Today we’re announcing the introduction of a new preview API to Microsoft Graph: IdentityRiskEvents. This API works in conjunction with Azure Active Directory Identity Protection and allows developers to query risk events generated by Identity Protection. These risk events are sign-ins and other events that have been analyzed and found to be “risky” by Identity Protection’s machine learning and algorithms. For example, Identity Protection thinks that it might not be the actual user trying to sign in, or the account is known to be at risk (e.g. we’ve detected leaked credentials). Identity Protection is currently in public preview, and the API is available to all tenants signed up for Identity Protection. This is the first API we’re releasing from the Identity Protection family, with more to follow soon.
With the identityRiskEvents API, developers can retrieve a collection of all types of risk events by making a GET request to https://graph.microsoft.com/beta/identityRiskEvents. Each identityRiskEvent entity contains information about the affected user, date and time data, and the type, severity, and status of the risk event. Additional information is included for specific subtypes of risk events: for example, a suspiciousIpRiskEvent entity contains location information for the IP address in question, and a malwareRiskEvent entity contains information about the malware involved.
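The following added example, which is not code from this post or from Microsoft, builds the GET request described above and triages a response by user, severity, and status. The response body is constructed, and the property names (userPrincipalName, riskLevel, riskEventStatus, riskEventDateTime, @odata.type) and their values are assumptions to check against the live schema.

```python
import json
from urllib.request import Request

ENDPOINT = "https://graph.microsoft.com/beta/identityRiskEvents"  # URL from the post
# Constructed sample response. Property names and values are assumptions made
# for this example; "critical" is a deliberately unrecognised severity.
SAMPLE = json.loads("""{"value": [
  {"@odata.type": "#microsoft.graph.suspiciousIpRiskEvent", "userPrincipalName": "alice@contoso.example",
   "riskLevel": "medium", "riskEventStatus": "active", "riskEventDateTime": "2016-07-01T10:15:00Z"},
  {"@odata.type": "#microsoft.graph.malwareRiskEvent", "userPrincipalName": "alice@contoso.example",
   "riskLevel": "high", "riskEventStatus": "active", "riskEventDateTime": "2016-07-02T08:00:00Z"},
  {"@odata.type": "#microsoft.graph.suspiciousIpRiskEvent", "userPrincipalName": "bob@contoso.example",
   "riskLevel": "high", "riskEventStatus": "remediated", "riskEventDateTime": "2016-07-02T09:30:00Z"},
  {"@odata.type": "#microsoft.graph.suspiciousIpRiskEvent", "userPrincipalName": "carol@contoso.example",
   "riskLevel": "low", "riskEventStatus": "active", "riskEventDateTime": "2016-07-03T11:45:00Z"},
  {"@odata.type": "#microsoft.graph.identityRiskEvent", "userPrincipalName": "dave@contoso.example",
   "riskLevel": "critical", "riskEventStatus": "active", "riskEventDateTime": "2016-07-03T12:00:00Z"}
]}""")

RANK = {"low": 1, "medium": 2, "high": 3}
UNKNOWN = 4  # unrecognised severities sort first instead of being dropped

def build_request(token):
    """Build (without sending) the GET request for the full collection."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    return Request(ENDPOINT, headers=headers, method="GET")

def triage(events, min_level="medium"):
    """Return [(user, worst_severity, [subtypes])] for active events, worst first."""
    users = {}
    for ev in events:
        if ev.get("riskEventStatus") != "active":
            continue  # skip events that are no longer open
        level = str(ev.get("riskLevel", "unknown")).lower()
        rank = RANK.get(level, UNKNOWN)
        if rank < RANK[min_level]:
            continue  # below the severity threshold
        subtype = ev.get("@odata.type", "").rsplit(".", 1)[-1] or "identityRiskEvent"
        entry = users.setdefault(ev.get("userPrincipalName", "<unknown>"), [0, "", []])
        if rank > entry[0]:
            entry[0], entry[1] = rank, level  # remember the worst severity seen
        entry[2].append(subtype)
    ordered = sorted(users.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(user, e[1], e[2]) for user, e in ordered]

if __name__ == "__main__":
    for row in triage(SAMPLE["value"]):
        print(row)
```

Token acquisition is left out; build_request only shows where the bearer token goes.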
The subtypes can also be queried specifically:
Check it out and let us know if you have any questions or comments. You can do so at Stack Overflow and UserVoice. If your tenant isn’t signed up for Azure AD Identity Protection, check it out here—it’s a great tool for protecting your users.
Michael McLaughlin on behalf of the Microsoft Graph and Azure AD Identity Protection teams