Using Powershell to Investigate Azure Ad User Risks

In this post, I will explain how you can use the PowerShell SDK for Microsoft Graph to investigate Risky Users in your Azure Active Directory. I will also show you how to use PowerShell to connect directly to the Microsoft Graph and query the data from there. Being able to query for riskDetections, risky users, and sign-ins allows you to automate alerts or actions whenever a user gets flagged by your risk policy.

Using Microsoft Graph PowerShell SDK to query risk detections

Microsoft is working on a PowerShell SDK for working with the Microsoft Graph API. This makes it extremely easy to query data from the API without any deeper knowledge of how to work with APIs. The SDK provides PowerShell cmdlets, so you do not have to make the individual HTTP calls to each endpoint yourself.

Connecting with the PowerShell SDK

First, you will need to download the PowerShell SDK (the PowerShell module). To do this, run the following command in your PowerShell terminal:

Install-Module Microsoft.Graph -Scope CurrentUser

Now, because the Microsoft module we will be using is in preview, you will need to switch the PowerShell SDK to the “beta” profile. To do this, run the command:

Select-MgProfile -Name "beta"

Then once the module is installed, and you have selected the beta profile, you will need to connect to the Graph API with an admin account and then consent to the following permissions:

  • IdentityRiskyUser.Read.All
  • IdentityRiskyUser.ReadWrite.All

To do this you can run the following command:

Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All"

This will open a browser, and you will be prompted to sign in with an admin account. Once you sign in, you will be asked to grant permissions to Microsoft Graph PowerShell. Click on “Accept” to proceed.

[Image: granting permissions for the PowerShell SDK]

Downloading the Microsoft Preview Module For Risky Users

To download the Microsoft Preview Module you will need to start by cloning the repository to your PC.

git clone https://github.com/AzureAD/IdentityProtectionTools.git

Then navigate to the folder where the module is located:

cd ./IdentityProtectionTools/src/modules/IdentityProtectionTools

Then you can import the module's commands into your PowerShell session:

Import-Module ./IdentityProtectionTools.psd1

You can see available commands by running:

Get-Command -Module IdentityProtectionTools

Output:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-AzureADIPRiskyUser                             0.0.3      IdentityProtectionTools
Function        Invoke-AzureADIPConfirmCompromisedRiskyUser        0.0.3      IdentityProtectionTools
Function        Invoke-AzureADIPDismissRiskyUser                   0.0.3      IdentityProtectionTools

Querying all the risky users

Now, to get all users with an elevated risk whose risk was updated in the last 30 days, you can run the following command:

Get-AzureADIPRiskyUser -Verbose -All -riskUpdatedSinceDays -30 | Select-Object UserPrincipalName, RiskLevel, RiskDetail, RiskLastUpdatedDateTime, RiskState

Output:

VERBOSE: 64 Risky Users Retrieved!
UserPrincipalName         RiskLevel RiskDetail                         RiskLastUpdatedDateTime RiskState
-----------------         --------- ----------                         ----------------------- ---------
[email protected]            none      userPerformedSecuredPasswordReset  06/01/2022 10:49:42     remediated
[email protected]            none      userPerformedSecuredPasswordReset  06/02/2022 07:21:17     remediated
[email protected]            medium    none                               06/17/2022 07:37:40     atRisk
[email protected]            none      userPerformedSecuredPasswordReset  06/02/2022 08:11:27     remediated
[email protected]            none      userPerformedSecuredPasswordChange 05/23/2022 06:33:20     remediated
[email protected]            low       none                               06/05/2022 11:46:28     atRisk
[email protected]            medium    none                               06/17/2022 01:09:50     atRisk
[email protected]            none      userPerformedSecuredPasswordReset  06/01/2022 14:10:35     remediated
[email protected]            low       none                               06/13/2022 08:28:06     atRisk
[email protected]           none      userPerformedSecuredPasswordReset  06/01/2022 12:23:34     remediated
[email protected]           none      userPerformedSecuredPasswordReset  06/08/2022 12:47:45     remediated

....

You can also specify the “-RiskLevel” parameter to restrict the query to users at a given risk level, for example only users with a “High” risk.
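As an added example (not code from the original post or from the IdentityProtectionTools project), the following turns the output above into an alert list, which is the automation use case the introduction mentions. It assumes the module is imported and Connect-MgGraph has been run, uses only the cmdlet and properties shown on this page, and writes the result to a CSV path you choose (the function name, parameter names and CSV path are mine).

```powershell
# Added example: triage IdentityProtectionTools output into an alert list.
# Assumes Import-Module IdentityProtectionTools and Connect-MgGraph have already been run.
function Get-RiskyUserAlerts {
    [CmdletBinding()]
    param(
        [int]$SinceDays = -30,                          # same value the post passes to -riskUpdatedSinceDays
        [string[]]$AlertLevels = @('high', 'medium'),   # levels that should raise an alert, highest first
        [string]$AlertCsvPath = './risky-user-alerts.csv'  # hypothetical output path; change to suit
    )

    $risky = Get-AzureADIPRiskyUser -All -riskUpdatedSinceDays $SinceDays

    # Only users still flagged (RiskState 'atRisk') at an alerting level need action;
    # 'remediated' rows (e.g. userPerformedSecuredPasswordReset) are informational only.
    $alerts = $risky |
        Where-Object { $_.RiskState -eq 'atRisk' -and $_.RiskLevel -in $AlertLevels } |
        Sort-Object @{ Expression = { $AlertLevels.IndexOf($_.RiskLevel) }; Ascending = $true },
                    @{ Expression = 'RiskLastUpdatedDateTime'; Descending = $true } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                UserId            = $_.Id
                RiskLevel         = $_.RiskLevel
                RiskDetail        = $_.RiskDetail
                RiskState         = $_.RiskState
                LastUpdated       = $_.RiskLastUpdatedDateTime
                # Age in hours lets you prioritise fresh detections over stale ones.
                AgeHours          = [math]::Round(((Get-Date) - [datetime]$_.RiskLastUpdatedDateTime).TotalHours, 1)
            }
        }

    if ($alerts) {
        $levels = ($alerts.RiskLevel | Select-Object -Unique) -join ', '
        Write-Warning ("{0} user(s) currently at risk (levels: {1})" -f @($alerts).Count, $levels)
        $alerts | Format-Table UserPrincipalName, RiskLevel, RiskDetail, AgeHours -AutoSize
        # Hand the list to your ticketing or SIEM pipeline.
        $alerts | Export-Csv -Path $AlertCsvPath -NoTypeInformation
    }
    return $alerts
}

Get-RiskyUserAlerts -Verbose
```

Run it on a schedule (for example as a scheduled task) and the CSV becomes a simple feed of users whose risk state still needs a human decision.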

Dismiss or Confirm the User Risk for a user

You can also use the PowerShell Module for dismissing a user’s risk level.

To do this, I will start by querying for risky users again, but this time I will also select the “Id” property to get each user’s Id.

Get-AzureADIPRiskyUser -Verbose -All -riskUpdatedSinceDays -30 | Select-Object UserPrincipalName, Id, RiskLevel, RiskLastUpdatedDateTime

This will output:

VERBOSE: 64 Risky Users Retrieved!
UserPrincipalName         Id                                   RiskLevel RiskLastUpdatedDateTime
-----------------         --                                   --------- -----------------------
[email protected]            asdasdb8-5s10c-4saab1-9186-8asd70768 none      06/01/2022 10:49:42
[email protected]            cd2aasd6dbd4-cd8d-4e5-986-9dasd9d505 none      06/02/2022 07:21:17
[email protected]            a3785asd2-df8-s81-bced5-9e962ffa53e0 medium    06/17/2022 07:37:40
[email protected]            5bb89637-6258-4ad8e-ad5f-aas7722c4fb none      06/02/2022 08:11:27
[email protected]            8671asdd4-44fdg-fasd-aeasd-1dqwe46gf none      05/23/2022 06:33:20

You can then take the Id of the user whose risk level you want to dismiss and use it in the following command:

Invoke-AzureADIPDismissRiskyUser -UserIds @("asdasdb8-5s10c-4saab1-9186-8asd70768")

Just as you can dismiss the user risk, you can also confirm a compromised user with the command:

Invoke-AzureADIPConfirmCompromisedRiskyUser
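As an added example (not code from the original post or from the IdentityProtectionTools project), this wraps the dismiss and confirm steps above in one function that resolves user principal names from an incident ticket to their current Ids, refuses to act on stale data, supports -WhatIf and keeps an audit trail. It assumes Invoke-AzureADIPConfirmCompromisedRiskyUser accepts -UserIds in the same way the post shows for Invoke-AzureADIPDismissRiskyUser; the function name, the audit log path and the sample UPN are mine.

```powershell
# Added example: apply a risk disposition (dismiss or confirm compromised) by UPN, with a dry-run mode.
# Assumes the module is imported, Connect-MgGraph has been run, and both Invoke-* cmdlets take -UserIds.
function Set-RiskyUserDisposition {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Dismiss', 'ConfirmCompromised')][string]$Action,
        [string]$AuditLog = './risky-user-dispositions.csv'   # hypothetical path; change to suit
    )

    # Re-query at decision time: never act on an Id copied from an older report.
    $current = Get-AzureADIPRiskyUser -All -riskUpdatedSinceDays -30
    $byUpn = @{}
    foreach ($u in $current) { $byUpn[$u.UserPrincipalName.ToLower()] = $u }

    $targets = foreach ($upn in $UserPrincipalName) {
        $u = $byUpn[$upn.ToLower()]
        if (-not $u) { Write-Warning "$upn is not in the current risky-user list; skipping"; continue }
        if ($u.RiskState -ne 'atRisk') { Write-Warning "$upn is already '$($u.RiskState)'; skipping"; continue }
        $u
    }
    if (-not $targets) { return }

    $ids = @($targets.Id)
    if ($PSCmdlet.ShouldProcess(($targets.UserPrincipalName -join ', '), $Action)) {
        switch ($Action) {
            'Dismiss'            { Invoke-AzureADIPDismissRiskyUser -UserIds $ids }
            'ConfirmCompromised' { Invoke-AzureADIPConfirmCompromisedRiskyUser -UserIds $ids }
        }
        # Record who changed which user's risk state and to what, since dismissing clears the flag.
        $targets | ForEach-Object {
            [pscustomobject]@{
                Timestamp         = (Get-Date).ToString('o')
                Operator          = $env:USERNAME
                UserPrincipalName = $_.UserPrincipalName
                UserId            = $_.Id
                PreviousLevel     = $_.RiskLevel
                Action            = $Action
            }
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    }
}

# Dry run first (constructed sample UPN), then rerun without -WhatIf to apply.
Set-RiskyUserDisposition -UserPrincipalName 'user3@contoso.example' -Action Dismiss -WhatIf
```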