January 29th, 2019

New Azure AD Identity Protection APIs now in preview in Microsoft Graph

Today we’re announcing two new ways to get Azure AD Identity Protection data through Microsoft Graph: The newly introduced riskyUsers API and an updated sign-in API with enhanced risk information. These APIs enable you to query users and risky sign-ins detected by Azure AD Identity Protection. These new additions to the Microsoft Graph beta endpoint are part of the refreshed Identity Protection experience that was recently released to public preview. Identity Protection detects risky sign-ins and users through heuristic and machine learning systems to help organizations identify and respond to potential compromises.

With the new riskyUsers API, you can retrieve information about specific users and their risk status. You can make a GET request to https://graph.microsoft.com/beta/riskyUsers/{id}, and the response will include information about specific users’ (which explains the reason behind their risk state). This API can be useful to understand which users fit different risk profiles, such as all the users with a specific risk level or who whose risk state changed during a specific period of time.

With the additions to the sign-in API, you can retrieve additional information about risk associated with individual sign-ins. You can make a GET request to https://graph.microsoft.com/beta/auditLogs/signIns/{id}, and in the response will return information about the (such as anonymized IP addresss) for specific sign-ins. This API can be useful to understand which patterns of risky sign-ins, such as all the successful sign-ins of a particular risk type from a specific region.

You can get started by reviewing our documentation and trying out these APIs today. We would love to hear your feedback through UserVoice or, for feedback specifically about the refreshed Identity Protection experience, through https://aka.ms/IdentityProtectionFeedback. If your tenant isn’t currently using Azure AD Identity Protection, learn more about enabling it on our Azure AD Identity Protection page.

-Sarah Handler on behalf of the Identity Protection team.