Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.

Blog post here:

Azure AD Identity Protection

This python script uses the ClientId, Client Secret (configured in Azure portal) and the tenant domain to get the OAuth token and then uses the OAuth token to query the Microsoft Graph API to get the identity protection data in the JSON format for both risky users and risky detection.

The code also retries in case of the number of requests crosses the threshold ( i.e when the request fails with HTTP status code 429- "Too many requests").

Creates two types of output files :

  1. CSV log files for the request status to the Microsoft Graph API
  2. JSON output files for indivisual requests with prefix - "riskyuser_", "riskdetections_", "identityrisk_"

Example for log CSV

20200121-220832,RiskyUserEvent,,200,20,Request successful
20200121-220832,RiskyUserEvent,$skiptoken=a8cbddf449f8acdab8366235a9856daa072dd5ab56e55f45281f2c1b09c299e64c8_20,200,20,Request successful
20200121-220832,RiskyUserEvent,$skiptoken=674902a0dfs049sdfb93d0sbba444f9e03a4d0de2e3c5975be35140479b297fd4f5a1c01_40,200,20,Request successful
20200121-220833,RiskyUserEvent,$skiptoken=5799d562d882ss3735dh93020e8344e6aad9caa15a4567b5864e30e2649318ef78962_60,200,20,Request successful

Example for riskDetection JSON

		"id": "10c2017481bfae5f519a0ac52253b84dc4647bafaf19951a",
		"requestId": "0bf9f8-0363-411b-9a85-42b34f8b6e00",
		"correlationId": "6d2c4537-6658-4f6b-bd83-608873a623e7",
		"riskType": "anonymizedIPAddress",
		"riskState": "atRisk",
		"riskLevel": "medium",
		"riskDetail": "none",
		"source": "IdentityProtection",
		"detectionTimingType": "realtime",
		"activity": "signin",
		"tokenIssuerType": "AzureAD",
		"ipAddress": "",
		"activityDateTime": "2019-10-24T15:52:59.2544431Z",
		"detectedDateTime": "2019-10-24T15:52:59.2544431Z",
		"lastUpdatedDateTime": "2019-10-24T15:54:01.1560141Z",
		"userId": "3461fa0b-612e-4805-942d-0d5b9f3647f7",
		"userDisplayName": "John Doe",
		"userPrincipalName": "",
		"additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"xyzzzz/113 zzzz/98.0.7 Charles/18.7.0 (x86_64)\"}]",
		"location": {
			"city": "San Jose",
			"state": "California",
			"countryOrRegion": "US",
			"geoCoordinates": {
				"latitude": 31.38745,
				"longitude": -123.9023
		"id": "9b8d3a520856b1b9f9f31c651c47a86c65a04cc35d593824c6af1de42f50832e",

Example for Risky User JSON response

		"id": "ddebe803-8acf-4ff5-8d6f-f51dd844ca88",
		"isDeleted": false,
		"isGuest": false,
		"isProcessing": false,
		"riskLevel": "high",
		"riskState": "atRisk",
		"riskDetail": "none",
		"riskLastUpdatedDateTime": "2020-01-08T07:13:46.0524129Z",
		"userDisplayName": "Doe, John",
		"userPrincipalName": ""
		"id": "ddebe803-8acf-4ff5-8d6f-f51dd844caa8",
You can’t perform that action at this time.