to none. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-confirmsafe?view=graph-rest-1.0 operationId: identityProtection.riskyUsers.confirmSafe requestBody: description: Action parameters content: application/json: schema: type: object properties: userIds: type: array items: type: string nullable: true required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: action /identityProtection/riskyUsers/dismiss: description: Provides operations to call the dismiss method. post: tags: - identityProtection.riskyUser summary: Microsoft Graph Invoke action dismiss description: >- Dismiss the risk of one or more riskyUser objects. This action sets the targeted user's risk level to none. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/riskyuser-dismiss?view=graph-rest-1.0 operationId: identityProtection.riskyUsers.dismiss requestBody: description: Action parameters content: application/json: schema: type: object properties: userIds: type: array items: type: string nullable: true required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: action x-ms-docs-grouped-path: - /identityProtection/riskyServicePrincipals/dismiss /identityProtection/servicePrincipalRiskDetections: description: >- Provides operations to manage the servicePrincipalRiskDetections property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.servicePrincipalRiskDetection summary: Microsoft Graph List servicePrincipalRiskDetections description: >- Retrieve the properties of a collection of servicePrincipalRiskDetection objects. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/identityprotectionroot-list-serviceprincipalriskdetections?view=graph-rest-1.0 operationId: identityProtection.ListServicePrincipalRiskDetections parameters: - $ref: '#/components/parameters/top' - $ref: '#/components/parameters/skip' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: >- #/components/responses/microsoft.graph.servicePrincipalRiskDetectionCollectionResponse 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - identityProtection.servicePrincipalRiskDetection summary: >- Microsoft Graph Create new navigation property to servicePrincipalRiskDetections for identityProtection operationId: identityProtection.CreateServicePrincipalRiskDetections requestBody: description: New navigation property content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.servicePrincipalRiskDetection required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.servicePrincipalRiskDetection 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation /identityProtection/servicePrincipalRiskDetections/{servicePrincipalRiskDetection-id}: description: >- Provides operations to manage the servicePrincipalRiskDetections property of the microsoft.graph.identityProtectionRoot entity. get: tags: - identityProtection.servicePrincipalRiskDetection summary: Microsoft Graph Get servicePrincipalRiskDetection description: >- Read the properties and relationships of a servicePrincipalRiskDetection object. externalDocs: description: Find more info here url: >- https://learn.microsoft.com/graph/api/serviceprincipalriskdetection-get?view=graph-rest-1.0 operationId: identityProtection.GetServicePrincipalRiskDetections parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.servicePrincipalRiskDetection 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation patch: tags: - identityProtection.servicePrincipalRiskDetection summary: >- Microsoft Graph Update the navigation property servicePrincipalRiskDetections in identityProtection operationId: identityProtection.UpdateServicePrincipalRiskDetections requestBody: description: New navigation property values content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.servicePrincipalRiskDetection required: true responses: 2XX: description: Success content: application/json: schema: $ref: >- #/components/schemas/microsoft.graph.servicePrincipalRiskDetection 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation delete: tags: - identityProtection.servicePrincipalRiskDetection summary: >- Microsoft Graph Delete navigation property servicePrincipalRiskDetections for identityProtection operationId: identityProtection.DeleteServicePrincipalRiskDetections parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-ms-docs-operation-type: operation parameters: - name: servicePrincipalRiskDetection-id in: path description: The unique identifier of servicePrincipalRiskDetection required: true schema: type: string x-ms-docs-key-type: servicePrincipalRiskDetection /identityProtection/servicePrincipalRiskDetections/$count: description: Provides operations to count the resources in the collection. get: tags: - identityProtection.servicePrincipalRiskDetection summary: Microsoft Graph Get the number of the resource operationId: identityProtection.servicePrincipalRiskDetections.GetCount-1bc5 parameters: - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' components: schemas: microsoft.graph.identityProtectionRoot: title: identityProtectionRoot required: - '@odata.type' type: object properties: riskDetections: type: array items: $ref: '#/components/schemas/microsoft.graph.riskDetection' description: >- Risk detection in Microsoft Entra ID Protection and the associated information about the detection. x-ms-navigationProperty: true riskyServicePrincipals: type: array items: $ref: '#/components/schemas/microsoft.graph.riskyServicePrincipal' description: