ESC
Type to search...
Navigate Open ESC Close

IdentityRiskyUser.ReadWrite.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write All Resources

Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read and write all risky user information

Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users.

Permission ID: 656f6061-f9fe-4807-9708-6a2e0934df76
Delegated Permission Admin consent required

Read and write risky user information

Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users.

User sees: Allows the app to read and update identity risky user information for all users in your organization on your behalf. Update operations include dismissing risky users.
Permission ID: e0a7cdbb-08b0-4697-8264-0069786e9674

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
id String Unique ID of the user at risk.
isDeleted BooleanNullable Indicates whether the user is deleted. The possible values are: true, false.
isProcessing BooleanNullable Indicates whether the backend is processing a user's risky state.
riskLastUpdatedDateTime DateTimeOffsetNullable The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
riskLevel riskLevel Level of the detected risky user. The possible values are: low, medium, high, hidden, none, unknownFutureValue.
riskState riskState State of the user's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.
riskDetail riskDetail Details of the detected risk.
userDisplayName StringNullable Risky user display name.
userPrincipalName StringNullable Risky user principal name.
history riskyUserHistoryItem collection The activity related to user risk level change

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.riskyUser",
  "id": "String (identifier)",
  "isDeleted": "Boolean",
  "isProcessing": "Boolean",
  "riskLastUpdatedDateTime": "String (timestamp)",
  "riskLevel": "String",
  "riskState": "String",
  "riskDetail": "String",
  "userDisplayName": "String",
  "userPrincipalName": "String"
}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
history riskyUserHistoryItem collection The activity related to user risk level change

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /identityProtection/riskyUsers/{riskyUserId}/history
POST /auditLogs/signIns/confirmCompromised
POST /auditLogs/signIns/confirmSafe
POST /auditLogs/signIns/dismiss
POST /identityProtection/riskyUsers/confirmCompromised
POST /identityProtection/riskyUsers/confirmSafe
POST /identityProtection/riskyUsers/dismiss
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /identityProtection/riskyUsers/{id}/history/
GET /identityProtection/riskyUsers/{userid}/history/{id}
GET /riskyUsers/{id}/history
GET /riskyUsers/{userid}/history/{id}
POST /auditLogs/signIns/confirmCompromised
POST /auditLogs/signIns/confirmSafe
POST /auditLogs/signIns/dismiss
POST /riskyUsers/confirmCompromised
POST /riskyUsers/confirmSafe
POST /riskyUsers/dismiss
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgRiskyUserHistory /identityProtection/riskyUsers/{riskyUserId}/history
List history of riskyUser
Invoke-MgDismissAuditLogSignIn /auditLogs/signIns/dismiss
signIn: dismiss
Invoke-MgDismissRiskyUser /identityProtection/riskyUsers/dismiss
riskyUser: dismiss
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaRiskyUserHistory /riskyUsers/{id}/history
List history of riskyUser
Get-MgBetaRiskyUserHistory /riskyUsers/{userid}/history/{id}
Get history item of riskyUser
Invoke-MgBetaDismissAuditLogSignIn /auditLogs/signIns/dismiss
signIn: dismiss

Code Examples

C# / .NET SDK
riskyUser: confirmCompromised
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.IdentityProtection.RiskyUsers.ConfirmCompromised;

var requestBody = new ConfirmCompromisedPostRequestBody
{
	UserIds = new List<string>
	{
		"29f270bb-4d23-4f68-8a57-dc73dc0d4caf",
		"20f91ec9-d140-4d90-9cd9-f618587a1471",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.IdentityProtection.RiskyUsers.ConfirmCompromised.PostAsync(requestBody);
JavaScript
riskyUser: confirmCompromised
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const confirmCompromised = {
  userIds: [
    '29f270bb-4d23-4f68-8a57-dc73dc0d4caf',
    '20f91ec9-d140-4d90-9cd9-f618587a1471'
  ]
};

await client.api('/identityProtection/riskyUsers/confirmCompromised')
	.post(confirmCompromised);
PowerShell
riskyUser: confirmCompromised
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	userIds = @(
	"29f270bb-4d23-4f68-8a57-dc73dc0d4caf"
"20f91ec9-d140-4d90-9cd9-f618587a1471"
)
}

Confirm-MgRiskyUserCompromised -BodyParameter $params
Python
riskyUser: confirmCompromised
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identityprotection.riskyusers.confirm_compromised.confirm_compromised_post_request_body import ConfirmCompromisedPostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConfirmCompromisedPostRequestBody(
	user_ids = [
		"29f270bb-4d23-4f68-8a57-dc73dc0d4caf",
		"20f91ec9-d140-4d90-9cd9-f618587a1471",
	],
)

await graph_client.identity_protection.risky_users.confirm_compromised.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for IdentityRiskyUser.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent.