
Detection of identity-based risks using Azure AD Identity Protection and Graph API

Github repository :


What is Azure AD Identity Protection?
Identity Protection is a tool in Azure AD that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

Identity Protection identifies risks in the following classifications:

  • Atypical travel: sign-in from an atypical location based on the user's recent sign-ins.
  • Anonymous IP address: sign-in from an anonymous IP address (for example, the Tor browser or anonymizer VPNs).
  • Unfamiliar sign-in properties: sign-in with properties not seen recently for the given user.
  • Malware linked IP address: sign-in from an IP address linked to malware.
  • Leaked credentials: the user's valid credentials have been leaked.
  • Azure AD threat intelligence: Microsoft's internal and external threat intelligence sources have identified a known attack pattern.

Source :

Note : Azure AD Identity Protection is fully available in the Azure AD Premium P2 only.

In this blog post, we will focus on detection of the above identity based risks.

There are two steps:
1) In the Azure portal, set up an application registration (with a client secret) and grant it the permissions needed to read data from Identity Protection.
2) Run a Python script that obtains an OAuth token for that application and uses it with the Graph API to pull the Identity Protection data for ingestion into your SIEM tool.

Setting up the application in the Azure portal
Azure Active Directory > App Registrations > New Registration


Give the application a name.


Add API permissions.
API Permission > Add a permission


Click Microsoft Graph


Since we want the logs to be pulled by an application rather than on behalf of a user, select Application permissions.


There are three APIs involved, and each needs a specific application permission before its data can be read via the Graph API.

  • Sign Ins: allows querying the Graph API for Azure AD sign-ins, including properties related to risk state, risk detail and risk level. Permission needed: AuditLog.Read.All
  • Risky Users: gets the users that Identity Protection has identified as risky. Permission needed: IdentityRiskyUser.Read.All
  • Risk Detections: gets both user-linked and sign-in-linked risk detections and their associated information. Permission needed: IdentityRiskEvent.Read.All

The above API permissions need to be added under Microsoft Graph in the application's API permissions.


The Global Administrator of your tenant needs to grant admin consent for the permissions you added.
You should contact them for this and get the consent granted.


Create a new client secret.

Certificate and Secrets > New Client Secret



A secret is automatically generated and can be copied.


Python script to use Graph API to pull Identity Protection data
The core section of the Python script uses the client ID, client secret and tenant domain to obtain an OAuth token, then uses that token to query the Microsoft Graph API and retrieve the Identity Protection data in JSON format, for both risky users and risk detections.

Full source code is located here :

The code also retries when the request rate crosses the Graph API throttling threshold (HTTP 429 Too Many Requests), so that a throttled run does not silently drop data.
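As an added illustration of the flow described above (this is not the script from the linked repository), the following Python code obtains a token with the OAuth 2.0 client-credentials grant, then reads a Graph collection while following @odata.nextLink paging and backing off on HTTP 429 using the Retry-After header. The transport and sleep functions are injectable so the retry logic can be exercised offline; the `send`/`sleep` parameter names and the `http_send` helper are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def http_send(url, headers=None, data=None):
    """Real transport (assumed helper): returns (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()


def get_token(tenant, client_id, client_secret, send=http_send):
    """Client-credentials grant for the app registration created in the portal."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for the application permissions that admin consent already granted
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, _, raw = send(f"{LOGIN}/{tenant}/oauth2/v2.0/token", data=body)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    return json.loads(raw)["access_token"]


def graph_get_all(path, token, send=http_send, sleep=time.sleep, max_retries=5):
    """GET a Graph collection, following @odata.nextLink and backing off on HTTP 429."""
    url, items, retries = f"{GRAPH}/{path}", [], 0
    while url:
        status, headers, raw = send(url, headers={"Authorization": f"Bearer {token}"})
        if status == 429 and retries < max_retries:
            retries += 1
            # honour Retry-After when Graph sends it, otherwise back off exponentially (capped)
            sleep(min(int(headers.get("Retry-After", 2 ** retries)), 60))
            continue
        if status != 200:
            raise RuntimeError(f"{url}: HTTP {status} {raw[:200]!r}")
        page = json.loads(raw)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # None on the last page ends the loop
    return items
```

With a real token, `graph_get_all("identityProtection/riskyUsers", token)` and `graph_get_all("identityProtection/riskDetections", token)` return the two collections as lists of dicts ready to be serialised for the SIEM.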


Hope this post helps you implement and query the Azure Identity Protection data in your organization.
Please feel free to ask questions in the comments section below.
