AttackSimulation.ReadWrite.All

Permission Details

Application Permission

Read, create, and update all attack simulation data of an organization

Allows the app to read, create, and update attack simulation and training data for an organization without a signed-in user.

Permission ID: e125258e-8c8a-42a8-8f55-ab502afa52f3

Delegated Permission

Read, create, and update attack simulation data of an organization

Allows the app to read, create, and update attack simulation and training data for an organization for the signed-in user.

Permission ID: 27608d7c-2c66-4cad-a657-951d575f5a60

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property	Type	Description
`alerts`	`alert collection`
`alerts_v2`	`security.alert collection`	A collection of alerts in Microsoft 365 Defender.
`attackSimulation`	`object`
`cases`	`object`
`dataSecurityAndGovernance`	`object`
`id`	`string`	The unique identifier for an entity. Read-only.
`identities`	`object`	A container for security identities APIs.
`incidents`	`security.incident collection`	A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.
`labels`	`object`
`secureScoreControlProfiles`	`secureScoreControlProfile collection`
`secureScores`	`secureScore collection`
`subjectRightsRequests`	`subjectRightsRequest collection`
`threatIntelligence`	`object`
`triggers`	`object`
`triggerTypes`	`object`

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation

{}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship	Type	Description
`alerts`	`alert collection`	Read-only. Nullable.
`alertsv2`	`security.alert collection`	A collection of alerts in Microsoft 365 Defender.
`data security and compliance`	`tenantDataSecurityAndGovernance`	A container for Microsoft Purview data security and compliance APIs.
`identities`	`security.identityContainer`	A container for security identities APIs.
`incidents`	`security.incident collection`	A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.
`alerts_v2`	`security.alert collection`	A collection of alerts in Microsoft 365 Defender.
`secureScoreControlProfiles`	`secureScoreControlProfile collection`	Related secureScoreControlProfiles data exposed by this resource.
`secureScores`	`secureScore collection`	Related secureScores data exposed by this resource.
`subjectRightsRequests`	`subjectRightsRequest collection`	Related subjectRightsRequests data exposed by this resource.
`cloudAppSecurityProfiles`	`cloudAppSecurityProfile collection`	Related cloudAppSecurityProfiles data exposed by this resource.
`domainSecurityProfiles`	`domainSecurityProfile collection`	Related domainSecurityProfiles data exposed by this resource.
`fileSecurityProfiles`	`fileSecurityProfile collection`	Related fileSecurityProfiles data exposed by this resource.
`hostSecurityProfiles`	`hostSecurityProfile collection`	Related hostSecurityProfiles data exposed by this resource.
`incidentTasks`	`security.incidentTask collection`	A collection of tasks associated with security incidents.
`ipSecurityProfiles`	`ipSecurityProfile collection`	Related ipSecurityProfiles data exposed by this resource.
`providerTenantSettings`	`providerTenantSetting collection`	Related providerTenantSettings data exposed by this resource.
`securityActions`	`securityAction collection`	Related securityActions data exposed by this resource.
`tiIndicators`	`tiIndicator collection`	Related tiIndicators data exposed by this resource.
`userSecurityProfiles`	`userSecurityProfile collection`	Related userSecurityProfiles data exposed by this resource.
`zones`	`security.zone collection`	A collection of cloud zones in Microsoft Defender for Cloud that group and manage cloud environments across multiple cloud providers.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/attackSimulation/payloads/{payloadId}/detail`
GET `/security/attackSimulation/trainings/{trainingId}/languageDetails/{trainingLanguageDetailId}?$filter=locale eq 'locale'`
POST `/security/attackSimulation/simulations`
PATCH `/security/attackSimulation/simulations/{simulationId}`
DELETE `/security/attackSimulation/simulations/{simulationId}`

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/attackSimulation/endUserNotifications`
GET `/security/attackSimulation/landingPages/{landingPageId}`
GET `/security/attackSimulation/loginPages/{loginPageId}`
GET `/security/attackSimulation/payloads/{payloadId}/detail`
GET `/security/attackSimulation/simulations/{simulationId}/landingPage`
GET `/security/attackSimulation/simulations/{simulationId}/loginPage`
GET `/security/attackSimulation/trainings/{trainingId}`
GET `/security/attackSimulation/trainings/{trainingId}/languageDetails/{trainingLanguageDetailId}?$filter=locale eq 'locale'`
POST `/security/attackSimulation/simulations`
POST `/security/attackSimulation/trainingCampaigns`
PATCH `/security/attackSimulation/simulations/{simulationId}`
PATCH `/security/attackSimulation/trainingCampaigns/{trainingCampaignId}`
DELETE `/security/attackSimulation/simulations/{simulationId}`
DELETE `/security/attackSimulation/trainingCampaigns/{trainingCampaignId}/$ref`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgSecurityAttackSimulationTrainingLanguageDetail` /security/attackSimulation/trainings/{trainingId}/languageDetails/{trainingLanguageDetailId}?$filter=locale eq 'locale' Get trainingLanguageDetail
`New-MgSecurityAttackSimulation` /security/attackSimulation/simulations Create simulation
`Remove-MgSecurityAttackSimulation` /security/attackSimulation/simulations/{simulationId} Delete simulation

