Connectors Reference

Azure AD Identity Protection

Identity Protection is a tool that allows organizations to discover, investigate, and remediate identity-based risks in their environment.

 

Status: Preview

Tier: Premium

Version: 1.0.0

 

Actions:

| Name | Summary |
|---|---|
| GetRiskUser (string Id) | Get risky user |
| ConfirmRiskUser ([Optional]ConfirmRiskUserParameterBody body) | Confirm a risky user as compromised |
| riskDetections (string Id) | Get risk detections |
| DismissRiskUser ([Optional]DismissRiskUserParameterBody body) | Dismiss a risky user |
| GetRiskUserHistory (string Id) | Get the risk history of a risky user |

 

Triggers:

| Name | Summary |
|---|---|

 

Objects:

| Name | Summary |
|---|---|
| ConfirmRiskUserParameterBody | |
| DismissRiskUserParameterBody | |
| Get_riskDetection | |
| Get_risk_history | |
| Get_Risk_User_Result | |

 

 

Actions:

GetRiskUser

Summary: Get risky user

Description: Get a specific risky user and its properties

 

Syntax:

AzureADIdentityProtection.GetRiskUser (string Id)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
|---|---|---|---|---|
| Id | string | (Get Risk User) User Id or user Principal name | True | |

 

Returns:

Type: Get_Risk_User_Result

Description: Get risk user result

 

ConfirmRiskUser

Summary: Confirm a risky user as compromised

Description: Confirm a risky user as compromised

 

Syntax:

AzureADIdentityProtection.ConfirmRiskUser ([Optional]ConfirmRiskUserParameterBody body)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
|---|---|---|---|---|
| body | ConfirmRiskUserParameterBody | | False | |

 

Returns:

 

riskDetections

Summary: Get risk detections

Description: Get riskDetections

 

Syntax:

AzureADIdentityProtection.riskDetections (string Id)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
|---|---|---|---|---|
| Id | string | (Get risk detections) User Id or user Principal Name | True | |

 

Returns:

Type: Get_riskDetection

Description: This API provides programmatic access to all risk detections in your Azure AD environment

 

DismissRiskUser

Summary: Dismiss a risky user

Description: Dismiss a risky user

 

Syntax:

AzureADIdentityProtection.DismissRiskUser ([Optional]DismissRiskUserParameterBody body)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
|---|---|---|---|---|
| body | DismissRiskUserParameterBody | | False | |

 

Returns:

 

GetRiskUserHistory

Summary: Get the risk history of a risky user

Description: Get the risk history

 

Syntax:

AzureADIdentityProtection.GetRiskUserHistory (string Id)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
|---|---|---|---|---|
| Id | string | (Get history risk for user) User Id or user Principal Name | True | |

 

Returns:

Type: Get_risk_history

Description: Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection

 


 

ConfirmRiskUserParameterBody

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| userIds | array of (string) | |

 

 


 

DismissRiskUserParameterBody

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| userIds | array of (string) | |

 

 


 

Get_riskDetection

Summary:

Description: This API provides programmatic access to all risk detections in your Azure AD environment

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| @@odata.type | string | |
| id | string | Unique ID of the risk detection. Inherited from entity |
| requestId | string | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
| correlationId | string | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in |
| riskEventType | string | The type of risk event detected |
| riskState | string | The state of a detected risky user or sign-in |
| riskLevel | string | Level of the detected risk |
| riskDetail | string | Details of the detected risk |
| source | string | Source of the risk detection |
| detectionTimingType | string | Date and time that the risk was detected |
| activity | string | Indicates the activity type the detected risk is linked to |
| tokenIssuerType | string | Indicates the type of token issuer for the detected sign-in risk |
| ipAddress | string | Provides the IP address of the client from where the risk occurred. |
| location | Location | Location of the sign-in |
| activityDateTime | string | Date and time that the risky activity occurred |
| detectedDateTime | string | Date and time that the risk was detected |
| lastUpdatedDateTime | string | Date and time that the risk detection was last updated |
| userId | string | Unique ID of the user |
| userDisplayName | string | The user principal name (UPN) of the user |
| userPrincipalName | string | The user principal name (UPN) of the user. |
| additionalInfo | string | Additional information associated with the risk detection in JSON format. |

 

Location

Summary:

Description: Location of the sign-in

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| @@odata.type | string | |

 

 

 


 

Get_risk_history

Summary:

Description: Represents the risk history of an Azure AD user as determined by Azure AD Identity Protection

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| @@odata.type | string | |
| id | string | Inherited from entity |
| isDeleted | string | Inherited from riskyUser |
| isProcessing | string | Inherited from riskyUser |
| riskLastUpdatedDateTime | string | Inherited from riskyUser |
| riskLevel | string | Inherited from riskyUser |
| riskState | string | Inherited from riskyUser |
| riskDetail | string | Inherited from riskyUser |
| userDisplayName | string | Inherited from riskyUser |
| userPrincipalName | string | Risky user principal name |
| userId | string | The id of the user |
| initiatedBy | string | The id of the actor that does the operation |
| activity | Activity | The activity related to user risk level change |

 

Activity

Summary:

Description: The activity related to user risk level change

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| @@odata.type | string | |

 

 

 


 

Get_Risk_User_Result

Summary:

Description: Get risk user result

 

          Properties:

| Name | Type | Summary |
|---|---|---|
| @@odata.context | string | |
| id | string | Unique ID of the user at risk |
| isDeleted | boolean | Indicates whether the user is deleted. Possible values are: true, false |
| isProcessing | boolean | Indicates whether a user's risky state is being processed by the backend |
| riskLevel | string | Level of the detected risky user |
| riskState | string | The date and time that the risky user was last updated |
| riskDetail | string | Details of the detected risk |
| riskLastUpdatedDateTime | string | The date and time that the risky user was last updated. |
| userDisplayName | string | Risky user display name |
| userPrincipalName | string | Risky user principal name |