Microsoft Graph Identity Protection

Microsoft Graph Identity Protection exposes Microsoft Entra ID (formerly Azure AD) Identity Protection signals and controls through the Graph API so you can detect, investigate, and remediate identity risks at scale. It provides programmatic access to risk detections and risk levels for users, sign-ins, and service principals; surfaces indicators such as leaked credentials, unfamiliar sign-in properties, impossible travel, malware-linked or anonymous IPs, password spray, and token theft; and preserves risk history. Using the API, you can list and filter risky entities, confirm compromise or dismiss false positives, trigger remediation (for example, require password reset or MFA via risk-based policies), and manage Identity Protection policies to automate response. This enables integration with SIEM/SOAR and custom apps to monitor, triage, and enforce risk-based conditional access across your tenant.