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaSecurityAttackSimulationEndUserNotification` /security/attackSimulation/endUserNotifications Get endUserNotification
`Get-MgBetaSecurityAttackSimulationLandingPage` /security/attackSimulation/landingPages/{landingPageId} Get landingPage
`Get-MgBetaSecurityAttackSimulationLoginPage` /security/attackSimulation/loginPages/{loginPageId} Get loginPage
`Get-MgBetaSecurityAttackSimulationTraining` /security/attackSimulation/trainings/{trainingId} Get training
`Get-MgBetaSecurityAttackSimulationTrainingLanguageDetail` /security/attackSimulation/trainings/{trainingId}/languageDetails/{trainingLanguageDetailId}?$filter=locale eq 'locale' Get trainingLanguageDetail
`New-MgBetaSecurityAttackSimulation` /security/attackSimulation/simulations Create simulation
`New-MgBetaSecurityAttackSimulationTrainingCampaign` /security/attackSimulation/trainingCampaigns Create trainingCampaign
`Remove-MgBetaSecurityAttackSimulation` /security/attackSimulation/simulations/{simulationId} Delete simulation
`Remove-MgBetaSecurityAttackSimulationTrainingCampaign` /security/attackSimulation/trainingCampaigns/{trainingCampaignId}/$ref Delete trainingCampaign
`Update-MgBetaSecurityAttackSimulationTrainingCampaign` /security/attackSimulation/trainingCampaigns/{trainingCampaignId} Update trainingCampaign

Code Examples

C# / .NET SDK

Create simulation

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new Simulation
{
	DisplayName = "Graph Simulation",
	CreatedBy = new EmailIdentity
	{
		Email = "[email protected]",
	},
	DurationInDays = 3,
	AttackTechnique = SimulationAttackTechnique.CredentialHarvesting,
	Status = SimulationStatus.Scheduled,
	IncludedAccountTarget = new AddressBookAccountTargetContent
	{
		OdataType = "#microsoft.graph.addressBookAccountTargetContent",
		Type = AccountTargetContentType.AddressBook,
		AccountTargetEmails = new List<string>
		{
			"[email protected]",
		},
	},
	TrainingSetting = new TrainingSetting
	{
		SettingType = TrainingSettingType.NoTraining,
	},
	EndUserNotificationSetting = new EndUserNotificationSetting
	{
		NotificationPreference = EndUserNotificationPreference.Microsoft,
		SettingType = EndUserNotificationSettingType.NoTraining,
		PositiveReinforcement = new PositiveReinforcementNotification
		{
			DeliveryPreference = NotificationDeliveryPreference.DeliverAfterCampaignEnd,
			DefaultLanguage = "en",
			AdditionalData = new Dictionary<string, object>
			{
				{
					"[email protected]" , "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/1ewer3678-9abc-def0-123456789a"
				},
			},
		},
		AdditionalData = new Dictionary<string, object>
		{
			{
				"simulationNotification" , new UntypedObject(new Dictionary<string, UntypedNode>
				{
					{
						"targettedUserType", new UntypedString("compromised")
					},
					{
						"[email protected]", new UntypedString("https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/12wer3678-9abc-def0-123456789a")
					},
					{
						"defaultLanguage", new UntypedString("en")
					},
				})
			},
		},
	},
	AdditionalData = new Dictionary<string, object>
	{
		{
			"[email protected]" , "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/12345678-9abc-def0-123456789a"
		},
		{
			"[email protected]" , "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/1w345678-9abc-def0-123456789a"
		},
		{
			"[email protected]" , "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1c345678-9abc-def0-123456789a"
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.AttackSimulation.Simulations.PostAsync(requestBody);

