SecurityAnalyzedMessage.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Read email metadata and security detection details, and execute remediation actions like deleting an email, without a signed-in user.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read metadata, detection details, and execute remediation actions on all emails in your organization
Read email metadata and security detection details, and execute remediation actions like deleting an email, without a signed-in user.
Permission ID:
04c55753-2244-4c25-87fc-704ab82a4f69
Delegated Permission
Admin consent required
Read metadata, detection details, and execute remediation actions on emails in your organization
Read email metadata, security detection details, and execute remediation actions like deleting an email, on behalf of the signed in user.
User sees: Read email metadata, security detection details, and execute remediation actions like deleting an email, on your behalf.
Permission ID:
48eb8c83-6e58-46e7-a6d3-8805822f5940
Properties
Microsoft Graph v1.0
endpoint-derived-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
alerts |
alert collection |
|
alerts_v2 |
security.alert collection |
A collection of alerts in Microsoft 365 Defender. |
attackSimulation |
object |
|
cases |
object |
|
dataSecurityAndGovernance |
object |
|
id |
string |
The unique identifier for an entity. Read-only. |
identities |
object |
A container for security identities APIs. |
incidents |
security.incident collection |
A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack. |
labels |
object |
|
secureScoreControlProfiles |
secureScoreControlProfile collection |
|
secureScores |
secureScore collection |
|
subjectRightsRequests |
subjectRightsRequest collection |
|
threatIntelligence |
object |
|
triggers |
object |
|
triggerTypes |
object |
JSON Representation
Microsoft Graph v1.0
endpoint-derived-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{}Relationships
Microsoft Graph v1.0
endpoint-derived-docs
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
alerts |
alert collection |
Read-only. Nullable. |
alertsv2 |
security.alert collection |
A collection of alerts in Microsoft 365 Defender. |
data security and compliance |
tenantDataSecurityAndGovernance |
A container for Microsoft Purview data security and compliance APIs. |
identities |
security.identityContainer |
A container for security identities APIs. |
incidents |
security.incident collection |
A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack. |
alerts_v2 |
security.alert collection |
A collection of alerts in Microsoft 365 Defender. |
secureScoreControlProfiles |
secureScoreControlProfile collection |
Related secureScoreControlProfiles data exposed by this resource. |
secureScores |
secureScore collection |
Related secureScores data exposed by this resource. |
subjectRightsRequests |
subjectRightsRequest collection |
Related subjectRightsRequests data exposed by this resource. |
cloudAppSecurityProfiles |
cloudAppSecurityProfile collection |
Related cloudAppSecurityProfiles data exposed by this resource. |
domainSecurityProfiles |
domainSecurityProfile collection |
Related domainSecurityProfiles data exposed by this resource. |
fileSecurityProfiles |
fileSecurityProfile collection |
Related fileSecurityProfiles data exposed by this resource. |
hostSecurityProfiles |
hostSecurityProfile collection |
Related hostSecurityProfiles data exposed by this resource. |
incidentTasks |
security.incidentTask collection |
A collection of tasks associated with security incidents. |
ipSecurityProfiles |
ipSecurityProfile collection |
Related ipSecurityProfiles data exposed by this resource. |
providerTenantSettings |
providerTenantSetting collection |
Related providerTenantSettings data exposed by this resource. |
securityActions |
securityAction collection |
Related securityActions data exposed by this resource. |
tiIndicators |
tiIndicator collection |
Related tiIndicators data exposed by this resource. |
userSecurityProfiles |
userSecurityProfile collection |
Related userSecurityProfiles data exposed by this resource. |
zones |
security.zone collection |
A collection of cloud zones in Microsoft Defender for Cloud that group and manage cloud environments across multiple cloud providers. |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
GET
/security/collaboration/analyzedEmails
|
GET
/security/collaboration/analyzedEmails/{analyzedEmailId}
|
POST
/security/collaboration/analyzedEmails/remediate
|
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docs
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# / .NET SDK
analyzedEmail: remediate
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Security.Collaboration.AnalyzedEmails.MicrosoftGraphSecurityRemediate;
using Microsoft.Graph.Beta.Models.Security;
var requestBody = new RemediatePostRequestBody
{
DisplayName = "Clean up Phish email",
Description = "Delete email",
Severity = RemediationSeverity.Medium,
Action = RemediationAction.SoftDelete,
RemediateSendersCopy = false,
AnalyzedEmails = new List<AnalyzedEmail>
{
new AnalyzedEmail
{
NetworkMessageId = "73ca4154-58d8-43d0-a890-08dc18c52e6d",
RecipientEmailAddress = "[email protected]",
},
new AnalyzedEmail
{
NetworkMessageId = "73ca4154-58d8-43d0-a890-08dc18c52e6d",
RecipientEmailAddress = "[email protected]",
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Security.Collaboration.AnalyzedEmails.MicrosoftGraphSecurityRemediate.PostAsync(requestBody);
JavaScript
analyzedEmail: remediate
const options = {
authProvider,
};
const client = Client.init(options);
const remediate = {
displayName: 'Clean up Phish email',
description: 'Delete email',
severity: 'medium',
action: 'softDelete',
remediateSendersCopy: 'false',
analyzedEmails: [
{
networkMessageId: '73ca4154-58d8-43d0-a890-08dc18c52e6d',
recipientEmailAddress: '[email protected]'
},
{
networkMessageId: '73ca4154-58d8-43d0-a890-08dc18c52e6d',
recipientEmailAddress: '[email protected]'
}
]
};
await client.api('/security/collaboration/analyzedEmails/remediate')
.version('beta')
.post(remediate);
PowerShell
analyzedEmail: remediate
Import-Module Microsoft.Graph.Beta.Security
$params = @{
displayName = "Clean up Phish email"
description = "Delete email"
severity = "medium"
action = "softDelete"
remediateSendersCopy = "false"
analyzedEmails = @(
@{
networkMessageId = "73ca4154-58d8-43d0-a890-08dc18c52e6d"
recipientEmailAddress = "[email protected]"
}
@{
networkMessageId = "73ca4154-58d8-43d0-a890-08dc18c52e6d"
recipientEmailAddress = "[email protected]"
}
)
}
Invoke-MgBetaRemediateSecurityCollaborationAnalyzedEmail -BodyParameter $params
Python
analyzedEmail: remediate
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.security.collaboration.analyzedemails.microsoft_graph_security_remediate.remediate_post_request_body import RemediatePostRequestBody
from msgraph_beta.generated.models.remediation_severity import RemediationSeverity
from msgraph_beta.generated.models.remediation_action import RemediationAction
from msgraph_beta.generated.models.security.analyzed_email import AnalyzedEmail
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = RemediatePostRequestBody(
display_name = "Clean up Phish email",
description = "Delete email",
severity = RemediationSeverity.Medium,
action = RemediationAction.SoftDelete,
remediate_senders_copy = False,
analyzed_emails = [
AnalyzedEmail(
network_message_id = "73ca4154-58d8-43d0-a890-08dc18c52e6d",
recipient_email_address = "[email protected]",
),
AnalyzedEmail(
network_message_id = "73ca4154-58d8-43d0-a890-08dc18c52e6d",
recipient_email_address = "[email protected]",
),
],
)
await graph_client.security.collaboration.analyzed_emails.microsoft_graph_security_remediate.post(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for SecurityAnalyzedMessage.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.