Microsoft Entra service principals that are at risk. x-ms-navigationProperty: true riskyUsers: type: array items: $ref: '#/components/schemas/microsoft.graph.riskyUser' description: Users that are flagged as at-risk by Microsoft Entra ID Protection. x-ms-navigationProperty: true servicePrincipalRiskDetections: type: array items: $ref: '#/components/schemas/microsoft.graph.servicePrincipalRiskDetection' description: >- Represents information about detected at-risk service principals in a Microsoft Entra tenant. x-ms-navigationProperty: true '@odata.type': type: string microsoft.graph.riskDetection: allOf: - $ref: '#/components/schemas/microsoft.graph.entity' - title: riskDetection required: - '@odata.type' type: object properties: activity: anyOf: - $ref: '#/components/schemas/microsoft.graph.activityType' - type: object nullable: true description: Indicates the activity type the detected risk is linked to. activityDateTime: pattern: >- ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: >- Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z format: date-time nullable: true additionalInfo: type: string description: >- Additional information associated with the risk detection in JSON format. For example, '[{/'Key/':/'userAgent/',/'Value/':/'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36/'}]'. Possible keys in the additionalInfo JSON string are: userAgent, alertUrl, relatedEventTimeInUtc, relatedUserAgent, deviceInformation, relatedLocation, requestId, correlationId, lastActivityTimeInUtc, malwareName, clientLocation, clientIp, riskReasons. For more information about riskReasons and possible values, see riskReasons values. nullable: true correlationId: type: string description: >- Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. nullable: true detectedDateTime: pattern: >- ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: >- Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z format: date-time nullable: true detectionTimingType: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskDetectionTimingType' - type: object nullable: true description: >- Timing of the detected risk (real-time/offline). The possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. ipAddress: type: string description: >- Provides the IP address of the client from where the risk occurred. nullable: true lastUpdatedDateTime: pattern: >- ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: >- Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z format: date-time nullable: true location: anyOf: - $ref: '#/components/schemas/microsoft.graph.signInLocation' - type: object nullable: true description: Location of the sign-in. requestId: type: string description: >- Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. nullable: true riskDetail: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskDetail' - type: object nullable: true description: Details of the detected risk. riskEventType: type: string description: >- The type of risk event detected. The possible values are adminConfirmedUserCompromised, anomalousToken, anomalousUserActivity, anonymizedIPAddress, generic, impossibleTravel, investigationsThreatIntelligence, suspiciousSendingPatterns, leakedCredentials, maliciousIPAddress,malwareInfectedIPAddress, mcasSuspiciousInboxManipulationRules, newCountry, passwordSpray,riskyIPAddress, suspiciousAPITraffic, suspiciousBrowser,suspiciousInboxForwarding, suspiciousIPAddress, tokenIssuerAnomaly, unfamiliarFeatures, unlikelyTravel. If the risk detection is a premium detection, will show generic. For more information about each value, see Risk types and detection. nullable: true riskLevel: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskLevel' - type: object nullable: true description: >- Level of the detected risk. The possible values are: low, medium, high, hidden, none, unknownFutureValue. riskState: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskState' - type: object nullable: true description: >- The state of a detected risky user or sign-in. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. source: type: string description: Source of the risk detection. For example, activeDirectory. nullable: true tokenIssuerType: anyOf: - $ref: '#/components/schemas/microsoft.graph.tokenIssuerType' - type: object nullable: true description: >- Indicates the type of token issuer for the detected sign-in risk. The possible values are: AzureAD, ADFederationServices, UnknownFutureValue. userDisplayName: type: string description: The user principal name (UPN) of the user. nullable: true userId: type: string description: Unique ID of the user. nullable: true userPrincipalName: type: string description: The user principal name (UPN) of the user. nullable: true '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.riskDetection' microsoft.graph.riskyServicePrincipal: allOf: - $ref: '#/components/schemas/microsoft.graph.entity' - title: riskyServicePrincipal required: - '@odata.type' type: object properties: appId: type: string description: >- The globally unique identifier for the associated application (its appId property), if any. nullable: true displayName: type: string description: The display name for the service principal. nullable: true isEnabled: type: boolean description: >- true if the service principal account is enabled; otherwise, false. nullable: true isProcessing: type: