Add PowerShell commands to manage "Users flagged for risk" in Azure AD
I have quite a few users who have been tagged as "Users flagged for risk" in Azure AD. I'd like to be able to "Dismiss all events" for those users that were "Last updated" more than XX days ago. It seems I can only do this via the web GUI one user at a time. This stinks. This particular report had gone unwatched for a bit. PowerShell to the rescue please!
We now have an API to dismiss risky users. Please note that using the riskyUsers API requires an Azure AD Premium P2 license. Here’s more information on how to do this: https://docs.microsoft.com/en-us/graph/api/riskyusers-dismiss?view=graph-rest-beta&tabs=cs
Long, Gary commented
Come on Microsoft - throw us a bone! How are we supposed to effectively manage risk with these "stone age" tools?
Povl H. Pedersen commented
The new stuff for P2 is fine. But we need simple functionality for P0 and P1.
Povl H. Pedersen commented
Agree. Currently it is not usable. I have as first user on my list a high risk user, last event 1 year back, 0 events in total
Is this usable information ? No.
Please find someone who can implement this.
Just dismissing all would be a great help, and being able to sort by date without having to download the list. Powershell would be the best.
Rajat Luthra commented
While the script is currently being built, the features announced below will help you bulk dismiss users to some extent. Hope this helps.
This is some pretty basic functionality that would greatly improve the usability of the Users flagged for risk, it's been over a year without any updates. Agreed with Russ, this is highly disappointing.
Russ Harland commented
It's unfortunate that this basic functionality is STILL not available. Very disappointing.
this is broken as **** anyway. I still have users in my console that aren't even at the company anymore and their emails have been deleted years ago. their "dismissed" but still there. what a bad product
Please provide an update on this request.
This cant be that hard to get sorted can it? This needs to be automated into a report...
Is there any timing available?
Matt Wilkinson commented
This request has been open a year. Please can we have PowerShell commands for this functionality?
truly need to be able to dismiss a bulk of users either via powershell or the portal for users flagged for risk
Agreed!!!! such limited Functionality
Stephane BOUGES commented
As this is quite an old subject and it's still annoying us for our day-to-day work to have no PowerShell cmdlets to manage Risk Events / Users flagged for risk, I would like to know:
Any news on this subject? Any estimated date when it could be available?
Thanks in advance for your answer...
Please implement a function in the portal and with powershell to dismiss a bulk of users.
The current implementation of "Users flagged for risk" has two major shortcomings
1) You can't work (read/delete) on these events via an automated fashion (PowerShell)
2) You can't whitelist IP ranges belonging to your organisation so as to drive down false positives
=> Please urgently improve this functionality as currently it is close to useless.
it's a must mates, we have lots of noise due Users flagged for risk deleted time ago.
Hi please address powershell or API read/write access to risk events. I would very much like to see the capability to close risk events or do remediation from a script.
We had a instance of Office 365 running for two years as a test instance, and when we finally went all in with Office 365 we had over 3,000 events in "Users flagged for risk". We wanted to start from square one and get all of these cleared. We put in a Microsoft Premier support ticket in to have these cleared and Microsoft's response was that they had now way to clear these logs. Insanity!
Tom Bond commented