# Monitoring Risky User Status with Microsoft Graph API: PowerShell Script

Understanding and managing risky user activities is crucial for maintaining the security of your Azure AD environment. Identifying potential threats early allows for prompt action to protect your organization's resources. In this article, we will explore a PowerShell script that automates the retrieval and display of risky user status using Microsoft Graph API.
## Script Overview

The script is designed to connect to Microsoft Graph and retrieve information about users deemed "risky" by Azure AD Identity Protection. It organizes this information into a structured format, making it easier for administrators to review and act upon.
## Key Features

| Feature | Capability | Business Value |
|---|---|---|
| Risk Detection | Identifies users flagged as risky by Azure AD | Proactive security monitoring |
| Structured Output | Formats data in JSON for easy processing | Integration with security workflows |
| Comprehensive Data | Includes risk levels, states, and timestamps | Complete risk assessment context |
| Automated Retrieval | Batch processing of all risky users | Efficient security operations |
## Script Implementation

```powershell
<#
.SYNOPSIS
Get-RiskyUserStatus.ps1

.DESCRIPTION
Retrieve and display the risky user status from Microsoft Graph.
#>

# Import necessary modules.
# MSAL.PS provides Get-MsalToken, which the original import list omitted.
Import-Module -Name 'Microsoft.Graph'
Import-Module -Name 'Microsoft.Graph.Beta.Identity.SignIns'
Import-Module -Name 'MSAL.PS'

# Define constants
$TenantId     = "" # Azure AD Tenant ID
$ClientId     = "" # Application (client) ID
$ClientSecret = "" # Client secret

# Convert Client Secret to Secure String
$SecureClientSecret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force

# Create credential object (kept from the original; the token flow below does not use it)
$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $SecureClientSecret)

# Acquire a token for Microsoft Graph using the client credentials flow
$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientSecret $SecureClientSecret -Scopes 'https://graph.microsoft.com/.default'

# Convert token to secure string (Connect-MgGraph expects a SecureString)
$SecureToken = ConvertTo-SecureString $Token.AccessToken -AsPlainText -Force

# Connect to Microsoft Graph
Connect-MgGraph -AccessToken $SecureToken

# Retrieve the risky users. -All follows server-side paging so every
# flagged user is returned, not just the first page.
$riskyUsers = Get-MgRiskyUser -All

# Create result object
$result = $riskyUsers | ForEach-Object {
    [PSCustomObject]@{
        Id                      = $_.Id
        IsDeleted               = $_.IsDeleted
        IsProcessing            = $_.IsProcessing
        RiskLevel               = $_.RiskLevel
        RiskState               = $_.RiskState
        RiskDetail              = $_.RiskDetail
        RiskLastUpdatedDateTime = $_.RiskLastUpdatedDateTime
        UserDisplayName         = $_.UserDisplayName
        UserPrincipalName       = $_.UserPrincipalName
    }
}

# Convert result to JSON format
$result | ConvertTo-Json -Compress
```

## Configuration Requirements

### Prerequisites
| Component | Requirement | Purpose |
|---|---|---|
| Microsoft Graph Modules | Microsoft.Graph, Microsoft.Graph.Beta.Identity.SignIns | Risk detection API access |
| Azure AD App Registration | Application with risk detection permissions | Secure API access |
| Tenant Credentials | Tenant ID, Client ID, Client Secret | Authentication parameters |
### Authentication Setup

Ideal for: Security administrators monitoring user risk levels

Required Permissions:

- `IdentityRiskyUser.Read.All` - Read risky user information
- `IdentityRiskEvent.Read.All` - Access risk event data
## Usage Instructions

1. Configure Authentication Parameters:

   ```powershell
   $TenantId = "your-tenant-id"
   $ClientId = "your-app-client-id"
   $ClientSecret = "your-client-secret"
   ```

2. Execute the Script:
   - Run with appropriate PowerShell permissions
   - Review JSON output for risk analysis
   - Integrate with security monitoring workflows
## Risk Data Structure

| Field | Description | Security Value |
|---|---|---|
| RiskLevel | Current risk assessment level | Immediate threat indicator |
| RiskState | Current state of risk evaluation | Processing status tracking |
| RiskDetail | Specific risk factors identified | Detailed threat analysis |
| RiskLastUpdatedDateTime | Last risk assessment timestamp | Recency of threat detection |
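The fields above are only useful once something acts on them. The following is an added example, not part of the original script: a function that takes objects shaped like the script's `$result`, interprets `RiskLevel`, `RiskState` and `RiskLastUpdatedDateTime`, and assigns each record a triage action before handing the open items to a downstream workflow. The action labels, the seven-day staleness threshold, the sample records and the output file name are all assumptions chosen for illustration; the `RiskState` and `RiskDetail` values used are ones Identity Protection actually emits.

```powershell
# Added example (not part of the original script): triage the records the
# script emits, interpreting RiskLevel / RiskState / RiskLastUpdatedDateTime.
# Runs offline on constructed sample data; thresholds and labels are assumptions.

function Get-RiskyUserTriage {
    [CmdletBinding()]
    param(
        # Objects shaped like the script's $result (Id, RiskLevel, RiskState, ...)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$RiskyUser,

        # An open risk record older than this is flagged as stale (assumed threshold)
        [int]$StaleAfterDays = 7,

        # Reference time; overridable so runs are reproducible
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )

    process {
        foreach ($u in $RiskyUser) {
            # Records already closed by an admin or by remediation need no action
            $closed = $u.RiskState -in @('none', 'confirmedSafe', 'remediated', 'dismissed')

            if ($closed)                                   { $action = 'none' }
            elseif ($u.IsDeleted)                          { $action = 'review-deleted' }
            elseif ($u.RiskState -eq 'confirmedCompromised' -or
                    $u.RiskLevel -eq 'high')               { $action = 'contain' }
            elseif ($u.RiskLevel -eq 'medium')             { $action = 'investigate' }
            else                                           { $action = 'monitor' }

            # Age of the last risk evaluation; the SDK yields a DateTime, JSON a string
            $ageDays = $null
            if ($u.RiskLastUpdatedDateTime) {
                $updated = [DateTimeOffset]$u.RiskLastUpdatedDateTime
                $ageDays = [int][math]::Floor(($Now - $updated).TotalDays)
            }

            [PSCustomObject]@{
                UserPrincipalName = $u.UserPrincipalName
                RiskLevel         = $u.RiskLevel
                RiskState         = $u.RiskState
                RiskDetail        = $u.RiskDetail
                IsProcessing      = $u.IsProcessing
                AgeDays           = $ageDays
                # Open records that Identity Protection has not re-evaluated recently
                Stale             = ($action -ne 'none' -and $null -ne $ageDays -and $ageDays -gt $StaleAfterDays)
                Action            = $action
            }
        }
    }
}

# Constructed sample records mirroring the script's output (not real tenant data)
$sample = @(
    [PSCustomObject]@{ Id = 'user-1'; IsDeleted = $false; IsProcessing = $false; RiskLevel = 'high';   RiskState = 'atRisk';     RiskDetail = 'none'; RiskLastUpdatedDateTime = '2024-05-01T08:00:00Z'; UserDisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example' }
    [PSCustomObject]@{ Id = 'user-2'; IsDeleted = $false; IsProcessing = $false; RiskLevel = 'medium'; RiskState = 'atRisk';     RiskDetail = 'none'; RiskLastUpdatedDateTime = '2024-05-09T12:00:00Z'; UserDisplayName = 'Bob Example';   UserPrincipalName = 'bob@contoso.example' }
    [PSCustomObject]@{ Id = 'user-3'; IsDeleted = $false; IsProcessing = $true;  RiskLevel = 'high';   RiskState = 'remediated'; RiskDetail = 'userPerformedSecuredPasswordReset'; RiskLastUpdatedDateTime = '2024-05-09T13:00:00Z'; UserDisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example' }
    [PSCustomObject]@{ Id = 'user-4'; IsDeleted = $true;  IsProcessing = $false; RiskLevel = 'low';    RiskState = 'atRisk';     RiskDetail = 'none'; RiskLastUpdatedDateTime = $null;                  UserDisplayName = 'Dan Example';   UserPrincipalName = 'dan@contoso.example' }
)

# Fixed reference time so the sample yields the same result on every run
$triage = $sample | Get-RiskyUserTriage -Now ([DateTimeOffset]'2024-05-10T00:00:00Z')
$triage | Format-Table -AutoSize

# Hand only open items to the downstream workflow, one JSON document per line
$triage | Where-Object Action -ne 'none' |
    ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path '.\risky-user-triage.jsonl'
```

With the sample data, Alice (high, atRisk, last updated nine days before the reference time) is marked `contain` and `Stale`, Bob is `investigate`, Carol's remediated record gets no action, and Dan's deleted account is routed to `review-deleted` with no age because his record carries no timestamp. The function works on `DateTimeOffset` rather than `DateTime` so that the ISO-8601 strings in the script's JSON output and the `DateTime` values returned directly by `Get-MgRiskyUser` are compared on the same clock.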
## Conclusion

Key Takeaway: This script provides essential visibility into user risk status, enabling security teams to proactively identify and respond to potential security threats before they impact the organization.