boolean description: >- Indicates whether Microsoft Entra ID is currently processing the service principal's risky state. nullable: true riskDetail: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskDetail' - type: object nullable: true description: >- Details of the detected risk. Note: Details for this property are only available for Workload Identities Premium customers. Events in tenants without this license will be returned hidden. riskLastUpdatedDateTime: pattern: >- ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: >- The date and time that the risk state was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2021 is 2021-01-01T00:00:00Z. Supports $filter (eq). format: date-time nullable: true riskLevel: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskLevel' - type: object nullable: true description: >- Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). riskState: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskState' - type: object nullable: true description: >- State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. servicePrincipalType: type: string description: >- Identifies whether the service principal represents an Application, a ManagedIdentity, or a legacy application (socialIdp). This is set by Microsoft Entra ID internally and is inherited from servicePrincipal. nullable: true history: type: array items: $ref: >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem description: >- Represents the risk history of Microsoft Entra service principals. x-ms-navigationProperty: true '@odata.type': type: string discriminator: propertyName: '@odata.type' mapping: '#microsoft.graph.riskyServicePrincipalHistoryItem': >- #/components/schemas/microsoft.graph.riskyServicePrincipalHistoryItem microsoft.graph.riskyUser: allOf: - $ref: '#/components/schemas/microsoft.graph.entity' - title: riskyUser required: - '@odata.type' type: object properties: isDeleted: type: boolean description: >- Indicates whether the user is deleted. The possible values are: true, false. nullable: true isProcessing: type: boolean description: >- Indicates whether the backend is processing a user's risky state. nullable: true riskDetail: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskDetail' - type: object nullable: true description: Details of the detected risk. riskLastUpdatedDateTime: pattern: >- ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: >- The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. format: date-time nullable: true riskLevel: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskLevel' - type: object nullable: true description: >- Level of the detected risky user. The possible values are: low, medium, high, hidden, none, unknownFutureValue. riskState: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskState' - type: object nullable: true description: >- State of the user's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. userDisplayName: type: string description: Risky user display name. nullable: true userPrincipalName: type: string description: Risky user principal name. nullable: true history: type: array items: $ref: '#/components/schemas/microsoft.graph.riskyUserHistoryItem' description: The activity related to user risk level change x-ms-navigationProperty: true '@odata.type': type: string discriminator: propertyName: '@odata.type' mapping: '#microsoft.graph.riskyUserHistoryItem': '#/components/schemas/microsoft.graph.riskyUserHistoryItem' microsoft.graph.riskyUserHistoryItem: allOf: - $ref: '#/components/schemas/microsoft.graph.riskyUser' - title: riskyUserHistoryItem required: - '@odata.type' type: object properties: activity: anyOf: - $ref: '#/components/schemas/microsoft.graph.riskUserActivity' - type: object nullable: true description: The activity related to user risk level change. initiatedBy: type: string description: The ID of actor that does the operation. nullable: true userId: type: string description: The ID of the user. nullable: true '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.riskyUserHistoryItem' parameters: top: name: $top in: query description: Show only the first n items style: form explode: false schema: minimum: 0 type: integer example: 50 skip: name: $skip in: query description: Skip the first n items style: form explode: false schema: minimum: 0 type: integer search: name: $search in: query description: Search items by search phrases style: form explode: false schema: type: string filter: name: $filter in: query description: Filter items by property values style: form explode: false schema: type: string count: name: $count in: query description: Include count of items style: form explode: false schema: type: boolean examples: {} responses: error: description: error content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.ODataErrors.ODataError' ODataCountResponse: description: The count of the resource content: text/plain: schema: $ref: '#/components/schemas/ODataCountResponse' microsoft.graph.riskyUserCollectionResponse: description: Retrieved collection content: application/json: schema: $ref: '#/components/schemas/microsoft.graph.riskyUserCollectionResponse' tags: - name: identityProtection.identityProtectionRoot - name: identityProtection.riskDetection - name: identityProtection.riskyServicePrincipal - name: identityProtection.riskyUser - name: identityProtection.servicePrincipalRiskDetection