Confirm Microsoft Entra ID Risky User - Incident Triggered

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

For each account entity included in the incident, this playbook will set the Risky User property in Microsoft Entra ID using Graph API using a Beta API.

Attribute	Value
Type	Playbook
Solution	Microsoft Entra ID Protection
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuread`	Managed	1	1
`azureadip`	Managed	1	1
`azuresentinel`	Managed	1	2

Action parameters (URLs, paths, function IDs)

`azuread` (Managed)

Action	Method	Endpoint	Other
Get_user	get	`/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}`	—

`azureadip` (Managed)

Action	Method	Endpoint	Other
Confirm_a_risky_user_as_compromised	post	`/beta/riskyUsers/confirmCompromised`	—

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_Accounts	post	`/entities/account`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Microsoft Entra ID Protection

Confirm Microsoft Entra ID Risky User - Incident Triggered

Logic App Connectors

azuread (Managed)

azureadip (Managed)

azuresentinel (Managed)

`azuread` (Managed)

`azureadip` (Managed)

`azuresentinel` (Managed)