March 9th, 2020

Identity Protection APIs for US Gov: New Availability & Deprecation Notice

Today we’re announcing two new ways for customers in the US Government cloud to get Azure AD Identity Protection data through Microsoft Graph: the riskyUsers API and the riskDetection API. These APIs enable you to query risky users and risky sign-ins detected by Azure AD Identity Protection. They were added to Microsoft Graph as part of the refreshed Identity Protection experience, and we’re excited to extend these capabilities to the US Government cloud. Identity Protection detects risky sign-ins and users through heuristic and machine learning systems to help organizations identify and respond to potential compromises.

With the riskyUsers API, you can retrieve information about specific users and their risk status. You can make a GET request to https://graph.microsoft.com/beta/riskyUsers/{id}, and the response will include information about specific users’ (which explains the reason behind their risk state). This API can be useful to understand which users fit different risk profiles, such as all the users with a specific risk level or whose risk state changed during a specific period of time.

With the riskDetection API, you can retrieve information about specific risk detections and why they are risky. You can make a GET request to https://graph.microsoft.com/beta/riskDetections, and the response will include a list of risk detections and their details, including the risk level, risk event type, and associated user. This API can be useful to understand the types of risk detections in your environment and to identify patterns of malicious activity, such as trends of a specific type of risk detection or risk detections within a specific timeframe.
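As an added illustration (not code from this post or from Microsoft), the sketch below builds a filtered riskDetections query, follows `@odata.nextLink` paging, and tallies detections by type and by user. The function names and the two-page sample response are constructed for the example; `graph_get` assumes you already hold a valid bearer token.

```python
import json
import urllib.request
from collections import Counter
from urllib.parse import quote

BASE = "https://graph.microsoft.com/beta"   # endpoint as written in the post
LEVELS = {"low", "medium", "high"}          # subset of the riskLevel enum

def build_url(risk_level, since_utc):
    """riskDetections query for one risk level, detected on/after since_utc."""
    if risk_level not in LEVELS:             # never splice free text into $filter
        raise ValueError(f"unexpected risk level: {risk_level!r}")
    flt = f"riskLevel eq '{risk_level}' and detectedDateTime ge {since_utc}"
    return f"{BASE}/riskDetections?$filter={quote(flt)}"

def graph_get(url, token):
    """Live transport: one authenticated GET, decoded as JSON."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_detections(url, get_json):
    """Follow @odata.nextLink until the service stops returning one."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def summarize(detections):
    """Count detections per riskEventType and per user."""
    by_type, by_user = Counter(), Counter()
    for d in detections:
        by_type[d.get("riskEventType", "unknown")] += 1
        by_user[d.get("userPrincipalName", "unknown")] += 1
    return by_type, by_user

# Constructed two-page response standing in for the service (not real data).
START = build_url("high", "2020-03-01T00:00:00Z")
PAGES = {
    START: {"value": [
        {"riskEventType": "unfamiliarFeatures", "userPrincipalName": "a@contoso.example"},
        {"riskEventType": "anonymizedIPAddress", "userPrincipalName": "b@contoso.example"}],
        "@odata.nextLink": START + "&$skiptoken=constructed"},
    START + "&$skiptoken=constructed": {"value": [
        {"riskEventType": "unfamiliarFeatures", "userPrincipalName": "a@contoso.example"}]},
}

if __name__ == "__main__":
    by_type, by_user = summarize(iter_detections(START, PAGES.__getitem__))
    print(by_type.most_common(), by_user.most_common())
```

Against a live tenant, pass `lambda u: graph_get(u, token)` as `get_json` in place of the constructed page lookup.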

With the introduction of these APIs that can be used to query risk detections and risky users, we will be deprecating the identityRiskEvents API for US Government customers (the identityRiskEvents API has already been deprecated for commercial customers). The riskDetection and riskyUsers APIs provide more advanced details than the identityRiskEvents API.

Beginning May 16, 2020, the identityRiskEvents API will stop returning data for US Government tenants.

If you have been using the identityRiskEvents API in beta, you can transition to the riskDetection API. For more information and details on this new API, please refer to the following documentation:

If you aren’t yet using Identity Protection, check it out here. It’s a powerful tool for protecting your identities!

-Sarah Handler, on behalf of the Identity Protection team