IdentityRiskEvent.ReadWrite.All
Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections.
Permission Details
Read and write all risk detection information
Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections.
db06fb33-1953-4b7b-a2ac-f1e2c854f7ae
Read and write risk event information
Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user. Update operations include confirming risk event detections.
9e4862a5-b68f-479e-848a-4e07e25c9916
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| appDisplayName | String (nullable) | App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith). |
| appId | String (nullable) | Unique GUID that represents the app ID in Microsoft Entra ID. Supports $filter (eq). |
| appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins. |
| clientAppUsed | String (nullable) | Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq). |
| conditionalAccessStatus | conditionalAccessStatus | Reports status of an activated conditional access policy. The possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq). |
| correlationId | String (nullable) | The request ID sent from the client when the sign-in is initiated. Used to troubleshoot sign-in activity. Supports $filter (eq). |
| createdDateTime | DateTimeOffset | Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge). |
| deviceDetail | deviceDetail | Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq, startsWith) on browser and operatingSystem properties. |
| id | String | Unique ID representing the sign-in activity. Supports $filter (eq). |
| ipAddress | String (nullable) | IP address of the client used to sign in. Supports $filter (eq, startsWith). |
| isInteractive | Boolean (nullable) | Indicates whether a sign-in is interactive. |
| location | signInLocation | Provides the city, state, and country code where the sign-in originated. Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties. |
| resourceDisplayName | String (nullable) | Name of the resource the user signed into. Supports $filter (eq). |
| resourceId | String (nullable) | ID of the resource that the user signed into. Supports $filter (eq). |
| riskDetail | riskDetail | The reason behind a specific state of a risky user, sign-in, or a risk event. The value none means that Microsoft Entra risk detection did not flag the user or the sign-in as a risky event so far. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
Showing 15 of 25 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "id": "String (identifier)",
  "createdDateTime": "String (timestamp)",
  "appDisplayName": "String",
  "appId": "String",
  "ipAddress": "String",
  "clientAppUsed": "String",
  "correlationId": "String",
  "conditionalAccessStatus": "string",
  "appliedConditionalAccessPolicies": [
    {
      "@odata.type": "microsoft.graph.appliedConditionalAccessPolicy"
    }
  ],
  "isInteractive": true,
  "deviceDetail": {
    "@odata.type": "microsoft.graph.deviceDetail"
  },
  "location": {
    "@odata.type": "microsoft.graph.signInLocation"
  },
  "riskDetail": "string",
  "riskLevelAggregated": "string",
  "riskLevelDuringSignIn": "string",
  "riskState": "string",
  "riskEventTypes": [
    "string"
  ],
  "riskEventTypes_v2": [
    "String"
  ],
  "resourceDisplayName": "string",
  "resourceId": "string",
  "status": {
    "@odata.type": "microsoft.graph.signInStatus"
  },
  "userDisplayName": "string",
  "userId": "string",
  "userPrincipalName": "string"
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins. |
| riskEventTypes | array | Related riskEventTypes data exposed by this resource. |
| riskEventTypes_v2 | string collection | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq, startsWith). |
| appliedEventListeners | appliedAuthenticationEventListener collection | Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, which the corresponding events in the sign-in event triggered. |
| authenticationAppPolicyEvaluationDetails | authenticationAppPolicyDetails collection | Provides details of the Microsoft Entra policies applied to a user and client authentication app during an authentication step. |
| authenticationContextClassReferences | authenticationContext collection | Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in. |
| authenticationDetails | authenticationDetail collection | The result of the authentication attempt and more details on the authentication method. |
| authenticationMethodsUsed | string collection | The authentication methods used. Possible values: SMS, Authenticator App, App Verification code, Password, FIDO, PTA, or PHS. |
| authenticationProcessingDetails | keyValue collection | More authentication processing details, such as the agent name for PTA and PHS, or a server or farm name for federated authentication. |
| authenticationRequirementPolicies | authenticationRequirementPolicy collection | Sources of authentication requirement, such as conditional access, per-user MFA, identity protection, and security defaults. |
| conditionalAccessAudiences | string collection | A list that indicates the audience that Conditional Access evaluated during a sign-in event. Supports $filter (eq). |
| networkLocationDetails | networkLocationDetail collection | The network location details including the type of network used and its names. |
| sessionLifetimePolicies | sessionLifetimePolicy collection | Any conditional access session management policies that were applied during the sign-in event. |
| signInEventTypes | string collection | Indicates the category of sign-in that the event represents. For user sign-ins, the category can be interactiveUser or nonInteractiveUser and corresponds to the value for the isInteractive property on the signin resource. For managed identity sign-ins, the category is managedIdentity. For service principal sign-ins, the category is servicePrincipal. The possible values are: interactiveUser, nonInteractiveUser, servicePrincipal, managedIdentity, unknownFutureValue. Supports $filter (eq, ne). NOTE: Only interactive sign-ins are returned unless you set an explicit filter. For example, the filter for getting non-interactive sign-ins is `https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')`. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| POST /auditLogs/signIns/confirmCompromised |
| POST /auditLogs/signIns/confirmSafe |
| POST /auditLogs/signIns/dismiss |
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| POST /auditLogs/signIns/confirmCompromised |
| POST /auditLogs/signIns/confirmSafe |
| POST /auditLogs/signIns/dismiss |
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using System.Collections.Generic;
using Microsoft.Graph.AuditLogs.SignIns.ConfirmCompromised;

// Request IDs of the sign-in events to mark as compromised
var requestBody = new ConfirmCompromisedPostRequestBody
{
    RequestIds = new List<string>
    {
        "29f270bb-4d23-4f68-8a57-dc73dc0d4caf",
        "20f91ec9-d140-4d90-9cd9-f618587a1471",
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.AuditLogs.SignIns.ConfirmCompromised.PostAsync(requestBody);
```
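```javascript
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider must be an already-initialized authentication provider
const options = {
    authProvider,
};

const client = Client.init(options);

// Request IDs of the sign-in events to mark as compromised
const confirmCompromised = {
    requestIds: [
        '29f270bb-4d23-4f68-8a57-dc73dc0d4caf',
        '20f91ec9-d140-4d90-9cd9-f618587a1471'
    ]
};

await client.api('/auditLogs/signIns/confirmCompromised')
    .post(confirmCompromised);
```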
```powershell
Import-Module Microsoft.Graph.Reports

# Request IDs of the sign-in events to mark as compromised
$params = @{
    requestIds = @(
        "29f270bb-4d23-4f68-8a57-dc73dc0d4caf"
        "20f91ec9-d140-4d90-9cd9-f618587a1471"
    )
}

Confirm-MgAuditLogSignInCompromised -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.auditlogs.signins.confirm_compromised.confirm_compromised_post_request_body import ConfirmCompromisedPostRequestBody

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

# Request IDs of the sign-in events to mark as compromised
request_body = ConfirmCompromisedPostRequestBody(
    request_ids = [
        "29f270bb-4d23-4f68-8a57-dc73dc0d4caf",
        "20f91ec9-d140-4d90-9cd9-f618587a1471",
    ],
)

# Must run inside an async function (for example, one started with asyncio.run)
await graph_client.audit_logs.sign_ins.confirm_compromised.post(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or Delegated permissions and search for IdentityRiskEvent.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.