JavaScript

Create simulation

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

const simulation = {
  displayName: 'Graph Simulation',
  '[email protected]': 'https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/12345678-9abc-def0-123456789a',
  '[email protected]': 'https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/1w345678-9abc-def0-123456789a',
  '[email protected]': 'https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1c345678-9abc-def0-123456789a',
  createdBy: {
    email: '[email protected]'
  },
  durationInDays: '3',
  attackTechnique: 'credentialHarvesting',
  status: 'scheduled',
  includedAccountTarget: {
    '@odata.type': '#microsoft.graph.addressBookAccountTargetContent',
    type: 'addressBook',
    accountTargetEmails: [
      '[email protected]'
    ]
  },
  trainingSetting: {
    settingType: 'noTraining'
  },
  endUserNotificationSetting: {
    notificationPreference: 'microsoft',
    settingType: 'noTraining',
    positiveReinforcement: {
      deliveryPreference: 'deliverAfterCampaignEnd',
      '[email protected]': 'https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/1ewer3678-9abc-def0-123456789a',
      defaultLanguage: 'en'
    },
    simulationNotification: {
      targettedUserType: 'compromised',
      '[email protected]': 'https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/12wer3678-9abc-def0-123456789a',
      defaultLanguage: 'en'
    }
  }
};

await client.api('/security/attackSimulation/simulations')
	.post(simulation);

PowerShell

Create simulation

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Security

$params = @{
	displayName = "Graph Simulation"
	"[email protected]" = "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/12345678-9abc-def0-123456789a"
	"[email protected]" = "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/1w345678-9abc-def0-123456789a"
	"[email protected]" = "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1c345678-9abc-def0-123456789a"
	createdBy = @{
		email = "[email protected]"
	}
	durationInDays = "3"
	attackTechnique = "credentialHarvesting"
	status = "scheduled"
	includedAccountTarget = @{
		"@odata.type" = "#microsoft.graph.addressBookAccountTargetContent"
		type = "addressBook"
		accountTargetEmails = @(
		"[email protected]"
	)
}
trainingSetting = @{
	settingType = "noTraining"
}
endUserNotificationSetting = @{
	notificationPreference = "microsoft"
	settingType = "noTraining"
	positiveReinforcement = @{
		deliveryPreference = "deliverAfterCampaignEnd"
		"[email protected]" = "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/1ewer3678-9abc-def0-123456789a"
		defaultLanguage = "en"
	}
	simulationNotification = @{
		targettedUserType = "compromised"
		"[email protected]" = "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/12wer3678-9abc-def0-123456789a"
		defaultLanguage = "en"
	}
}
}

New-MgSecurityAttackSimulation -BodyParameter $params

Python

Create simulation

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.simulation import Simulation
from msgraph.generated.models.email_identity import EmailIdentity
from msgraph.generated.models.simulation_attack_technique import SimulationAttackTechnique
from msgraph.generated.models.simulation_status import SimulationStatus
from msgraph.generated.models.address_book_account_target_content import AddressBookAccountTargetContent
from msgraph.generated.models.account_target_content_type import AccountTargetContentType
from msgraph.generated.models.training_setting import TrainingSetting
from msgraph.generated.models.training_setting_type import TrainingSettingType
from msgraph.generated.models.end_user_notification_setting import EndUserNotificationSetting
from msgraph.generated.models.end_user_notification_preference import EndUserNotificationPreference
from msgraph.generated.models.end_user_notification_setting_type import EndUserNotificationSettingType
from msgraph.generated.models.positive_reinforcement_notification import PositiveReinforcementNotification
from msgraph.generated.models.notification_delivery_preference import NotificationDeliveryPreference
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Simulation(
	display_name = "Graph Simulation",
	created_by = EmailIdentity(
		email = "[email protected]",
	),
	duration_in_days = 3,
	attack_technique = SimulationAttackTechnique.CredentialHarvesting,
	status = SimulationStatus.Scheduled,
	included_account_target = AddressBookAccountTargetContent(
		odata_type = "#microsoft.graph.addressBookAccountTargetContent",
		type = AccountTargetContentType.AddressBook,
		account_target_emails = [
			"[email protected]",
		],
	),
	training_setting = TrainingSetting(
		setting_type = TrainingSettingType.NoTraining,
	),
	end_user_notification_setting = EndUserNotificationSetting(
		notification_preference = EndUserNotificationPreference.Microsoft,
		setting_type = EndUserNotificationSettingType.NoTraining,
		positive_reinforcement = PositiveReinforcementNotification(
			delivery_preference = NotificationDeliveryPreference.DeliverAfterCampaignEnd,
			default_language = "en",
			additional_data = {
					"end_user_notification@odata_bind" : "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/1ewer3678-9abc-def0-123456789a",
			}
		),
		additional_data = {
				"simulation_notification" : {
						"targetted_user_type" : "compromised",
						"end_user_notification@odata_bind" : "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/12wer3678-9abc-def0-123456789a",
						"default_language" : "en",
				},
		}
	),
	additional_data = {
			"payload@odata_bind" : "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/12345678-9abc-def0-123456789a",
			"login_page@odata_bind" : "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/1w345678-9abc-def0-123456789a",
			"landing_page@odata_bind" : "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1c345678-9abc-def0-123456789a",
	}
)

result = await graph_client.security.attack_simulation.simulations.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for AttackSimulation.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent.