"Monitoring Risky User Status with Microsoft Graph API: PowerShell Script"

Understanding and managing risky user activities is crucial for maintaining the security of your Azure AD environment. Identifying potential threats early allows for prompt action to protect your organization’s resources. In this article, we will explore a PowerShell script that automates the retrieval and display of risky user status using Microsoft Graph API.

SCRIPT OVERVIEW

The script is designed to connect to Microsoft Graph and retrieve information about users deemed “risky” by Azure AD. The script organizes this information into a structured format, making it easier for administrators to review and act upon.

Here is the script:

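```powershell
<#
.SYNOPSIS
    Get-RiskyUserStatus.ps1

.DESCRIPTION
    Retrieve and display the risky user status from Microsoft Graph.
#>

# Get-MsalToken is provided by the MSAL.PS module
Import-Module -Name 'MSAL.PS'
Import-Module -Name 'Microsoft.Graph'
Import-Module -Name 'Microsoft.Graph.Beta.Identity.SignIns'

$TenantId     = ""  # Azure AD Tenant ID
$ClientId     = ""  # Application (client) ID
$ClientSecret = ""  # Client secret (keep the real value out of source control)

# Get-MsalToken expects the client secret as a SecureString
$SecureClientSecret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force

# Credential object (not used by the token-based sign-in below)
$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $SecureClientSecret)

# App-only token through the client credentials flow; the app registration
# needs the IdentityRiskyUser.Read.All application permission
$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientSecret $SecureClientSecret -Scopes 'https://graph.microsoft.com/.default'

# Connect-MgGraph takes the access token as a SecureString
$SecureToken = ConvertTo-SecureString $Token.AccessToken -AsPlainText -Force

Connect-MgGraph -AccessToken $SecureToken

# Retrieve the users that Azure AD has flagged as risky
$riskyUsers = Get-MgRiskyUser

# Keep only the properties an administrator needs for review
$result = $riskyUsers | ForEach-Object {
    [PSCustomObject]@{
        Id                      = $_.Id
        IsDeleted               = $_.IsDeleted
        IsProcessing            = $_.IsProcessing
        RiskLevel               = $_.RiskLevel
        RiskState               = $_.RiskState
        RiskDetail              = $_.RiskDetail
        RiskLastUpdatedDateTime = $_.RiskLastUpdatedDateTime
        UserDisplayName         = $_.UserDisplayName
        UserPrincipalName       = $_.UserPrincipalName
    }
}

echo ""
$result | ConvertTo-Json -Compress
echo ""
```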
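To act on the output rather than only list it, the objects can be triaged by risk state and level. The following is an added example, not part of the original script: `Select-ActionableRiskyUser` is a hypothetical helper name, the sample records are constructed so the block runs without a tenant, and the choice to skip the levels `none` and `hidden` is an assumption you may want to change.

```powershell
# Added example: triage objects shaped like $result from the script above.
# Select-ActionableRiskyUser is a hypothetical helper, not a Graph SDK cmdlet.
function Select-ActionableRiskyUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$RiskyUser,

        # Lowest risk level to report
        [ValidateSet('low', 'medium', 'high')]
        [string]$MinimumLevel = 'medium'
    )
    begin {
        $rank = @{ low = 1; medium = 2; high = 3 }
        # States that still need a decision; remediated, dismissed and confirmedSafe are closed
        $open = @('atRisk', 'confirmedCompromised')
        $kept = [System.Collections.Generic.List[object]]::new()
    }
    process {
        $level = "$($RiskyUser.RiskLevel)"   # enum or string, compared as text
        $state = "$($RiskyUser.RiskState)"
        if ($RiskyUser.IsDeleted) { return }
        if ($open -notcontains $state) { return }
        if (-not $rank.ContainsKey($level)) { return }   # none, hidden, unknownFutureValue
        if ($rank[$level] -lt $rank[$MinimumLevel]) { return }
        $kept.Add($RiskyUser)
    }
    end {
        # Highest risk first, then most recently updated
        $kept | Sort-Object -Property `
            @{ Expression = { $rank["$($_.RiskLevel)"] }; Descending = $true },
            @{ Expression = { $_.RiskLastUpdatedDateTime }; Descending = $true }
    }
}

# Constructed sample records (same property names as $result)
$sample = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; RiskLevel = 'medium'; RiskState = 'atRisk';               IsDeleted = $false; RiskLastUpdatedDateTime = [datetime]'2024-05-02T08:15:00Z' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';   RiskLevel = 'high';   RiskState = 'confirmedCompromised'; IsDeleted = $false; RiskLastUpdatedDateTime = [datetime]'2024-05-01T21:40:00Z' }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; RiskLevel = 'high';   RiskState = 'remediated';           IsDeleted = $false; RiskLastUpdatedDateTime = [datetime]'2024-04-28T10:00:00Z' }
    [PSCustomObject]@{ UserPrincipalName = 'dave@contoso.example';  RiskLevel = 'low';    RiskState = 'atRisk';               IsDeleted = $false; RiskLastUpdatedDateTime = [datetime]'2024-05-03T06:30:00Z' }
    [PSCustomObject]@{ UserPrincipalName = 'erin@contoso.example';  RiskLevel = 'high';   RiskState = 'atRisk';               IsDeleted = $true;  RiskLastUpdatedDateTime = [datetime]'2024-05-03T07:00:00Z' }
)

$sample | Select-ActionableRiskyUser |
    Format-Table UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

With live data, pipe `$result` into the function in place of `$sample`.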